generators.external-secrets.io_clustergenerators.yaml 152 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263126412651266126712681269127012711272127312741275127612771278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302130313041305130613071308130913101311131213131314131513161317131813191320132113221323132413251326132713281329133013311332133313341335133613371338133913401341134213431344134513461347134813491350135113521353135413551356135713581359136013611362136313641365136613671368136913701371137213731374137513761377137813791380138113821383138413851386138713881389139013911392139313941395139613971398139914001401140214031404140514061407140814091410141114121413141414151416141714181419142014211422142314241425142614271428142914301431143214331434143514361437143814391440144114421443144414451446144714481449145014511452145314541455145614571458145914601461146214631464146514661467146814691470147114721473147414751476147714781479148014811482148314841485148614871488148914901491149214931494149514961497149814991500150115021503150415051506150715081509151015111512151315141515151615171518151915201521152215231524152515261527152815291530153115321533153415351536153715381539154015411542154315441545154615471548154915501551155215531554155515561557155815591560156115621563156415651566156715681569157015711572157315741575157615771578157915801581158215831584158515861587158815891590159115921593159415951596159715981599160016011602160316041605160616071608160916101611161216131614161516161617161816191620162116221623162416251626162716281629163016311632163316341635163616371638163916401641164216431644164516461647164816491650165116521653165416551656165716581659166016611662166316641665166616671668166916701671167216731674167516761677167816791680168116821683168416851686168716881689169016911692169316941695169616971698169917001701170217031704170517061707170817091710171117121713171417151716171717181719172017211722172317241725172617271728172917301731173217331734173517361737173817391740174117421743174417451746174717481749175017511752175317541755175617571758175917601761176217631764176517661767176817691770177117721773177417751776177717781779178017811782178317841785178617871788178917901791179217931794179517961797179817991800180118021803180418051806180718081809181018111812181318141815181618171818181918201821182218231824182518261827182818291830183118321833183418351836183718381839184018411842184318441845184618471848184918501851185218531854185518561857185818591860186118621863186418651866186718681869187018711872187318741875187618771878187918801881188218831884188518861887188818891890189118921893189418951896189718981899190019011902190319041905190619071908190919101911191219131914191519161917191819191920192119221923192419251926192719281929193019311932193319341935193619371938193919401941194219431944194519461947194819491950195119521953195419551956195719581959196019611962196319641965196619671968196919701971197219731974197519761977197819791980198119821983198419851986198719881989199019911992199319941995199619971998199920002001200220032004200520062007200820092010201120122013201420152016201720182019202020212022202320242025202620272028202920302031203220332034203520362037203820392040204120422043204420452046204720482049205020512052205320542055205620572058205920602061206220632064206520662067206820692070207120722073207420752076207720782079208020812082208320842085208620872088208920902091209220932094209520962097209820992100210121022103210421052106210721082109211021112112211321142115211621172118211921202121212221232124212521262127212821292130213121322133213421352136213721382139214021412142214321442145214621472148214921502151215221532154215521562157215821592160216121622163216421652166216721682169217021712172217321742175217621772178217921802181218221832184218521862187218821892190219121922193219421952196219721982199220022012202220322042205220622072208220922102211221222132214221522162217221822192220222122222223222422252226222722282229223022312232223322342235223622372238223922402241224222432244224522462247224822492250225122522253225422552256225722582259226022612262226322642265226622672268226922702271227222732274227522762277227822792280228122822283228422852286228722882289229022912292229322942295229622972298229923002301230223032304230523062307230823092310231123122313231423152316231723182319232023212322232323242325232623272328232923302331233223332334233523362337233823392340234123422343234423452346234723482349235023512352235323542355235623572358235923602361236223632364236523662367236823692370237123722373237423752376237723782379238023812382238323842385238623872388238923902391239223932394239523962397239823992400240124022403240424052406240724082409241024112412241324142415241624172418241924202421242224232424242524262427242824292430243124322433243424352436243724382439244024412442244324442445244624472448244924502451245224532454245524562457245824592460246124622463246424652466246724682469247024712472247324742475247624772478247924802481248224832484248524862487248824892490249124922493249424952496249724982499250025012502250325042505250625072508250925102511251225132514251525162517251825192520252125222523252425252526252725282529253025312532253325342535253625372538253925402541254225432544254525462547254825492550255125522553255425552556255725582559256025612562256325642565256625672568256925702571257225732574
  1. apiVersion: apiextensions.k8s.io/v1
  2. kind: CustomResourceDefinition
  3. metadata:
  4. annotations:
  5. controller-gen.kubebuilder.io/version: v0.19.0
  6. labels:
  7. external-secrets.io/component: controller
  8. name: clustergenerators.generators.external-secrets.io
  9. spec:
  10. group: generators.external-secrets.io
  11. names:
  12. categories:
  13. - external-secrets
  14. - external-secrets-generators
  15. kind: ClusterGenerator
  16. listKind: ClusterGeneratorList
  17. plural: clustergenerators
  18. singular: clustergenerator
  19. scope: Cluster
  20. versions:
  21. - name: v1alpha1
  22. schema:
  23. openAPIV3Schema:
  24. description: ClusterGenerator represents a cluster-wide generator which can
  25. be referenced as part of `generatorRef` fields.
  26. properties:
  27. apiVersion:
  28. description: |-
  29. APIVersion defines the versioned schema of this representation of an object.
  30. Servers should convert recognized schemas to the latest internal value, and
  31. may reject unrecognized values.
  32. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  33. type: string
  34. kind:
  35. description: |-
  36. Kind is a string value representing the REST resource this object represents.
  37. Servers may infer this from the endpoint the client submits requests to.
  38. Cannot be updated.
  39. In CamelCase.
  40. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  41. type: string
  42. metadata:
  43. type: object
  44. spec:
  45. description: ClusterGeneratorSpec defines the desired state of a ClusterGenerator.
  46. properties:
  47. generator:
  48. description: Generator the spec for this generator, must match the
  49. kind.
  50. maxProperties: 1
  51. minProperties: 1
  52. properties:
  53. acrAccessTokenSpec:
  54. description: |-
  55. ACRAccessTokenSpec defines how to generate the access token
  56. e.g. how to authenticate and which registry to use.
  57. see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview
  58. properties:
  59. auth:
  60. description: ACRAuth defines the authentication methods for
  61. Azure Container Registry.
  62. properties:
  63. managedIdentity:
  64. description: ManagedIdentity uses Azure Managed Identity
  65. to authenticate with Azure.
  66. properties:
  67. identityId:
  68. description: If multiple Managed Identity is assigned
  69. to the pod, you can select the one to be used
  70. type: string
  71. type: object
  72. servicePrincipal:
  73. description: ServicePrincipal uses Azure Service Principal
  74. credentials to authenticate with Azure.
  75. properties:
  76. secretRef:
  77. description: |-
  78. AzureACRServicePrincipalAuthSecretRef defines the secret references for Azure Service Principal authentication.
  79. It uses static credentials stored in a Kind=Secret.
  80. properties:
  81. clientId:
  82. description: The Azure clientId of the service
  83. principle used for authentication.
  84. properties:
  85. key:
  86. description: |-
  87. A key in the referenced Secret.
  88. Some instances of this field may be defaulted, in others it may be required.
  89. maxLength: 253
  90. minLength: 1
  91. pattern: ^[-._a-zA-Z0-9]+$
  92. type: string
  93. name:
  94. description: The name of the Secret resource
  95. being referred to.
  96. maxLength: 253
  97. minLength: 1
  98. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  99. type: string
  100. namespace:
  101. description: |-
  102. The namespace of the Secret resource being referred to.
  103. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  104. maxLength: 63
  105. minLength: 1
  106. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  107. type: string
  108. type: object
  109. clientSecret:
  110. description: The Azure ClientSecret of the service
  111. principle used for authentication.
  112. properties:
  113. key:
  114. description: |-
  115. A key in the referenced Secret.
  116. Some instances of this field may be defaulted, in others it may be required.
  117. maxLength: 253
  118. minLength: 1
  119. pattern: ^[-._a-zA-Z0-9]+$
  120. type: string
  121. name:
  122. description: The name of the Secret resource
  123. being referred to.
  124. maxLength: 253
  125. minLength: 1
  126. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  127. type: string
  128. namespace:
  129. description: |-
  130. The namespace of the Secret resource being referred to.
  131. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  132. maxLength: 63
  133. minLength: 1
  134. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  135. type: string
  136. type: object
  137. type: object
  138. required:
  139. - secretRef
  140. type: object
  141. workloadIdentity:
  142. description: WorkloadIdentity uses Azure Workload Identity
  143. to authenticate with Azure.
  144. properties:
  145. serviceAccountRef:
  146. description: |-
  147. ServiceAccountRef specified the service account
  148. that should be used when authenticating with WorkloadIdentity.
  149. properties:
  150. audiences:
  151. description: |-
  152. Audience specifies the `aud` claim for the service account token
  153. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  154. then this audiences will be appended to the list
  155. items:
  156. type: string
  157. type: array
  158. name:
  159. description: The name of the ServiceAccount resource
  160. being referred to.
