| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263126412651266126712681269127012711272127312741275127612771278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302130313041305130613071308130913101311131213131314131513161317131813191320132113221323132413251326132713281329133013311332133313341335133613371338133913401341134213431344134513461347134813491350135113521353135413551356135713581359136013611362136313641365136613671368136913701371137213731374137513761377137813791380138113821383138413851386138713881389139013911392139313941395139613971398139914001401140214031404140514061407140814091410141114121413141414151416141714181419142014211422142314241425142614271428142914301431143214331434143514361437143814391440144114421443144414451446144714481449145014511452145314541455145614571458145914601461146214631464146514661467146814691470147114721473147414751476147714781479148014811482148314841485148614871488148914901491149214931494149514961497149814991500150115021503150415051506150715081509151015111512151315141515151615171518151915201521152215231524152515261527152815291530153115321533153415351536153715381539154015411542154315441545154615471548154915501551155215531554155515561557155815591560156115621563156415651566156715681569157015711572157315741575157615771578157915801581158215831584158515861587158815891590159115921593159415951596159715981599160016011602160316041605160616071608160916101611161216131614161516161617161816191620162116221623162416251626162716281629163016311632163316341635163616371638163916401641164216431644164516461647164816491650165116521653165416551656165716581659166016611662166316641665166616671668166916701671167216731674167516761677167816791680168116821683168416851686168716881689169016911692169316941695169616971698169917001701170217031704 |
- apiVersion: apiextensions.k8s.io/v1
- kind: CustomResourceDefinition
- metadata:
- annotations:
- controller-gen.kubebuilder.io/version: v0.19.0
- labels:
- external-secrets.io/component: controller
- name: clusterexternalsecrets.external-secrets.io
- spec:
- group: external-secrets.io
- names:
- categories:
- - external-secrets
- kind: ClusterExternalSecret
- listKind: ClusterExternalSecretList
- plural: clusterexternalsecrets
- shortNames:
- - ces
- singular: clusterexternalsecret
- scope: Cluster
- versions:
- - additionalPrinterColumns:
- - jsonPath: .spec.externalSecretSpec.secretStoreRef.name
- name: Store
- type: string
- - jsonPath: .spec.refreshTime
- name: Refresh Interval
- type: string
- - jsonPath: .status.conditions[?(@.type=="Ready")].status
- name: Ready
- type: string
- name: v1
- schema:
- openAPIV3Schema:
- description: ClusterExternalSecret is the Schema for the clusterexternalsecrets
- API.
- properties:
- apiVersion:
- description: |-
- APIVersion defines the versioned schema of this representation of an object.
- Servers should convert recognized schemas to the latest internal value, and
- may reject unrecognized values.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
- type: string
- kind:
- description: |-
- Kind is a string value representing the REST resource this object represents.
- Servers may infer this from the endpoint the client submits requests to.
- Cannot be updated.
- In CamelCase.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
- type: string
- metadata:
- type: object
- spec:
- description: ClusterExternalSecretSpec defines the desired state of ClusterExternalSecret.
- properties:
- externalSecretMetadata:
- description: The metadata of the external secrets to be created
- properties:
- annotations:
- additionalProperties:
- type: string
- type: object
- labels:
- additionalProperties:
- type: string
- type: object
- type: object
- externalSecretName:
- description: |-
- The name of the external secrets to be created.
- Defaults to the name of the ClusterExternalSecret
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- externalSecretSpec:
- description: The spec for the ExternalSecrets to be created
- properties:
- data:
- description: Data defines the connection between the Kubernetes
- Secret keys and the Provider data
- items:
- description: ExternalSecretData defines the connection between
- the Kubernetes Secret key (spec.data.<key>) and the Provider
- data.
- properties:
- remoteRef:
- description: |-
- RemoteRef points to the remote secret and defines
- which secret (version/property/..) to fetch.
- properties:
- conversionStrategy:
- default: Default
- description: Used to define a conversion Strategy
- enum:
- - Default
- - Unicode
- type: string
- decodingStrategy:
- default: None
- description: Used to define a decoding Strategy
- enum:
- - Auto
- - Base64
- - Base64URL
- - None
- type: string
- key:
- description: Key is the key used in the Provider, mandatory
- type: string
- metadataPolicy:
- default: None
- description: Policy for fetching tags/labels from provider
- secrets, possible options are Fetch, None. Defaults
- to None
- enum:
- - None
- - Fetch
- type: string
- nullBytePolicy:
- default: Ignore
- description: Controls how ESO handles fetched secret
- data containing NUL bytes for this source.