  161. maxLength: 253
  162. minLength: 1
  163. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  164. type: string
  165. namespace:
  166. description: |-
  167. Namespace of the resource being referred to.
  168. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  169. maxLength: 63
  170. minLength: 1
  171. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  172. type: string
  173. required:
  174. - name
  175. type: object
  176. type: object
  177. type: object
  178. environmentType:
  179. default: PublicCloud
  180. description: |-
  181. EnvironmentType specifies the Azure cloud environment endpoints to use for
  182. connecting and authenticating with Azure. By default, it points to the public cloud AAD endpoint.
  183. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
  184. PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
  185. enum:
  186. - PublicCloud
  187. - USGovernmentCloud
  188. - ChinaCloud
  189. - GermanCloud
  190. - AzureStackCloud
  191. type: string
  192. registry:
  193. description: |-
  194. the domain name of the ACR registry
  195. e.g. foobarexample.azurecr.io
  196. type: string
  197. scope:
  198. description: |-
  199. Define the scope for the access token, e.g. pull/push access for a repository.
  200. if not provided it will return a refresh token that has full scope.
  201. Note: you need to pin it down to the repository level, there is no wildcard available.
  202. examples:
  203. repository:my-repository:pull,push
  204. repository:my-repository:pull
  205. see docs for details: https://docs.docker.com/registry/spec/auth/scope/
  206. type: string
  207. tenantId:
  208. description: TenantID configures the Azure Tenant to send
  209. requests to. Required for ServicePrincipal auth type.
  210. type: string
  211. required:
  212. - auth
  213. - registry
  214. type: object
  215. beyondtrustWorkloadCredentialsDynamicSecretSpec:
  216. description: |-
  217. BeyondtrustWorkloadCredentialsDynamicSecretSpec defines the desired spec for BeyondtrustWorkloadCredentials dynamic generator.
  218. This generator enables obtaining temporary, short-lived credentials from BeyondTrust Workload Credentials.
  219. For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
  220. properties:
  221. controller:
  222. description: |-
  223. Controller selects the controller that should handle this generator.
  224. Leave empty to use the default controller.
  225. type: string
  226. provider:
  227. description: |-
  228. Provider contains the BeyondtrustWorkloadCredentials provider configuration including authentication,
  229. server connection details, and the folder path to the dynamic secret definition.
  230. The folderPath should point to a dynamic secret definition that has been created in
  231. BeyondTrust Workload Credentials (e.g., "production/aws-temp").
  232. For setup details, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
  233. properties:
  234. auth:
  235. description: |-
  236. Auth configures how the Operator authenticates with the BeyondTrust Workload Credentials API.
  237. Currently supports API key authentication via Kubernetes secret reference.
  238. For authentication setup, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#authentication
  239. properties:
  240. apikey:
  241. description: |-
  242. APIKey configures API token authentication for BeyondTrust Workload Credentials.
  243. The token is retrieved from a Kubernetes secret and used as a Bearer token for API requests.
  244. properties:
  245. token:
  246. description: |-
  247. Token references the Kubernetes secret containing the BeyondTrust Workload Credentials API token.
  248. The secret should contain the API key used to authenticate with BeyondTrust Workload Credentials.
  249. Create an API token in your BeyondTrust Workload Credentials console and store it in a Kubernetes secret.
  250. For details on creating API tokens, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#authentication
  251. properties:
  252. key:
  253. description: |-
  254. A key in the referenced Secret.
  255. Some instances of this field may be defaulted, in others it may be required.
  256. maxLength: 253
  257. minLength: 1
  258. pattern: ^[-._a-zA-Z0-9]+$
  259. type: string
  260. name:
  261. description: The name of the Secret resource
  262. being referred to.
  263. maxLength: 253
  264. minLength: 1
  265. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  266. type: string
  267. namespace:
  268. description: |-
  269. The namespace of the Secret resource being referred to.
  270. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  271. maxLength: 63
  272. minLength: 1
  273. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  274. type: string
  275. type: object
  276. required:
  277. - token
  278. type: object
  279. required:
  280. - apikey
  281. type: object
  282. caBundle:
  283. description: |-
  284. CABundle is a base64-encoded CA certificate used to validate the BeyondTrust Workload Credentials API TLS certificate.
  285. Use this when your BeyondTrust instance uses a self-signed certificate or internal CA.
  286. If not set, the system's trusted root certificates are used.
  287. format: byte
  288. type: string
  289. caProvider:
  290. description: |-
  291. CAProvider points to a Secret or ConfigMap containing a PEM-encoded CA certificate.
  292. This is used to validate the BeyondTrust Workload Credentials API TLS certificate.
  293. Use this as an alternative to CABundle when you want to reference an existing Kubernetes resource.
  294. properties:
  295. key:
  296. description: The key where the CA certificate can
  297. be found in the Secret or ConfigMap.
  298. maxLength: 253
  299. minLength: 1
  300. pattern: ^[-._a-zA-Z0-9]+$
  301. type: string
  302. name:
  303. description: The name of the object located at the
  304. provider type.
  305. maxLength: 253
  306. minLength: 1
  307. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  308. type: string
  309. namespace:
  310. description: |-
  311. The namespace the Provider type is in.
  312. Can only be defined when used in a ClusterSecretStore.
  313. maxLength: 63
  314. minLength: 1
  315. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  316. type: string
  317. type:
  318. description: The type of provider to use such as "Secret",
  319. or "ConfigMap".
  320. enum:
  321. - Secret
  322. - ConfigMap
  323. type: string
  324. required:
  325. - name
  326. - type
  327. type: object
  328. folderPath:
  329. description: |-
  330. FolderPath specifies the default folder path for secret retrieval.
  331. Secrets will be fetched from this folder unless overridden in the ExternalSecret spec.
  332. Example: "production/database" or "dev/api-keys"
  333. Leave empty to retrieve secrets from the root folder.
  334. For folder organization, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#folders
  335. type: string
  336. server:
  337. description: |-
  338. Server configures the BeyondTrust Workload Credentials server connection details.
  339. Includes the API URL and Site ID for your BeyondTrust instance.
  340. For API reference, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
  341. properties:
  342. apiUrl:
  343. description: |-
  344. APIURL is the base URL of your BeyondTrust Workload Credentials API server.
  345. This should be the full URL to your BeyondTrust instance.
  346. Example: https://api.beyondtrust.io/siie
  347. For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#base-url
  348. type: string
  349. siteId:
  350. description: |-
  351. SiteID is your BeyondTrust Workload Credentials site identifier (UUID format).
  352. This identifier is unique to your BeyondTrust Workload Credentials instance.
  353. You can find your Site ID in the BeyondTrust Workload Credentials admin console.
  354. Example: a1b2c3d4-e5f6-4890-abcd-ef1234567890
  355. For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
  356. type: string
  357. required:
  358. - apiUrl
  359. - siteId
  360. type: object
  361. required:
  362. - auth
  363. - server
  364. type: object
  365. retrySettings:
  366. description: |-
  367. RetrySettings configures exponential backoff for failed API requests.
  368. If not specified, uses the default retry settings.
  369. properties:
  370. maxRetries:
  371. format: int32
  372. type: integer
  373. retryInterval:
  374. type: string
  375. type: object
  376. required:
  377. - provider
  378. type: object
  379. cloudsmithAccessTokenSpec:
  380. description: CloudsmithAccessTokenSpec defines the configuration
  381. for generating a Cloudsmith access token using OIDC authentication.
  382. properties:
  383. apiUrl:
  384. description: APIURL configures the Cloudsmith API URL. Defaults
  385. to https://api.cloudsmith.io.
  386. type: string
  387. orgSlug:
  388. description: OrgSlug is the organization slug in Cloudsmith
  389. type: string
  390. serviceAccountRef:
  391. description: Name of the service account you are federating
  392. with
  393. properties:
  394. audiences:
  395. description: |-
  396. Audience specifies the `aud` claim for the service account token
  397. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  398. then this audiences will be appended to the list
  399. items:
  400. type: string
  401. type: array
  402. name:
  403. description: The name of the ServiceAccount resource being
  404. referred to.
  405. maxLength: 253
  406. minLength: 1
  407. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  408. type: string
  409. namespace:
  410. description: |-
  411. Namespace of the resource being referred to.
  412. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  413. maxLength: 63
  414. minLength: 1
  415. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  416. type: string
  417. required:
  418. - name
  419. type: object
  420. serviceSlug:
  421. description: ServiceSlug is the service slug in Cloudsmith
  422. for OIDC authentication
  423. type: string
  424. required:
  425. - orgSlug
  426. - serviceAccountRef
  427. - serviceSlug
  428. type: object
  429. ecrAuthorizationTokenSpec:
  430. description: ECRAuthorizationTokenSpec defines the desired state
  431. to generate an AWS ECR authorization token.
  432. properties:
  433. auth:
  434. description: Auth defines how to authenticate with AWS
  435. properties:
  436. jwt:
  437. description: AWSJWTAuth provides configuration to authenticate
  438. against AWS using service account tokens.
  439. properties:
  440. serviceAccountRef:
  441. description: ServiceAccountSelector is a reference
  442. to a ServiceAccount resource.
  443. properties:
  444. audiences:
  445. description: |-
  446. Audience specifies the `aud` claim for the service account token
  447. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  448. then this audiences will be appended to the list
  449. items:
  450. type: string
  451. type: array
  452. name:
  453. description: The name of the ServiceAccount resource
  454. being referred to.
  455. maxLength: 253
  456. minLength: 1
  457. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  458. type: string
  459. namespace:
  460. description: |-
  461. Namespace of the resource being referred to.
  462. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  463. maxLength: 63
  464. minLength: 1
  465. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  466. type: string
  467. required:
  468. - name
  469. type: object
  470. type: object
  471. secretRef:
  472. description: |-
  473. AWSAuthSecretRef holds secret references for AWS credentials
  474. both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  475. properties:
  476. accessKeyIDSecretRef:
  477. description: The AccessKeyID is used for authentication
  478. properties:
  479. key:
  480. description: |-
  481. A key in the referenced Secret.
  482. Some instances of this field may be defaulted, in others it may be required.
  483. maxLength: 253
  484. minLength: 1
  485. pattern: ^[-._a-zA-Z0-9]+$
  486. type: string
  487. name:
  488. description: The name of the Secret resource being
  489. referred to.
  490. maxLength: 253
  491. minLength: 1
  492. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  493. type: string
  494. namespace:
  495. description: |-
  496. The namespace of the Secret resource being referred to.
  497. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  498. maxLength: 63
  499. minLength: 1
  500. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  501. type: string
  502. type: object
  503. secretAccessKeySecretRef:
  504. description: The SecretAccessKey is used for authentication
  505. properties:
  506. key:
  507. description: |-
  508. A key in the referenced Secret.
  509. Some instances of this field may be defaulted, in others it may be required.
  510. maxLength: 253
  511. minLength: 1
  512. pattern: ^[-._a-zA-Z0-9]+$
  513. type: string
  514. name:
  515. description: The name of the Secret resource being
  516. referred to.
  517. maxLength: 253
  518. minLength: 1
  519. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  520. type: string
  521. namespace:
  522. description: |-
  523. The namespace of the Secret resource being referred to.
  524. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  525. maxLength: 63
  526. minLength: 1
  527. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  528. type: string
  529. type: object
  530. sessionTokenSecretRef:
  531. description: |-
  532. The SessionToken used for authentication
  533. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  534. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  535. properties:
  536. key:
  537. description: |-
  538. A key in the referenced Secret.
  539. Some instances of this field may be defaulted, in others it may be required.
  540. maxLength: 253
  541. minLength: 1
  542. pattern: ^[-._a-zA-Z0-9]+$
  543. type: string
  544. name:
  545. description: The name of the Secret resource being
  546. referred to.
  547. maxLength: 253
  548. minLength: 1
  549. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  550. type: string
  551. namespace:
  552. description: |-
  553. The namespace of the Secret resource being referred to.
  554. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  555. maxLength: 63
  556. minLength: 1
  557. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  558. type: string
  559. type: object
  560. type: object
  561. type: object
  562. region:
  563. description: Region specifies the region to operate in.
  564. type: string
  565. role:
  566. description: |-
  567. You can assume a role before making calls to the
  568. desired AWS service.
  569. type: string
  570. scope:
  571. description: |-
  572. Scope specifies the ECR service scope.
  573. Valid options are private and public.
  574. type: string
  575. required:
  576. - region
  577. type: object
  578. fakeSpec:
  579. description: FakeSpec contains the static data.
  580. properties:
  581. controller:
  582. description: |-
  583. Used to select the correct ESO controller (think: ingress.ingressClassName)
  584. The ESO controller is instantiated with a specific controller name and filters VDS based on this property
  585. type: string
  586. data:
  587. additionalProperties:
  588. type: string
  589. description: |-
  590. Data defines the static data returned
  591. by this generator.
  592. type: object
  593. type: object
  594. gcrAccessTokenSpec:
  595. description: GCRAccessTokenSpec defines the desired state to generate
  596. a Google Container Registry access token.
  597. properties:
  598. auth:
  599. description: Auth defines the means for authenticating with
  600. GCP
  601. properties:
  602. secretRef:
  603. description: GCPSMAuthSecretRef defines the reference
  604. to a secret containing Google Cloud Platform credentials.
  605. properties:
  606. secretAccessKeySecretRef:
  607. description: The SecretAccessKey is used for authentication
  608. properties:
  609. key:
  610. description: |-
  611. A key in the referenced Secret.
  612. Some instances of this field may be defaulted, in others it may be required.
  613. maxLength: 253
  614. minLength: 1
  615. pattern: ^[-._a-zA-Z0-9]+$
  616. type: string
  617. name:
  618. description: The name of the Secret resource being
  619. referred to.
  620. maxLength: 253
  621. minLength: 1
  622. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  623. type: string
  624. namespace:
  625. description: |-
  626. The namespace of the Secret resource being referred to.
  627. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  628. maxLength: 63
  629. minLength: 1
  630. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  631. type: string
  632. type: object
  633. type: object
  634. workloadIdentity:
  635. description: GCPWorkloadIdentity defines the configuration
  636. for using GCP Workload Identity authentication.
  637. properties:
  638. clusterLocation:
  639. type: string
  640. clusterName:
  641. type: string
  642. clusterProjectID:
  643. type: string
  644. serviceAccountRef:
  645. description: ServiceAccountSelector is a reference
  646. to a ServiceAccount resource.
  647. properties:
  648. audiences:
  649. description: |-
  650. Audience specifies the `aud` claim for the service account token
  651. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  652. then this audiences will be appended to the list
  653. items:
  654. type: string
  655. type: array
  656. name:
  657. description: The name of the ServiceAccount resource
  658. being referred to.
  659. maxLength: 253
  660. minLength: 1
  661. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  662. type: string
  663. namespace:
  664. description: |-
  665. Namespace of the resource being referred to.
  666. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  667. maxLength: 63
  668. minLength: 1
  669. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  670. type: string
  671. required:
  672. - name
  673. type: object
  674. required:
  675. - clusterLocation
  676. - clusterName
  677. - serviceAccountRef
  678. type: object
  679. workloadIdentityFederation:
  680. description: GCPWorkloadIdentityFederation holds the configurations
  681. required for generating federated access tokens.
  682. properties:
  683. audience:
  684. description: |-
  685. audience is the Secure Token Service (STS) audience which contains the resource name for the workload identity pool and the provider identifier in that pool.
  686. If specified, Audience found in the external account credential config will be overridden with the configured value.
  687. audience must be provided when serviceAccountRef or awsSecurityCredentials is configured.
  688. type: string
  689. awsSecurityCredentials:
  690. description: |-
  691. awsSecurityCredentials is for configuring AWS region and credentials to use for obtaining the access token,
  692. when using the AWS metadata server is not an option.
  693. properties:
  694. awsCredentialsSecretRef:
  695. description: |-
  696. awsCredentialsSecretRef is the reference to the secret which holds the AWS credentials.
  697. Secret should be created with below names for keys
  698. - aws_access_key_id: Access Key ID, which is the unique identifier for the AWS account or the IAM user.
  699. - aws_secret_access_key: Secret Access Key, which is used to authenticate requests made to AWS services.
  700. - aws_session_token: Session Token, is the short-lived token to authenticate requests made to AWS services.
  701. properties:
  702. name:
  703. description: name of the secret.
  704. maxLength: 253
  705. minLength: 1
  706. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  707. type: string
  708. namespace:
  709. description: namespace in which the secret
  710. exists. If empty, secret will looked up
  711. in local namespace.
  712. maxLength: 63
  713. minLength: 1
  714. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  715. type: string
  716. required:
  717. - name
  718. type: object
  719. region:
  720. description: region is for configuring the AWS
  721. region to be used.
  722. example: ap-south-1
  723. maxLength: 50
  724. minLength: 1
  725. pattern: ^[a-z0-9-]+$
  726. type: string
  727. required:
  728. - awsCredentialsSecretRef
  729. - region
  730. type: object
  731. credConfig:
  732. description: |-
  733. credConfig holds the configmap reference containing the GCP external account credential configuration in JSON format and the key name containing the json data.
  734. For using Kubernetes cluster as the identity provider, use serviceAccountRef instead. Operators mounted serviceaccount token cannot be used as the token source, instead
  735. serviceAccountRef must be used by providing operators service account details.
  736. properties:
  737. key:
  738. description: key name holding the external account
  739. credential config.
  740. maxLength: 253
  741. minLength: 1
  742. pattern: ^[-._a-zA-Z0-9]+$
  743. type: string
  744. name:
  745. description: name of the configmap.
  746. maxLength: 253
  747. minLength: 1
  748. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  749. type: string
  750. namespace:
  751. description: namespace in which the configmap
  752. exists. If empty, configmap will looked up in
  753. local namespace.