- enum:
- - Ignore
- - Fail
- type: string
- property:
- description: Used to select a specific property of the
- Provider value (if a map), if supported
- type: string
- version:
- description: Used to select a specific version of the
- Provider value, if supported
- type: string
- required:
- - key
- type: object
- secretKey:
- description: The key in the Kubernetes Secret to store the
- value.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- sourceRef:
- description: |-
- SourceRef allows you to override the source
- from which the value will be pulled.
- maxProperties: 1
- minProperties: 1
- properties:
- generatorRef:
- description: |-
- GeneratorRef points to a generator custom resource.
- Deprecated: The generatorRef is not implemented in .data[].
- this will be removed with v1.
- properties:
- apiVersion:
- default: generators.external-secrets.io/v1alpha1
- description: Specify the apiVersion of the generator
- resource
- type: string
- kind:
- description: Specify the Kind of the generator resource
- enum:
- - ACRAccessToken
- - ClusterGenerator
- - CloudsmithAccessToken
- - ECRAuthorizationToken
- - Fake
- - GCRAccessToken
- - GithubAccessToken
- - QuayAccessToken
- - Password
- - SSHKey
- - STSSessionToken
- - UUID
- - VaultDynamicSecret
- - Webhook
- - Grafana
- - MFA
- type: string
- name:
- description: Specify the name of the generator resource
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- required:
- - kind
- - name
- type: object
- storeRef:
- description: SecretStoreRef defines which SecretStore
- to fetch the ExternalSecret data.
- properties:
- kind:
- description: |-
- Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
- Defaults to `SecretStore`
- enum:
- - SecretStore
- - ClusterSecretStore
- type: string
- name:
- description: Name of the SecretStore resource
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- type: object
- type: object
- required:
- - remoteRef
- - secretKey
- type: object
- type: array
- dataFrom:
- description: |-
- DataFrom is used to fetch all properties from a specific Provider data
- If multiple entries are specified, the Secret keys are merged in the specified order
- items:
- description: |-
- ExternalSecretDataFromRemoteRef defines the connection between the Kubernetes Secret keys and the Provider data
- when using DataFrom to fetch multiple values from a Provider.
- properties:
- extract:
- description: |-
- Used to extract multiple key/value pairs from one secret
- Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
- properties:
- conversionStrategy:
- default: Default
- description: Used to define a conversion Strategy
- enum:
- - Default
- - Unicode
- type: string
- decodingStrategy:
- default: None
- description: Used to define a decoding Strategy
- enum:
- - Auto
- - Base64
- - Base64URL
- - None
- type: string
- key:
- description: Key is the key used in the Provider, mandatory
- type: string
- metadataPolicy:
- default: None
- description: Policy for fetching tags/labels from provider
- secrets, possible options are Fetch, None. Defaults
- to None
- enum:
- - None
- - Fetch
- type: string
- nullBytePolicy:
- default: Ignore
- description: Controls how ESO handles fetched secret
- data containing NUL bytes for this source.
- enum:
- - Ignore
- - Fail
- type: string
- property:
- description: Used to select a specific property of the
- Provider value (if a map), if supported
- type: string
- version:
- description: Used to select a specific version of the
- Provider value, if supported
- type: string
- required:
- - key
- type: object
- find:
- description: |-
- Used to find secrets based on tags or regular expressions
- Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
- properties:
- conversionStrategy:
- default: Default
- description: Used to define a conversion Strategy
- enum:
- - Default
- - Unicode
- type: string
- decodingStrategy:
- default: None
- description: Used to define a decoding Strategy
- enum:
- - Auto
- - Base64
- - Base64URL
- - None
- type: string
- name:
- description: Finds secrets based on the name.
- properties:
- regexp:
- description: Finds secrets base
- type: string
- type: object
- nullBytePolicy:
- default: Ignore
- description: Controls how ESO handles fetched secret
- data containing NUL bytes for this find source.
- enum:
- - Ignore
- - Fail
- type: string
- path:
- description: A root path to start the find operations.
- type: string
- tags:
- additionalProperties:
- type: string
- description: Find secrets based on tags.
- type: object
- type: object
- rewrite:
- description: |-
- Used to rewrite secret Keys after getting them from the secret Provider
- Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
- items:
- description: ExternalSecretRewrite defines how to rewrite
- secret data values before they are written to the Secret.