  754. maxLength: 63
  755. minLength: 1
  756. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  757. type: string
  758. required:
  759. - key
  760. - name
  761. type: object
  762. externalTokenEndpoint:
  763. description: |-
  764. externalTokenEndpoint is the endpoint explicitly set up to provide tokens, which will be matched against the
  765. credential_source.url in the provided credConfig. This field is merely to double-check the external token source
  766. URL is having the expected value.
  767. type: string
  768. gcpServiceAccountEmail:
  769. description: |-
  770. GCPServiceAccountEmail is the email of the Google Cloud service account to impersonate
  771. after Workload Identity Federation. Use this to grant access through the service account's
  772. IAM bindings (for example roles/secretmanager.secretAccessor). When set, it overrides
  773. service_account_impersonation_url in the external account JSON from credConfig;
  774. when serviceAccountRef is set, it also overrides the "iam.gke.io/gcp-service-account" annotation
  775. on that ServiceAccount.
  776. example: my-gsa@my-project.iam.gserviceaccount.com
  777. minLength: 1
  778. pattern: ^.*@.*\.iam\.gserviceaccount\.com$
  779. type: string
  780. serviceAccountRef:
  781. description: |-
  782. serviceAccountRef is the reference to the kubernetes ServiceAccount to be used for obtaining the tokens,
  783. when Kubernetes is configured as provider in workload identity pool.
  784. properties:
  785. audiences:
  786. description: |-
  787. Audience specifies the `aud` claim for the service account token
  788. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  789. then this audiences will be appended to the list
  790. items:
  791. type: string
  792. type: array
  793. name:
  794. description: The name of the ServiceAccount resource
  795. being referred to.
  796. maxLength: 253
  797. minLength: 1
  798. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  799. type: string
  800. namespace:
  801. description: |-
  802. Namespace of the resource being referred to.
  803. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  804. maxLength: 63
  805. minLength: 1
  806. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  807. type: string
  808. required:
  809. - name
  810. type: object
  811. type: object
  812. type: object
  813. projectID:
  814. description: ProjectID defines which project to use to authenticate
  815. with
  816. type: string
  817. required:
  818. - auth
  819. - projectID
  820. type: object
  821. githubAccessTokenSpec:
  822. description: GithubAccessTokenSpec defines the desired state to
  823. generate a GitHub access token.
  824. properties:
  825. appID:
  826. type: string
  827. auth:
  828. description: Auth configures how ESO authenticates with a
  829. Github instance.
  830. properties:
  831. privateKey:
  832. description: GithubSecretRef references a secret containing
  833. GitHub credentials.
  834. properties:
  835. secretRef:
  836. description: |-
  837. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  838. In some instances, `key` is a required field.
  839. properties:
  840. key:
  841. description: |-
  842. A key in the referenced Secret.
  843. Some instances of this field may be defaulted, in others it may be required.
  844. maxLength: 253
  845. minLength: 1
  846. pattern: ^[-._a-zA-Z0-9]+$
  847. type: string
  848. name:
  849. description: The name of the Secret resource being
  850. referred to.
  851. maxLength: 253
  852. minLength: 1
  853. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  854. type: string
  855. namespace:
  856. description: |-
  857. The namespace of the Secret resource being referred to.
  858. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  859. maxLength: 63
  860. minLength: 1
  861. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  862. type: string
  863. type: object
  864. required:
  865. - secretRef
  866. type: object
  867. required:
  868. - privateKey
  869. type: object
  870. installID:
  871. type: string
  872. permissions:
  873. additionalProperties:
  874. type: string
  875. description: Map of permissions the token will have. If omitted,
  876. defaults to all permissions the GitHub App has.
  877. type: object
  878. repositories:
  879. description: |-
  880. List of repositories the token will have access to. If omitted, defaults to all repositories the GitHub App
  881. is installed to.
  882. items:
  883. type: string
  884. type: array
  885. url:
  886. description: URL configures the GitHub instance URL. Defaults
  887. to https://github.com/.
  888. type: string
  889. required:
  890. - appID
  891. - auth
  892. - installID
  893. type: object
  894. grafanaSpec:
  895. description: GrafanaSpec controls the behavior of the grafana
  896. generator.
  897. properties:
  898. auth:
  899. description: |-
  900. Auth is the authentication configuration to authenticate
  901. against the Grafana instance.
  902. properties:
  903. basic:
  904. description: |-
  905. Basic auth credentials used to authenticate against the Grafana instance.
  906. Note: you need a token which has elevated permissions to create service accounts.
  907. See here for the documentation on basic roles offered by Grafana:
  908. https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/
  909. properties:
  910. password:
  911. description: A basic auth password used to authenticate
  912. against the Grafana instance.
  913. properties:
  914. key:
  915. description: The key where the token is found.
  916. maxLength: 253
  917. minLength: 1
  918. pattern: ^[-._a-zA-Z0-9]+$
  919. type: string
  920. name:
  921. description: The name of the Secret resource being
  922. referred to.
  923. maxLength: 253
  924. minLength: 1
  925. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  926. type: string
  927. type: object
  928. username:
  929. description: A basic auth username used to authenticate
  930. against the Grafana instance.
  931. type: string
  932. required:
  933. - password
  934. - username
  935. type: object
  936. token:
  937. description: |-
  938. A service account token used to authenticate against the Grafana instance.
  939. Note: you need a token which has elevated permissions to create service accounts.
  940. See here for the documentation on basic roles offered by Grafana:
  941. https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/
  942. properties:
  943. key:
  944. description: The key where the token is found.
  945. maxLength: 253
  946. minLength: 1
  947. pattern: ^[-._a-zA-Z0-9]+$
  948. type: string
  949. name:
  950. description: The name of the Secret resource being
  951. referred to.
  952. maxLength: 253
  953. minLength: 1
  954. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  955. type: string
  956. type: object
  957. type: object
  958. serviceAccount:
  959. description: |-
  960. ServiceAccount is the configuration for the service account that
  961. is supposed to be generated by the generator.
  962. properties:
  963. name:
  964. description: Name is the name of the service account that
  965. will be created by ESO.
  966. type: string
  967. role:
  968. description: |-
  969. Role is the role of the service account.
  970. See here for the documentation on basic roles offered by Grafana:
  971. https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/
  972. type: string
  973. required:
  974. - name
  975. - role
  976. type: object
  977. url:
  978. description: URL is the URL of the Grafana instance.
  979. type: string
  980. required:
  981. - auth
  982. - serviceAccount
  983. - url
  984. type: object
  985. mfaSpec:
  986. description: MFASpec controls the behavior of the mfa generator.
  987. properties:
  988. algorithm:
  989. description: Algorithm to use for encoding. Defaults to SHA1
  990. as per the RFC.
  991. type: string
  992. length:
  993. description: Length defines the token length. Defaults to
  994. 6 characters.
  995. type: integer
  996. secret:
  997. description: Secret is a secret selector to a secret containing
  998. the seed secret to generate the TOTP value from.
  999. properties:
  1000. key:
  1001. description: |-
  1002. A key in the referenced Secret.
  1003. Some instances of this field may be defaulted, in others it may be required.
  1004. maxLength: 253
  1005. minLength: 1
  1006. pattern: ^[-._a-zA-Z0-9]+$
  1007. type: string
  1008. name:
  1009. description: The name of the Secret resource being referred
  1010. to.
  1011. maxLength: 253
  1012. minLength: 1
  1013. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1014. type: string
  1015. namespace:
  1016. description: |-
  1017. The namespace of the Secret resource being referred to.
  1018. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  1019. maxLength: 63
  1020. minLength: 1
  1021. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  1022. type: string
  1023. type: object
  1024. timePeriod:
  1025. description: TimePeriod defines how long the token can be
  1026. active. Defaults to 30 seconds.
  1027. type: integer
  1028. when:
  1029. description: When defines a time parameter that can be used
  1030. to pin the origin time of the generated token.
  1031. format: date-time
  1032. type: string
  1033. required:
  1034. - secret
  1035. type: object
  1036. passwordSpec:
  1037. description: PasswordSpec controls the behavior of the password
  1038. generator.
  1039. properties:
  1040. allowRepeat:
  1041. default: false
  1042. description: set AllowRepeat to true to allow repeating characters.
  1043. type: boolean
  1044. digits:
  1045. description: |-
  1046. Digits specifies the number of digits in the generated
  1047. password. If omitted it defaults to 25% of the length of the password
  1048. type: integer
  1049. encoding:
  1050. default: raw
  1051. description: |-
  1052. Encoding specifies the encoding of the generated password.
  1053. Valid values are:
  1054. - "raw" (default): no encoding
  1055. - "base64": standard base64 encoding
  1056. - "base64url": base64url encoding
  1057. - "base32": base32 encoding
  1058. - "hex": hexadecimal encoding
  1059. enum:
  1060. - base64
  1061. - base64url
  1062. - base32
  1063. - hex
  1064. - raw
  1065. type: string
  1066. length:
  1067. default: 24
  1068. description: |-
  1069. Length of the password to be generated.
  1070. Defaults to 24
  1071. type: integer
  1072. noUpper:
  1073. default: false
  1074. description: Set NoUpper to disable uppercase characters
  1075. type: boolean
  1076. secretKeys:
  1077. description: |-
  1078. SecretKeys defines the keys that will be populated with generated passwords.
  1079. Defaults to "password" when not set.
  1080. items:
  1081. type: string
  1082. minItems: 1
  1083. type: array
  1084. symbolCharacters:
  1085. description: |-
  1086. SymbolCharacters specifies the special characters that should be used
  1087. in the generated password.
  1088. type: string
  1089. symbols:
  1090. description: |-
  1091. Symbols specifies the number of symbol characters in the generated
  1092. password. If omitted it defaults to 25% of the length of the password
  1093. type: integer
  1094. required:
  1095. - allowRepeat
  1096. - length
  1097. - noUpper
  1098. type: object
  1099. quayAccessTokenSpec:
  1100. description: QuayAccessTokenSpec defines the desired state to
  1101. generate a Quay access token.
  1102. properties:
  1103. robotAccount:
  1104. description: Name of the robot account you are federating
  1105. with
  1106. type: string
  1107. serviceAccountRef:
  1108. description: Name of the service account you are federating
  1109. with
  1110. properties:
  1111. audiences:
  1112. description: |-
  1113. Audience specifies the `aud` claim for the service account token
  1114. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  1115. then this audiences will be appended to the list
  1116. items:
  1117. type: string
  1118. type: array
  1119. name:
  1120. description: The name of the ServiceAccount resource being
  1121. referred to.
  1122. maxLength: 253
  1123. minLength: 1
  1124. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1125. type: string
  1126. namespace:
  1127. description: |-
  1128. Namespace of the resource being referred to.
  1129. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  1130. maxLength: 63
  1131. minLength: 1
  1132. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  1133. type: string
  1134. required:
  1135. - name
  1136. type: object
  1137. url:
  1138. description: URL configures the Quay instance URL. Defaults
  1139. to quay.io.
  1140. type: string
  1141. required:
  1142. - robotAccount
  1143. - serviceAccountRef
  1144. type: object
  1145. sshKeySpec:
  1146. description: SSHKeySpec controls the behavior of the ssh key generator.
  1147. properties:
  1148. comment:
  1149. description: Comment specifies an optional comment for the
  1150. SSH key
  1151. type: string
  1152. keySize:
  1153. description: |-
  1154. KeySize specifies the key size for RSA keys (default: 2048) and ECDSA keys (default: 256).
  1155. For RSA keys: 2048, 3072, 4096
  1156. For ECDSA keys: 256, 384, 521
  1157. Ignored for ed25519 keys
  1158. maximum: 8192
  1159. minimum: 256
  1160. type: integer
  1161. keyType:
  1162. default: rsa
  1163. description: KeyType specifies the SSH key type (rsa, ecdsa,
  1164. ed25519)
  1165. enum:
  1166. - rsa
  1167. - ecdsa
  1168. - ed25519
  1169. type: string
  1170. type: object
  1171. stsSessionTokenSpec:
  1172. description: STSSessionTokenSpec defines the desired state to
  1173. generate an AWS STS session token.
  1174. properties:
  1175. auth:
  1176. description: Auth defines how to authenticate with AWS
  1177. properties:
  1178. jwt:
  1179. description: AWSJWTAuth provides configuration to authenticate
  1180. against AWS using service account tokens.
  1181. properties:
  1182. serviceAccountRef:
  1183. description: ServiceAccountSelector is a reference
  1184. to a ServiceAccount resource.
  1185. properties:
  1186. audiences:
  1187. description: |-
  1188. Audience specifies the `aud` claim for the service account token
  1189. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  1190. then this audiences will be appended to the list
  1191. items:
  1192. type: string
  1193. type: array
  1194. name:
  1195. description: The name of the ServiceAccount resource
  1196. being referred to.
  1197. maxLength: 253
  1198. minLength: 1
  1199. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1200. type: string
  1201. namespace:
  1202. description: |-
  1203. Namespace of the resource being referred to.
  1204. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  1205. maxLength: 63
  1206. minLength: 1
  1207. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  1208. type: string
  1209. required:
  1210. - name
  1211. type: object
  1212. type: object
  1213. secretRef:
  1214. description: |-
  1215. AWSAuthSecretRef holds secret references for AWS credentials
  1216. both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  1217. properties:
  1218. accessKeyIDSecretRef:
  1219. description: The AccessKeyID is used for authentication
  1220. properties:
  1221. key:
  1222. description: |-
  1223. A key in the referenced Secret.
  1224. Some instances of this field may be defaulted, in others it may be required.
  1225. maxLength: 253
  1226. minLength: 1
  1227. pattern: ^[-._a-zA-Z0-9]+$
  1228. type: string
  1229. name:
  1230. description: The name of the Secret resource being
  1231. referred to.
  1232. maxLength: 253
  1233. minLength: 1
  1234. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1235. type: string
  1236. namespace:
  1237. description: |-
  1238. The namespace of the Secret resource being referred to.
  1239. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  1240. maxLength: 63
  1241. minLength: 1
  1242. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  1243. type: string
  1244. type: object
  1245. secretAccessKeySecretRef:
  1246. description: The SecretAccessKey is used for authentication
  1247. properties:
  1248. key:
  1249. description: |-
  1250. A key in the referenced Secret.
  1251. Some instances of this field may be defaulted, in others it may be required.
  1252. maxLength: 253
  1253. minLength: 1
  1254. pattern: ^[-._a-zA-Z0-9]+$
  1255. type: string
  1256. name:
  1257. description: The name of the Secret resource being
  1258. referred to.
  1259. maxLength: 253
  1260. minLength: 1
  1261. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1262. type: string
  1263. namespace:
  1264. description: |-
  1265. The namespace of the Secret resource being referred to.
  1266. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  1267. maxLength: 63
  1268. minLength: 1
  1269. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  1270. type: string
  1271. type: object
  1272. sessionTokenSecretRef:
  1273. description: |-
  1274. The SessionToken used for authentication
  1275. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  1276. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  1277. properties:
  1278. key:
  1279. description: |-
  1280. A key in the referenced Secret.
  1281. Some instances of this field may be defaulted, in others it may be required.
  1282. maxLength: 253
  1283. minLength: 1
  1284. pattern: ^[-._a-zA-Z0-9]+$
  1285. type: string
  1286. name:
  1287. description: The name of the Secret resource being
  1288. referred to.
  1289. maxLength: 253
  1290. minLength: 1
  1291. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1292. type: string
  1293. namespace:
  1294. description: |-
  1295. The namespace of the Secret resource being referred to.
  1296. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  1297. maxLength: 63
  1298. minLength: 1
  1299. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  1300. type: string
  1301. type: object
  1302. type: object
  1303. type: object
  1304. region:
  1305. description: Region specifies the region to operate in.
  1306. type: string
  1307. requestParameters:
  1308. description: RequestParameters contains parameters that can
  1309. be passed to the STS service.
  1310. properties:
  1311. serialNumber:
  1312. description: |-
  1313. SerialNumber is the identification number of the MFA device that is associated with the IAM user who is making
  1314. the GetSessionToken call.
  1315. Possible values: hardware device (such as GAHT12345678) or an Amazon Resource Name (ARN) for a virtual device
  1316. (such as arn:aws:iam::123456789012:mfa/user)
  1317. type: string
  1318. sessionDuration:
  1319. format: int32
  1320. type: integer
  1321. tokenCode:
  1322. description: TokenCode is the value provided by the MFA
  1323. device, if MFA is required.
  1324. type: string
  1325. type: object
  1326. role:
  1327. description: |-
  1328. You can assume a role before making calls to the
  1329. desired AWS service.
  1330. type: string
  1331. required:
  1332. - region
  1333. type: object
  1334. uuidSpec:
  1335. description: UUIDSpec controls the behavior of the uuid generator.
  1336. type: object
  1337. vaultDynamicSecretSpec:
  1338. description: VaultDynamicSecretSpec defines the desired spec of
  1339. VaultDynamicSecret.
  1340. properties:
  1341. allowEmptyResponse:
  1342. default: false
  1343. description: Do not fail if no secrets are found. Useful for
  1344. requests where no data is expected.
  1345. type: boolean
  1346. controller:
  1347. description: |-
  1348. Used to select the correct ESO controller (think: ingress.ingressClassName)
  1349. The ESO controller is instantiated with a specific controller name and filters VDS based on this property
  1350. type: string
  1351. getParameters:
  1352. additionalProperties:
  1353. items:
  1354. type: string
  1355. type: array
  1356. description: |-
  1357. GetParameters are query-string parameters passed to Vault on GET calls.
  1358. Each key may map to multiple values, matching HTTP query-string semantics.
  1359. Ignored for non-GET methods; use Parameters for write bodies.
  1360. type: object
  1361. method:
  1362. description: Vault API method to use (GET/POST/other)
  1363. type: string
  1364. parameters:
  1365. description: Parameters to pass to Vault write (for non-GET
  1366. methods)
  1367. x-kubernetes-preserve-unknown-fields: true
  1368. path:
  1369. description: Vault path to obtain the dynamic secret from
  1370. type: string
  1371. provider:
  1372. description: Vault provider common spec
  1373. properties:
  1374. auth:
  1375. description: Auth configures how secret-manager authenticates
  1376. with the Vault server.