- maxProperties: 1
- minProperties: 1
- properties:
- merge:
- description: |-
- Used to merge key/values in one single Secret
- The resulting key will contain all values from the specified secrets
- properties:
- conflictPolicy:
- default: Error
- description: Used to define the policy to use
- in conflict resolution.
- enum:
- - Ignore
- - Error
- type: string
- into:
- default: ""
- description: |-
- Used to define the target key of the merge operation.
- Required if strategy is JSON. Ignored otherwise.
- type: string
- priority:
- description: Used to define key priority in conflict
- resolution.
- items:
- type: string
- type: array
- priorityPolicy:
- default: Strict
- description: Used to define the policy when a
- key in the priority list does not exist in the
- input.
- enum:
- - IgnoreNotFound
- - Strict
- type: string
- strategy:
- default: Extract
- description: Used to define the strategy to use
- in the merge operation.
- enum:
- - Extract
- - JSON
- type: string
- type: object
- regexp:
- description: |-
- Used to rewrite with regular expressions.
- The resulting key will be the output of a regexp.ReplaceAll operation.
- properties:
- source:
- description: Used to define the regular expression
- of a re.Compiler.
- type: string
- target:
- description: Used to define the target pattern
- of a ReplaceAll operation.
- type: string
- required:
- - source
- - target
- type: object
- transform:
- description: |-
- Used to apply string transformation on the secrets.
- The resulting key will be the output of the template applied by the operation.
- properties:
- template:
- description: |-
- Used to define the template to apply on the secret name.
- `.value ` will specify the secret name in the template.
- type: string
- required:
- - template
- type: object
- type: object
- type: array
- sourceRef:
- description: |-
- SourceRef points to a store or generator
- which contains secret values ready to use.
- Use this in combination with Extract or Find pull values out of
- a specific SecretStore.
- When sourceRef points to a generator Extract or Find is not supported.
- The generator returns a static map of values
- maxProperties: 1
- minProperties: 1
- properties:
- generatorRef:
- description: GeneratorRef points to a generator custom
- resource.
- properties:
- apiVersion:
- default: generators.external-secrets.io/v1alpha1
- description: Specify the apiVersion of the generator
- resource
- type: string
- kind:
- description: Specify the Kind of the generator resource
- enum:
- - ACRAccessToken
- - ClusterGenerator
- - CloudsmithAccessToken
- - ECRAuthorizationToken
- - Fake
- - GCRAccessToken
- - GithubAccessToken
- - QuayAccessToken
- - Password
- - SSHKey
- - STSSessionToken
- - UUID
- - VaultDynamicSecret
- - Webhook
- - Grafana
- - MFA
- type: string
- name:
- description: Specify the name of the generator resource
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- required:
- - kind
- - name
- type: object
- storeRef:
- description: SecretStoreRef defines which SecretStore
- to fetch the ExternalSecret data.
- properties:
- kind:
- description: |-
- Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
- Defaults to `SecretStore`
- enum:
- - SecretStore
- - ClusterSecretStore
- type: string
- name:
- description: Name of the SecretStore resource
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- type: object
- type: object
- type: object
- type: array
- refreshInterval:
- default: 1h0m0s
- description: |-
- RefreshInterval is the amount of time before the values are read again from the SecretStore provider,
- specified as Golang Duration strings.
- Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
- Example values: "1h0m0s", "2h30m0s", "10m0s"
- May be set to "0s" to fetch and create it once. Defaults to 1h0m0s.
- type: string
- refreshPolicy:
- description: |-
- RefreshPolicy determines how the ExternalSecret should be refreshed:
- - CreatedOnce: Creates the Secret only if it does not exist and does not update it thereafter
- - Periodic: Synchronizes the Secret from the external source at regular intervals specified by refreshInterval.
- No periodic updates occur if refreshInterval is 0.
- - OnChange: Only synchronizes the Secret when the ExternalSecret's metadata or specification changes
- enum:
- - CreatedOnce
- - Periodic
- - OnChange
- type: string
- secretStoreRef:
- description: SecretStoreRef defines which SecretStore to fetch
- the ExternalSecret data.
- properties:
- kind:
- description: |-
- Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
- Defaults to `SecretStore`
- enum:
- - SecretStore
- - ClusterSecretStore
- type: string
- name:
- description: Name of the SecretStore resource
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- type: object
- target:
- default:
- creationPolicy: Owner
- deletionPolicy: Retain
- description: |-
- ExternalSecretTarget defines the Kubernetes Secret to be created,
- there can be only one target per ExternalSecret.
- properties:
- creationPolicy:
- default: Owner
- description: |-
- CreationPolicy defines rules on how to create the resulting Secret.