  1377. properties:
  1378. appRole:
  1379. description: |-
  1380. AppRole authenticates with Vault using the App Role auth mechanism,
  1381. with the role and secret stored in a Kubernetes Secret resource.
  1382. properties:
  1383. path:
  1384. default: approle
  1385. description: |-
  1386. Path where the App Role authentication backend is mounted
  1387. in Vault, e.g: "approle"
  1388. type: string
  1389. roleId:
  1390. description: |-
  1391. RoleID configured in the App Role authentication backend when setting
  1392. up the authentication backend in Vault.
  1393. type: string
  1394. roleRef:
  1395. description: |-
  1396. Reference to a key in a Secret that contains the App Role ID used
  1397. to authenticate with Vault.
  1398. The `key` field must be specified and denotes which entry within the Secret
  1399. resource is used as the app role id.
  1400. properties:
  1401. key:
  1402. description: |-
  1403. A key in the referenced Secret.
  1404. Some instances of this field may be defaulted, in others it may be required.
  1405. maxLength: 253
  1406. minLength: 1
  1407. pattern: ^[-._a-zA-Z0-9]+$
  1408. type: string
  1409. name:
  1410. description: The name of the Secret resource
  1411. being referred to.
  1412. maxLength: 253
  1413. minLength: 1
  1414. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1415. type: string
  1416. namespace:
  1417. description: |-
  1418. The namespace of the Secret resource being referred to.
  1419. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  1420. maxLength: 63
  1421. minLength: 1
  1422. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  1423. type: string
  1424. type: object
  1425. secretRef:
  1426. description: |-
  1427. Reference to a key in a Secret that contains the App Role secret used
  1428. to authenticate with Vault.
  1429. The `key` field must be specified and denotes which entry within the Secret
  1430. resource is used as the app role secret.
  1431. properties:
  1432. key:
  1433. description: |-
  1434. A key in the referenced Secret.
  1435. Some instances of this field may be defaulted, in others it may be required.
  1436. maxLength: 253
  1437. minLength: 1
  1438. pattern: ^[-._a-zA-Z0-9]+$
  1439. type: string
  1440. name:
  1441. description: The name of the Secret resource
  1442. being referred to.
  1443. maxLength: 253
  1444. minLength: 1
  1445. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1446. type: string
  1447. namespace:
  1448. description: |-
  1449. The namespace of the Secret resource being referred to.
  1450. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  1451. maxLength: 63
  1452. minLength: 1
  1453. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  1454. type: string
  1455. type: object
  1456. required:
  1457. - path
  1458. - secretRef
  1459. type: object
  1460. cert:
  1461. description: |-
  1462. Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
  1463. Cert authentication method
  1464. properties:
  1465. clientCert:
  1466. description: |-
  1467. ClientCert is a certificate to authenticate using the Cert Vault
  1468. authentication method
  1469. properties:
  1470. key:
  1471. description: |-
  1472. A key in the referenced Secret.
  1473. Some instances of this field may be defaulted, in others it may be required.
  1474. maxLength: 253
  1475. minLength: 1
  1476. pattern: ^[-._a-zA-Z0-9]+$
  1477. type: string
  1478. name:
  1479. description: The name of the Secret resource
  1480. being referred to.
  1481. maxLength: 253
  1482. minLength: 1
  1483. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1484. type: string
  1485. namespace:
  1486. description: |-
  1487. The namespace of the Secret resource being referred to.
  1488. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  1489. maxLength: 63
  1490. minLength: 1
  1491. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  1492. type: string
  1493. type: object
  1494. path:
  1495. default: cert
  1496. description: |-
  1497. Path where the Certificate authentication backend is mounted
  1498. in Vault, e.g: "cert"
  1499. type: string
  1500. secretRef:
  1501. description: |-
  1502. SecretRef to a key in a Secret resource containing client private key to
  1503. authenticate with Vault using the Cert authentication method
  1504. properties:
  1505. key:
  1506. description: |-
  1507. A key in the referenced Secret.
  1508. Some instances of this field may be defaulted, in others it may be required.
  1509. maxLength: 253
  1510. minLength: 1
  1511. pattern: ^[-._a-zA-Z0-9]+$
  1512. type: string
  1513. name:
  1514. description: The name of the Secret resource
  1515. being referred to.
  1516. maxLength: 253
  1517. minLength: 1
  1518. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1519. type: string
  1520. namespace:
  1521. description: |-
  1522. The namespace of the Secret resource being referred to.
  1523. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  1524. maxLength: 63
  1525. minLength: 1
  1526. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  1527. type: string
  1528. type: object
  1529. vaultRole:
  1530. description: VaultRole specifies the Vault role
  1531. to use for TLS certificate authentication.
  1532. type: string
  1533. type: object
  1534. gcp:
  1535. description: |-
  1536. Gcp authenticates with Vault using Google Cloud Platform authentication method
  1537. GCP authentication method
  1538. properties:
  1539. location:
  1540. description: Location optionally defines a location/region
  1541. for the secret
  1542. type: string
  1543. path:
  1544. default: gcp
  1545. description: 'Path where the GCP auth method is
  1546. enabled in Vault, e.g: "gcp"'
  1547. type: string
  1548. projectID:
  1549. description: Project ID of the Google Cloud Platform
  1550. project
  1551. type: string
  1552. role:
  1553. description: Vault Role. In Vault, a role describes
  1554. an identity with a set of permissions, groups,
  1555. or policies you want to attach to a user of
  1556. the secrets engine.
  1557. type: string
  1558. secretRef:
  1559. description: Specify credentials in a Secret object
  1560. properties:
  1561. secretAccessKeySecretRef:
  1562. description: The SecretAccessKey is used for
  1563. authentication
  1564. properties:
  1565. key:
  1566. description: |-
  1567. A key in the referenced Secret.
  1568. Some instances of this field may be defaulted, in others it may be required.
  1569. maxLength: 253
  1570. minLength: 1
  1571. pattern: ^[-._a-zA-Z0-9]+$
  1572. type: string
  1573. name:
  1574. description: The name of the Secret resource
  1575. being referred to.
  1576. maxLength: 253
  1577. minLength: 1
  1578. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1579. type: string
  1580. namespace:
  1581. description: |-
  1582. The namespace of the Secret resource being referred to.
  1583. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  1584. maxLength: 63
  1585. minLength: 1
  1586. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  1587. type: string
  1588. type: object
  1589. type: object
  1590. serviceAccountRef:
  1591. description: ServiceAccountRef to a service account
  1592. for impersonation
  1593. properties:
  1594. audiences:
  1595. description: |-
  1596. Audience specifies the `aud` claim for the service account token
  1597. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  1598. then this audiences will be appended to the list
  1599. items:
  1600. type: string
  1601. type: array
  1602. name:
  1603. description: The name of the ServiceAccount
  1604. resource being referred to.
  1605. maxLength: 253
  1606. minLength: 1
  1607. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1608. type: string
  1609. namespace:
  1610. description: |-
  1611. Namespace of the resource being referred to.
  1612. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  1613. maxLength: 63
  1614. minLength: 1
  1615. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  1616. type: string
  1617. required:
  1618. - name
  1619. type: object
  1620. workloadIdentity:
  1621. description: Specify a service account with Workload
  1622. Identity
  1623. properties:
  1624. clusterLocation:
  1625. description: |-
  1626. ClusterLocation is the location of the cluster
  1627. If not specified, it fetches information from the metadata server
  1628. type: string
  1629. clusterName:
  1630. description: |-
  1631. ClusterName is the name of the cluster
  1632. If not specified, it fetches information from the metadata server
  1633. type: string
  1634. clusterProjectID:
  1635. description: |-
  1636. ClusterProjectID is the project ID of the cluster
  1637. If not specified, it fetches information from the metadata server
  1638. type: string
  1639. serviceAccountRef:
  1640. description: ServiceAccountSelector is a reference
  1641. to a ServiceAccount resource.
  1642. properties:
  1643. audiences:
  1644. description: |-
  1645. Audience specifies the `aud` claim for the service account token
  1646. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  1647. then this audiences will be appended to the list
  1648. items:
  1649. type: string
  1650. type: array
  1651. name:
  1652. description: The name of the ServiceAccount
  1653. resource being referred to.
  1654. maxLength: 253
  1655. minLength: 1
  1656. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1657. type: string
  1658. namespace:
  1659. description: |-
  1660. Namespace of the resource being referred to.
  1661. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  1662. maxLength: 63
  1663. minLength: 1
  1664. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  1665. type: string
  1666. required:
  1667. - name
  1668. type: object
  1669. required:
  1670. - serviceAccountRef
  1671. type: object
  1672. required:
  1673. - role
  1674. type: object
  1675. iam:
  1676. description: |-
  1677. Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials
  1678. AWS IAM authentication method
  1679. properties:
  1680. externalID:
  1681. description: AWS External ID set on assumed IAM
  1682. roles
  1683. type: string
  1684. jwt:
  1685. description: Specify a service account with IRSA
  1686. enabled
  1687. properties:
  1688. serviceAccountRef:
  1689. description: ServiceAccountSelector is a reference
  1690. to a ServiceAccount resource.