- Defaults to "Owner"
- enum:
- - Owner
- - Orphan
- - Merge
- - None
- type: string
- deletionPolicy:
- default: Retain
- description: |-
- DeletionPolicy defines rules on how to delete the resulting Secret.
- Defaults to "Retain"
- enum:
- - Delete
- - Merge
- - Retain
- type: string
- immutable:
- description: Immutable defines if the final secret will be
- immutable
- type: boolean
- manifest:
- description: |-
- Manifest defines a custom Kubernetes resource to create instead of a Secret.
- When specified, ExternalSecret will create the resource type defined here
- (e.g., ConfigMap, Custom Resource) instead of a Secret.
- Warning: Using Generic target. Make sure access policies and encryption are properly configured.
- properties:
- apiVersion:
- description: APIVersion of the target resource (e.g.,
- "v1" for ConfigMap, "argoproj.io/v1alpha1" for ArgoCD
- Application)
- minLength: 1
- type: string
- kind:
- description: Kind of the target resource (e.g., "ConfigMap",
- "Application")
- minLength: 1
- type: string
- required:
- - apiVersion
- - kind
- type: object
- name:
- description: |-
- The name of the Secret resource to be managed.
- Defaults to the .metadata.name of the ExternalSecret resource
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- template:
- description: Template defines a blueprint for the created
- Secret resource.
- properties:
- data:
- additionalProperties:
- type: string
- type: object
- engineVersion:
- default: v2
- description: |-
- EngineVersion specifies the template engine version
- that should be used to compile/execute the
- template specified in .data and .templateFrom[].
- enum:
- - v2
- type: string
- mergePolicy:
- default: Replace
- description: TemplateMergePolicy defines how the rendered
- template should be merged with the existing Secret data.
- enum:
- - Replace
- - Merge
- type: string
- metadata:
- description: ExternalSecretTemplateMetadata defines metadata
- fields for the Secret blueprint.
- properties:
- annotations:
- additionalProperties:
- type: string
- type: object
- finalizers:
- items:
- type: string
- type: array
- labels:
- additionalProperties:
- type: string
- type: object
- type: object
- templateFrom:
- items:
- description: |-
- TemplateFrom specifies a source for templates.
- Each item in the list can either reference a ConfigMap or a Secret resource.
- properties:
- configMap:
- description: TemplateRef specifies a reference to
- either a ConfigMap or a Secret resource.
- properties:
- items:
- description: A list of keys in the ConfigMap/Secret
- to use as templates for Secret data
- items:
- description: TemplateRefItem specifies a key
- in the ConfigMap/Secret to use as a template
- for Secret data.
- properties:
- key:
- description: A key in the ConfigMap/Secret
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- templateAs:
- default: Values
- description: TemplateScope specifies how
- the template keys should be interpreted.
- enum:
- - Values
- - KeysAndValues
- type: string
- required:
- - key
- type: object
- type: array
- name:
- description: The name of the ConfigMap/Secret
- resource
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- required:
- - items
- - name
- type: object
- literal:
- type: string
- secret:
- description: TemplateRef specifies a reference to
- either a ConfigMap or a Secret resource.
- properties:
- items:
- description: A list of keys in the ConfigMap/Secret
- to use as templates for Secret data
- items:
- description: TemplateRefItem specifies a key
- in the ConfigMap/Secret to use as a template
- for Secret data.
- properties:
- key:
- description: A key in the ConfigMap/Secret
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- templateAs:
- default: Values
- description: TemplateScope specifies how
- the template keys should be interpreted.
- enum:
- - Values
- - KeysAndValues
- type: string
- required:
- - key
- type: object
- type: array
- name:
- description: The name of the ConfigMap/Secret
- resource
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- required:
- - items
- - name
- type: object
- target:
- default: Data
- description: |-
- Target specifies where to place the template result.
- For Secret resources, common values are: "Data", "Annotations", "Labels".
- For custom resources (when spec.target.manifest is set), this supports
- nested paths like "spec.database.config" or "data".
- type: string
- type: object
- type: array
- type:
- type: string
- type: object
- type: object
- type: object
- namespaceSelector:
- description: |-
- The labels to select by to find the Namespaces to create the ExternalSecrets in.
- Deprecated: Use NamespaceSelectors instead.
- properties:
- matchExpressions:
- description: matchExpressions is a list of label selector requirements.
- The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the selector applies
- to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- required:
- - key
- - operator
- type: object
- type: array
- x-kubernetes-list-type: atomic
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- namespaceSelectors:
- description: A list of labels to select by to find the Namespaces
- to create the ExternalSecrets in. The selectors are ORed.
- items:
- description: |-
- A label selector is a label query over a set of resources. The result of matchLabels and
- matchExpressions are ANDed. An empty label selector matches all objects. A null
- label selector matches no objects.
- properties:
- matchExpressions:
- description: matchExpressions is a list of label selector requirements.
- The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the selector applies
- to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- required:
- - key
- - operator
- type: object
- type: array
- x-kubernetes-list-type: atomic
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- type: array
- namespaces:
- description: |-
- Choose namespaces by name. This field is ORed with anything that NamespaceSelectors ends up choosing.
- Deprecated: Use NamespaceSelectors instead.
- items:
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: array
- refreshTime:
- description: The time in which the controller should reconcile its
- objects and recheck namespaces for labels.
- type: string
- required:
- - externalSecretSpec
- type: object
- status:
- description: ClusterExternalSecretStatus defines the observed state of
- ClusterExternalSecret.
- properties:
- conditions:
- items:
- description: ClusterExternalSecretStatusCondition defines the observed
- state of a ClusterExternalSecret resource.
- properties:
- message:
- type: string
- status:
- type: string
- type:
- description: ClusterExternalSecretConditionType defines a value
- type for ClusterExternalSecret conditions.
- type: string
- required:
- - status
- - type
- type: object
- type: array
- externalSecretName:
- description: ExternalSecretName is the name of the ExternalSecrets
- created by the ClusterExternalSecret
- type: string
- failedNamespaces:
- description: Failed namespaces are the namespaces that failed to apply
- an ExternalSecret
- items:
- description: ClusterExternalSecretNamespaceFailure represents a
- failed namespace deployment and it's reason.
- properties:
- namespace:
- description: Namespace is the namespace that failed when trying
- to apply an ExternalSecret
- type: string
- reason:
- description: Reason is why the ExternalSecret failed to apply
- to the namespace
- type: string
- required:
- - namespace
- type: object
- type: array
- provisionedNamespaces:
- description: ProvisionedNamespaces are the namespaces where the ClusterExternalSecret
- has secrets
- items:
- type: string
- type: array
- type: object
- type: object
- served: true
- storage: true
- subresources:
- status: {}
- - additionalPrinterColumns:
- - jsonPath: .spec.externalSecretSpec.secretStoreRef.name
- name: Store
- type: string
- - jsonPath: .spec.refreshTime
- name: Refresh Interval
- type: string
- - jsonPath: .status.conditions[?(@.type=="Ready")].status
- name: Ready
- type: string
- deprecated: true
- name: v1beta1
- schema:
- openAPIV3Schema:
- description: ClusterExternalSecret is the schema for the clusterexternalsecrets
- API.
- properties:
- apiVersion:
- description: |-
- APIVersion defines the versioned schema of this representation of an object.
- Servers should convert recognized schemas to the latest internal value, and
- may reject unrecognized values.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
- type: string
- kind:
- description: |-
- Kind is a string value representing the REST resource this object represents.
- Servers may infer this from the endpoint the client submits requests to.
- Cannot be updated.
- In CamelCase.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
- type: string
- metadata:
- type: object
- spec:
- description: ClusterExternalSecretSpec defines the desired state of ClusterExternalSecret.
- properties:
- externalSecretMetadata:
- description: The metadata of the external secrets to be created
- properties:
- annotations:
- additionalProperties:
- type: string
- type: object
- labels:
- additionalProperties:
- type: string
- type: object
- type: object
- externalSecretName:
- description: |-
- The name of the external secrets to be created.
- Defaults to the name of the ClusterExternalSecret
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- externalSecretSpec:
- description: The spec for the ExternalSecrets to be created
- properties:
- data:
- description: Data defines the connection between the Kubernetes
- Secret keys and the Provider data
- items:
- description: ExternalSecretData defines the connection between
- the Kubernetes Secret key (spec.data.<key>) and the Provider
- data.
- properties:
- remoteRef:
- description: |-
- RemoteRef points to the remote secret and defines
- which secret (version/property/..) to fetch.