  1691. properties:
  1692. audiences:
  1693. description: |-
  1694. Audience specifies the `aud` claim for the service account token
  1695. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  1696. then this audiences will be appended to the list
  1697. items:
  1698. type: string
  1699. type: array
  1700. name:
  1701. description: The name of the ServiceAccount
  1702. resource being referred to.
  1703. maxLength: 253
  1704. minLength: 1
  1705. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1706. type: string
  1707. namespace:
  1708. description: |-
  1709. Namespace of the resource being referred to.
  1710. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  1711. maxLength: 63
  1712. minLength: 1
  1713. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  1714. type: string
  1715. required:
  1716. - name
  1717. type: object
  1718. type: object
  1719. path:
  1720. description: 'Path where the AWS auth method is
  1721. enabled in Vault, e.g: "aws"'
  1722. type: string
  1723. region:
  1724. description: AWS region
  1725. type: string
  1726. role:
  1727. description: This is the AWS role to be assumed
  1728. before talking to vault
  1729. type: string
  1730. secretRef:
  1731. description: Specify credentials in a Secret object
  1732. properties:
  1733. accessKeyIDSecretRef:
  1734. description: The AccessKeyID is used for authentication
  1735. properties:
  1736. key:
  1737. description: |-
  1738. A key in the referenced Secret.
  1739. Some instances of this field may be defaulted, in others it may be required.
  1740. maxLength: 253
  1741. minLength: 1
  1742. pattern: ^[-._a-zA-Z0-9]+$
  1743. type: string
  1744. name:
  1745. description: The name of the Secret resource
  1746. being referred to.
  1747. maxLength: 253
  1748. minLength: 1
  1749. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1750. type: string
  1751. namespace:
  1752. description: |-
  1753. The namespace of the Secret resource being referred to.
  1754. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  1755. maxLength: 63
  1756. minLength: 1
  1757. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  1758. type: string
  1759. type: object
  1760. secretAccessKeySecretRef:
  1761. description: The SecretAccessKey is used for
  1762. authentication
  1763. properties:
  1764. key:
  1765. description: |-
  1766. A key in the referenced Secret.
  1767. Some instances of this field may be defaulted, in others it may be required.
  1768. maxLength: 253
  1769. minLength: 1
  1770. pattern: ^[-._a-zA-Z0-9]+$
  1771. type: string
  1772. name:
  1773. description: The name of the Secret resource
  1774. being referred to.
  1775. maxLength: 253
  1776. minLength: 1
  1777. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1778. type: string
  1779. namespace:
  1780. description: |-
  1781. The namespace of the Secret resource being referred to.
  1782. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  1783. maxLength: 63
  1784. minLength: 1
  1785. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  1786. type: string
  1787. type: object
  1788. sessionTokenSecretRef:
  1789. description: |-
  1790. The SessionToken used for authentication
  1791. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  1792. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  1793. properties:
  1794. key:
  1795. description: |-
  1796. A key in the referenced Secret.
  1797. Some instances of this field may be defaulted, in others it may be required.
  1798. maxLength: 253
  1799. minLength: 1
  1800. pattern: ^[-._a-zA-Z0-9]+$
  1801. type: string
  1802. name:
  1803. description: The name of the Secret resource
  1804. being referred to.
  1805. maxLength: 253
  1806. minLength: 1
  1807. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1808. type: string
  1809. namespace:
  1810. description: |-
  1811. The namespace of the Secret resource being referred to.
  1812. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  1813. maxLength: 63
  1814. minLength: 1
  1815. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  1816. type: string
  1817. type: object
  1818. type: object
  1819. vaultAwsIamServerID:
  1820. description: 'X-Vault-AWS-IAM-Server-ID is an
  1821. additional header used by Vault IAM auth method
  1822. to mitigate against different types of replay
  1823. attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
  1824. type: string
  1825. vaultRole:
  1826. description: Vault Role. In vault, a role describes
  1827. an identity with a set of permissions, groups,
  1828. or policies you want to attach a user of the
  1829. secrets engine
  1830. type: string
  1831. required:
  1832. - vaultRole
  1833. type: object
  1834. jwt:
  1835. description: |-
  1836. Jwt authenticates with Vault by passing role and JWT token using the
  1837. JWT/OIDC authentication method
  1838. properties:
  1839. kubernetesServiceAccountToken:
  1840. description: |-
  1841. Optional ServiceAccountToken specifies the Kubernetes service account for which to request
  1842. a token for with the `TokenRequest` API.
  1843. properties:
  1844. audiences:
  1845. description: |-
  1846. Optional audiences field that will be used to request a temporary Kubernetes service
  1847. account token for the service account referenced by `serviceAccountRef`.
  1848. Defaults to a single audience `vault` it not specified.
  1849. Deprecated: use serviceAccountRef.Audiences instead
  1850. items:
  1851. type: string
  1852. type: array
  1853. expirationSeconds:
  1854. description: |-
  1855. Optional expiration time in seconds that will be used to request a temporary
  1856. Kubernetes service account token for the service account referenced by
  1857. `serviceAccountRef`.
  1858. Deprecated: this will be removed in the future.
  1859. Defaults to 10 minutes.
  1860. format: int64
  1861. type: integer
  1862. serviceAccountRef:
  1863. description: Service account field containing
  1864. the name of a kubernetes ServiceAccount.
  1865. properties:
  1866. audiences:
  1867. description: |-
  1868. Audience specifies the `aud` claim for the service account token
  1869. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  1870. then this audiences will be appended to the list
  1871. items:
  1872. type: string
  1873. type: array
  1874. name:
  1875. description: The name of the ServiceAccount
  1876. resource being referred to.
  1877. maxLength: 253
  1878. minLength: 1
  1879. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1880. type: string
  1881. namespace:
  1882. description: |-
  1883. Namespace of the resource being referred to.
  1884. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  1885. maxLength: 63
  1886. minLength: 1
  1887. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  1888. type: string
  1889. required:
  1890. - name
  1891. type: object
  1892. required:
  1893. - serviceAccountRef
  1894. type: object
  1895. path:
  1896. default: jwt
  1897. description: |-
  1898. Path where the JWT authentication backend is mounted
  1899. in Vault, e.g: "jwt"
  1900. type: string
  1901. role:
  1902. description: |-
  1903. Role is a JWT role to authenticate using the JWT/OIDC Vault
  1904. authentication method
  1905. type: string
  1906. secretRef:
  1907. description: |-
  1908. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  1909. authenticate with Vault using the JWT/OIDC authentication method.
  1910. properties:
  1911. key:
  1912. description: |-
  1913. A key in the referenced Secret.
  1914. Some instances of this field may be defaulted, in others it may be required.
  1915. maxLength: 253
  1916. minLength: 1
  1917. pattern: ^[-._a-zA-Z0-9]+$
  1918. type: string
  1919. name:
  1920. description: The name of the Secret resource
  1921. being referred to.
  1922. maxLength: 253
  1923. minLength: 1
  1924. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1925. type: string
  1926. namespace:
  1927. description: |-
  1928. The namespace of the Secret resource being referred to.
  1929. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  1930. maxLength: 63
  1931. minLength: 1
  1932. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  1933. type: string
  1934. type: object
  1935. required:
  1936. - path
  1937. type: object
  1938. kubernetes:
  1939. description: |-
  1940. Kubernetes authenticates with Vault by passing the ServiceAccount
  1941. token stored in the named Secret resource to the Vault server.
  1942. properties:
  1943. mountPath:
  1944. default: kubernetes
  1945. description: |-
  1946. Path where the Kubernetes authentication backend is mounted in Vault, e.g:
  1947. "kubernetes"
  1948. type: string
  1949. role:
  1950. description: |-
  1951. A required field containing the Vault Role to assume. A Role binds a
  1952. Kubernetes ServiceAccount with a set of Vault policies.
  1953. type: string
  1954. secretRef:
  1955. description: |-
  1956. Optional secret field containing a Kubernetes ServiceAccount JWT used
  1957. for authenticating with Vault. If a name is specified without a key,
  1958. `token` is the default. If one is not specified, the one bound to
  1959. the controller will be used.
  1960. properties:
  1961. key:
  1962. description: |-
  1963. A key in the referenced Secret.
  1964. Some instances of this field may be defaulted, in others it may be required.
  1965. maxLength: 253
  1966. minLength: 1
  1967. pattern: ^[-._a-zA-Z0-9]+$
  1968. type: string
  1969. name:
  1970. description: The name of the Secret resource
  1971. being referred to.
  1972. maxLength: 253
  1973. minLength: 1
  1974. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1975. type: string
  1976. namespace:
  1977. description: |-
  1978. The namespace of the Secret resource being referred to.
  1979. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  1980. maxLength: 63
  1981. minLength: 1
  1982. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  1983. type: string
  1984. type: object
  1985. serviceAccountRef:
  1986. description: |-
  1987. Optional service account field containing the name of a kubernetes ServiceAccount.
  1988. If the service account is specified, the service account secret token JWT will be used
  1989. for authenticating with Vault. If the service account selector is not supplied,
  1990. the secretRef will be used instead.