- properties:
- conversionStrategy:
- default: Default
- description: Used to define a conversion Strategy
- enum:
- - Default
- - Unicode
- type: string
- decodingStrategy:
- default: None
- description: Used to define a decoding Strategy
- enum:
- - Auto
- - Base64
- - Base64URL
- - None
- type: string
- key:
- description: Key is the key used in the Provider, mandatory
- type: string
- metadataPolicy:
- default: None
- description: Policy for fetching tags/labels from provider
- secrets, possible options are Fetch, None. Defaults
- to None
- enum:
- - None
- - Fetch
- type: string
- property:
- description: Used to select a specific property of the
- Provider value (if a map), if supported
- type: string
- version:
- description: Used to select a specific version of the
- Provider value, if supported
- type: string
- required:
- - key
- type: object
- secretKey:
- description: The key in the Kubernetes Secret to store the
- value.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- sourceRef:
- description: |-
- SourceRef allows you to override the source
- from which the value will be pulled.
- maxProperties: 1
- minProperties: 1
- properties:
- generatorRef:
- description: |-
- GeneratorRef points to a generator custom resource.
- Deprecated: The generatorRef is not implemented in .data[].
- this will be removed with v1.
- properties:
- apiVersion:
- default: generators.external-secrets.io/v1alpha1
- description: Specify the apiVersion of the generator
- resource
- type: string
- kind:
- description: Specify the Kind of the generator resource
- enum:
- - ACRAccessToken
- - ClusterGenerator
- - ECRAuthorizationToken
- - Fake
- - GCRAccessToken
- - GithubAccessToken
- - QuayAccessToken
- - Password
- - SSHKey
- - STSSessionToken
- - UUID
- - VaultDynamicSecret
- - Webhook
- - Grafana
- type: string
- name:
- description: Specify the name of the generator resource
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- required:
- - kind
- - name
- type: object
- storeRef:
- description: SecretStoreRef defines which SecretStore
- to fetch the ExternalSecret data.
- properties:
- kind:
- description: |-
- Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
- Defaults to `SecretStore`
- enum:
- - SecretStore
- - ClusterSecretStore
- type: string
- name:
- description: Name of the SecretStore resource
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- type: object
- type: object
- required:
- - remoteRef
- - secretKey
- type: object
- type: array
- dataFrom:
- description: |-
- DataFrom is used to fetch all properties from a specific Provider data
- If multiple entries are specified, the Secret keys are merged in the specified order
- items:
- description: ExternalSecretDataFromRemoteRef defines a reference
- to multiple secrets in the provider to be fetched using options.
- properties:
- extract:
- description: |-
- Used to extract multiple key/value pairs from one secret
- Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
- properties:
- conversionStrategy:
- default: Default
- description: Used to define a conversion Strategy
- enum:
- - Default
- - Unicode
- type: string
- decodingStrategy:
- default: None
- description: Used to define a decoding Strategy
- enum:
- - Auto
- - Base64
- - Base64URL
- - None
- type: string
- key:
- description: Key is the key used in the Provider, mandatory
- type: string
- metadataPolicy:
- default: None
- description: Policy for fetching tags/labels from provider
- secrets, possible options are Fetch, None. Defaults
- to None
- enum:
- - None
- - Fetch
- type: string
- property:
- description: Used to select a specific property of the
- Provider value (if a map), if supported
- type: string
- version:
- description: Used to select a specific version of the
- Provider value, if supported
- type: string
- required:
- - key
- type: object
- find:
- description: |-
- Used to find secrets based on tags or regular expressions
- Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
- properties:
- conversionStrategy:
- default: Default
- description: Used to define a conversion Strategy
- enum:
- - Default
- - Unicode
- type: string
- decodingStrategy:
- default: None
- description: Used to define a decoding Strategy
- enum:
- - Auto
- - Base64
- - Base64URL
- - None
- type: string
- name:
- description: Finds secrets based on the name.
- properties:
- regexp:
- description: Finds secrets base
- type: string
- type: object
- path:
- description: A root path to start the find operations.
- type: string
- tags:
- additionalProperties:
- type: string
- description: Find secrets based on tags.
- type: object
- type: object
- rewrite:
- description: |-
- Used to rewrite secret Keys after getting them from the secret Provider
- Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
- items:
- description: ExternalSecretRewrite defines rules on how
- to rewrite secret keys.
- maxProperties: 1
- minProperties: 1
- properties:
- regexp:
- description: |-
- Used to rewrite with regular expressions.
- The resulting key will be the output of a regexp.ReplaceAll operation.
- properties:
- source:
- description: Used to define the regular expression
- of a re.Compiler.
- type: string
- target:
- description: Used to define the target pattern
- of a ReplaceAll operation.
- type: string
- required:
- - source
- - target
- type: object
- transform:
- description: |-
- Used to apply string transformation on the secrets.
- The resulting key will be the output of the template applied by the operation.
- properties:
- template:
- description: |-
- Used to define the template to apply on the secret name.
- `.value ` will specify the secret name in the template.
- type: string
- required:
- - template
- type: object
- type: object
- type: array
- sourceRef:
- description: |-
- SourceRef points to a store or generator
- which contains secret values ready to use.
- Use this in combination with Extract or Find pull values out of
- a specific SecretStore.
- When sourceRef points to a generator Extract or Find is not supported.
- The generator returns a static map of values
- maxProperties: 1
- minProperties: 1
- properties:
- generatorRef:
- description: GeneratorRef points to a generator custom
- resource.
- properties:
- apiVersion:
- default: generators.external-secrets.io/v1alpha1
- description: Specify the apiVersion of the generator
- resource
- type: string
- kind:
- description: Specify the Kind of the generator resource
- enum:
- - ACRAccessToken
- - ClusterGenerator
- - ECRAuthorizationToken
- - Fake
- - GCRAccessToken
- - GithubAccessToken
- - QuayAccessToken
- - Password
- - SSHKey
- - STSSessionToken
- - UUID
- - VaultDynamicSecret
- - Webhook
- - Grafana
- type: string
- name:
- description: Specify the name of the generator resource
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- required:
- - kind
- - name
- type: object
- storeRef:
- description: SecretStoreRef defines which SecretStore
- to fetch the ExternalSecret data.
- properties:
- kind:
- description: |-
- Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
- Defaults to `SecretStore`
- enum:
- - SecretStore
- - ClusterSecretStore
- type: string
- name:
- description: Name of the SecretStore resource
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- type: object
- type: object
- type: object
- type: array
- refreshInterval:
- default: 1h0m0s
- description: |-
- RefreshInterval is the amount of time before the values are read again from the SecretStore provider,
- specified as Golang Duration strings.
- Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
- Example values: "1h0m0s", "2h30m0s", "10m0s"
- May be set to "0s" to fetch and create it once. Defaults to 1h0m0s.
- type: string
- refreshPolicy:
- description: |-
- RefreshPolicy determines how the ExternalSecret should be refreshed:
- - CreatedOnce: Creates the Secret only if it does not exist and does not update it thereafter
- - Periodic: Synchronizes the Secret from the external source at regular intervals specified by refreshInterval.
- No periodic updates occur if refreshInterval is 0.
- - OnChange: Only synchronizes the Secret when the ExternalSecret's metadata or specification changes
- enum:
- - CreatedOnce
- - Periodic
- - OnChange
- type: string
- secretStoreRef:
- description: SecretStoreRef defines which SecretStore to fetch
- the ExternalSecret data.
- properties:
- kind:
- description: |-
- Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
- Defaults to `SecretStore`
- enum:
- - SecretStore
- - ClusterSecretStore
- type: string
- name:
- description: Name of the SecretStore resource
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- type: object
- target:
- default:
- creationPolicy: Owner
- deletionPolicy: Retain
- description: |-
- ExternalSecretTarget defines the Kubernetes Secret to be created
- There can be only one target per ExternalSecret.
- properties:
- creationPolicy:
- default: Owner
- description: |-
- CreationPolicy defines rules on how to create the resulting Secret.
- Defaults to "Owner"
- enum:
- - Owner
- - Orphan
- - Merge
- - None
- type: string
- deletionPolicy:
- default: Retain
- description: |-
- DeletionPolicy defines rules on how to delete the resulting Secret.
- Defaults to "Retain"
- enum:
- - Delete
- - Merge
- - Retain
- type: string
- immutable:
- description: Immutable defines if the final secret will be
- immutable
- type: boolean
- name:
- description: |-
- The name of the Secret resource to be managed.
- Defaults to the .metadata.name of the ExternalSecret resource
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- template:
- description: Template defines a blueprint for the created
- Secret resource.
- properties:
- data:
- additionalProperties:
- type: string
- type: object
- engineVersion:
- default: v2
- description: |-
- EngineVersion specifies the template engine version
- that should be used to compile/execute the
- template specified in .data and .templateFrom[].
- enum:
- - v2
- type: string
- mergePolicy:
- default: Replace
- description: TemplateMergePolicy defines how template
- values should be merged when generating a secret.
- enum:
- - Replace
- - Merge
- type: string
- metadata:
- description: ExternalSecretTemplateMetadata defines metadata
- fields for the Secret blueprint.
- properties:
- annotations:
- additionalProperties:
- type: string
- type: object
- labels:
- additionalProperties:
- type: string
- type: object
- type: object
- templateFrom:
- items:
- description: TemplateFrom defines a source for template
- data.
- properties:
- configMap:
- description: TemplateRef defines a reference to
- a template source in a ConfigMap or Secret.
- properties:
- items:
- description: A list of keys in the ConfigMap/Secret
- to use as templates for Secret data
- items:
- description: TemplateRefItem defines which
- key in the referenced ConfigMap or Secret
- to use as a template.
- properties:
- key:
- description: A key in the ConfigMap/Secret
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- templateAs:
- default: Values
- description: TemplateScope defines the
- scope of the template when processing
- template data.
- enum:
- - Values
- - KeysAndValues
- type: string
- required:
- - key
- type: object
- type: array
- name:
- description: The name of the ConfigMap/Secret
- resource
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- required:
- - items
- - name
- type: object
- literal:
- type: string
- secret:
- description: TemplateRef defines a reference to
- a template source in a ConfigMap or Secret.
- properties:
- items:
- description: A list of keys in the ConfigMap/Secret
- to use as templates for Secret data
- items:
- description: TemplateRefItem defines which
- key in the referenced ConfigMap or Secret
- to use as a template.
- properties:
- key:
- description: A key in the ConfigMap/Secret
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- templateAs:
- default: Values
- description: TemplateScope defines the
- scope of the template when processing
- template data.
- enum:
- - Values
- - KeysAndValues
- type: string
- required:
- - key
- type: object
- type: array
- name:
- description: The name of the ConfigMap/Secret
- resource
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- required:
- - items
- - name
- type: object
- target:
- default: Data
- description: TemplateTarget defines the target field
- where the template result will be stored.
- enum:
- - Data
- - Annotations
- - Labels
- type: string
- type: object
- type: array
- type:
- type: string
- type: object
- type: object
- type: object
- namespaceSelector:
- description: The labels to select by to find the Namespaces to create
- the ExternalSecrets in
- properties:
- matchExpressions:
- description: matchExpressions is a list of label selector requirements.
- The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the selector applies
- to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- required:
- - key
- - operator
- type: object
- type: array
- x-kubernetes-list-type: atomic
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- namespaceSelectors:
- description: A list of labels to select by to find the Namespaces
- to create the ExternalSecrets in. The selectors are ORed.
- items:
- description: |-
- A label selector is a label query over a set of resources. The result of matchLabels and
- matchExpressions are ANDed. An empty label selector matches all objects. A null
- label selector matches no objects.
- properties:
- matchExpressions:
- description: matchExpressions is a list of label selector requirements.
- The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the selector applies
- to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- required:
- - key
- - operator
- type: object
- type: array
- x-kubernetes-list-type: atomic
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- type: array
- namespaces:
- description: |-
- Choose namespaces by name. This field is ORed with anything that NamespaceSelectors ends up choosing.
- Deprecated: Use NamespaceSelectors instead.
- items:
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: array
- refreshTime:
- description: The time in which the controller should reconcile its
- objects and recheck namespaces for labels.
- type: string
- required:
- - externalSecretSpec
- type: object
- status:
- description: ClusterExternalSecretStatus defines the observed state of
- ClusterExternalSecret.
- properties:
- conditions:
- items:
- description: ClusterExternalSecretStatusCondition indicates the
- status of the ClusterExternalSecret.
- properties:
- message:
- type: string
- status:
- type: string
- type:
- description: ClusterExternalSecretConditionType indicates the
- condition of the ClusterExternalSecret.
- type: string
- required:
- - status
- - type
- type: object
- type: array
- externalSecretName:
- description: ExternalSecretName is the name of the ExternalSecrets
- created by the ClusterExternalSecret
- type: string
- failedNamespaces:
- description: Failed namespaces are the namespaces that failed to apply
- an ExternalSecret
- items:
- description: ClusterExternalSecretNamespaceFailure represents a
- failed namespace deployment and it's reason.
- properties:
- namespace:
- description: Namespace is the namespace that failed when trying
- to apply an ExternalSecret
- type: string
- reason:
- description: Reason is why the ExternalSecret failed to apply
- to the namespace
- type: string
- required:
- - namespace
- type: object
- type: array
- provisionedNamespaces:
- description: ProvisionedNamespaces are the namespaces where the ClusterExternalSecret
- has secrets
- items:
- type: string
- type: array
- type: object
- type: object
- served: false
- storage: false
- subresources:
- status: {}
|