  1991. properties:
  1992. audiences:
  1993. description: |-
  1994. Audience specifies the `aud` claim for the service account token
  1995. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  1996. then this audiences will be appended to the list
  1997. items:
  1998. type: string
  1999. type: array
  2000. name:
  2001. description: The name of the ServiceAccount
  2002. resource being referred to.
  2003. maxLength: 253
  2004. minLength: 1
  2005. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2006. type: string
  2007. namespace:
  2008. description: |-
  2009. Namespace of the resource being referred to.
  2010. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2011. maxLength: 63
  2012. minLength: 1
  2013. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2014. type: string
  2015. required:
  2016. - name
  2017. type: object
  2018. required:
  2019. - mountPath
  2020. - role
  2021. type: object
  2022. ldap:
  2023. description: |-
  2024. Ldap authenticates with Vault by passing username/password pair using
  2025. the LDAP authentication method
  2026. properties:
  2027. path:
  2028. default: ldap
  2029. description: |-
  2030. Path where the LDAP authentication backend is mounted
  2031. in Vault, e.g: "ldap"
  2032. type: string
  2033. secretRef:
  2034. description: |-
  2035. SecretRef to a key in a Secret resource containing password for the LDAP
  2036. user used to authenticate with Vault using the LDAP authentication
  2037. method
  2038. properties:
  2039. key:
  2040. description: |-
  2041. A key in the referenced Secret.
  2042. Some instances of this field may be defaulted, in others it may be required.
  2043. maxLength: 253
  2044. minLength: 1
  2045. pattern: ^[-._a-zA-Z0-9]+$
  2046. type: string
  2047. name:
  2048. description: The name of the Secret resource
  2049. being referred to.
  2050. maxLength: 253
  2051. minLength: 1
  2052. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2053. type: string
  2054. namespace:
  2055. description: |-
  2056. The namespace of the Secret resource being referred to.
  2057. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2058. maxLength: 63
  2059. minLength: 1
  2060. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2061. type: string
  2062. type: object
  2063. username:
  2064. description: |-
  2065. Username is an LDAP username used to authenticate using the LDAP Vault
  2066. authentication method
  2067. type: string
  2068. required:
  2069. - path
  2070. - username
  2071. type: object
  2072. namespace:
  2073. description: |-
  2074. Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in.
  2075. Namespaces is a set of features within Vault Enterprise that allows
  2076. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  2077. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  2078. This will default to Vault.Namespace field if set, or empty otherwise
  2079. type: string
  2080. tokenSecretRef:
  2081. description: TokenSecretRef authenticates with Vault
  2082. by presenting a token.
  2083. properties:
  2084. key:
  2085. description: |-
  2086. A key in the referenced Secret.
  2087. Some instances of this field may be defaulted, in others it may be required.
  2088. maxLength: 253
  2089. minLength: 1
  2090. pattern: ^[-._a-zA-Z0-9]+$
  2091. type: string
  2092. name:
  2093. description: The name of the Secret resource being
  2094. referred to.
  2095. maxLength: 253
  2096. minLength: 1
  2097. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2098. type: string
  2099. namespace:
  2100. description: |-
  2101. The namespace of the Secret resource being referred to.
  2102. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2103. maxLength: 63
  2104. minLength: 1
  2105. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2106. type: string
  2107. type: object
  2108. userPass:
  2109. description: UserPass authenticates with Vault by
  2110. passing username/password pair
  2111. properties:
  2112. path:
  2113. default: userpass
  2114. description: |-
  2115. Path where the UserPassword authentication backend is mounted
  2116. in Vault, e.g: "userpass"
  2117. type: string
  2118. secretRef:
  2119. description: |-
  2120. SecretRef to a key in a Secret resource containing password for the
  2121. user used to authenticate with Vault using the UserPass authentication
  2122. method
  2123. properties:
  2124. key:
  2125. description: |-
  2126. A key in the referenced Secret.
  2127. Some instances of this field may be defaulted, in others it may be required.
  2128. maxLength: 253
  2129. minLength: 1
  2130. pattern: ^[-._a-zA-Z0-9]+$
  2131. type: string
  2132. name:
  2133. description: The name of the Secret resource
  2134. being referred to.
  2135. maxLength: 253
  2136. minLength: 1
  2137. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2138. type: string
  2139. namespace:
  2140. description: |-
  2141. The namespace of the Secret resource being referred to.
  2142. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2143. maxLength: 63
  2144. minLength: 1
  2145. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2146. type: string
  2147. type: object
  2148. username:
  2149. description: |-
  2150. Username is a username used to authenticate using the UserPass Vault
  2151. authentication method
  2152. type: string
  2153. required:
  2154. - path
  2155. - username
  2156. type: object
  2157. type: object
  2158. caBundle:
  2159. description: |-
  2160. PEM encoded CA bundle used to validate Vault server certificate. Only used
  2161. if the Server URL is using HTTPS protocol. This parameter is ignored for
  2162. plain HTTP protocol connection. If not set the system root certificates
  2163. are used to validate the TLS connection.
  2164. format: byte
  2165. type: string
  2166. caProvider:
  2167. description: The provider for the CA bundle to use to
  2168. validate Vault server certificate.
  2169. properties:
  2170. key:
  2171. description: The key where the CA certificate can
  2172. be found in the Secret or ConfigMap.
  2173. maxLength: 253
  2174. minLength: 1
  2175. pattern: ^[-._a-zA-Z0-9]+$
  2176. type: string
  2177. name:
  2178. description: The name of the object located at the
  2179. provider type.
  2180. maxLength: 253
  2181. minLength: 1
  2182. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2183. type: string
  2184. namespace:
  2185. description: |-
  2186. The namespace the Provider type is in.
  2187. Can only be defined when used in a ClusterSecretStore.
  2188. maxLength: 63
  2189. minLength: 1
  2190. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2191. type: string
  2192. type:
  2193. description: The type of provider to use such as "Secret",
  2194. or "ConfigMap".
  2195. enum:
  2196. - Secret
  2197. - ConfigMap
  2198. type: string
  2199. required:
  2200. - name
  2201. - type
  2202. type: object
  2203. checkAndSet:
  2204. description: |-
  2205. CheckAndSet defines the Check-And-Set (CAS) settings for PushSecret operations.
  2206. Only applies to Vault KV v2 stores. When enabled, write operations must include
  2207. the current version of the secret to prevent unintentional overwrites.
  2208. properties:
  2209. required:
  2210. description: |-
  2211. Required when true, all write operations must include a check-and-set parameter.
  2212. This helps prevent unintentional overwrites of secrets.
  2213. type: boolean
  2214. type: object
  2215. forwardInconsistent:
  2216. description: |-
  2217. ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
  2218. leader instead of simply retrying within a loop. This can increase performance if
  2219. the option is enabled serverside.
  2220. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  2221. type: boolean
  2222. headers:
  2223. additionalProperties:
  2224. type: string
  2225. description: Headers to be added in Vault request
  2226. type: object
  2227. namespace:
  2228. description: |-
  2229. Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
  2230. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  2231. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  2232. type: string
  2233. path:
  2234. description: |-
  2235. Path is the mount path of the Vault KV backend endpoint, e.g:
  2236. "secret". The v2 KV secret engine version specific "/data" path suffix
  2237. for fetching secrets from Vault is optional and will be appended
  2238. if not present in specified path.
  2239. type: string
  2240. readYourWrites:
  2241. description: |-
  2242. ReadYourWrites ensures isolated read-after-write semantics by
  2243. providing discovered cluster replication states in each request.
  2244. More information about eventual consistency in Vault can be found here
  2245. https://www.vaultproject.io/docs/enterprise/consistency
  2246. type: boolean
  2247. server:
  2248. description: 'Server is the connection address for the
  2249. Vault server, e.g: "https://vault.example.com:8200".'
  2250. type: string
  2251. tls:
  2252. description: |-
  2253. The configuration used for client side related TLS communication, when the Vault server
  2254. requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
  2255. This parameter is ignored for plain HTTP protocol connection.
  2256. It's worth noting this configuration is different from the "TLS certificates auth method",
  2257. which is available under the `auth.cert` section.
  2258. properties:
  2259. certSecretRef:
  2260. description: |-
  2261. CertSecretRef is a certificate added to the transport layer
  2262. when communicating with the Vault server.
  2263. If no key for the Secret is specified, external-secret will default to 'tls.crt'.
  2264. properties:
  2265. key:
  2266. description: |-
  2267. A key in the referenced Secret.
  2268. Some instances of this field may be defaulted, in others it may be required.
  2269. maxLength: 253
  2270. minLength: 1
  2271. pattern: ^[-._a-zA-Z0-9]+$
  2272. type: string
  2273. name:
  2274. description: The name of the Secret resource being
  2275. referred to.
  2276. maxLength: 253
  2277. minLength: 1
  2278. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2279. type: string
  2280. namespace:
  2281. description: |-
  2282. The namespace of the Secret resource being referred to.
  2283. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2284. maxLength: 63
  2285. minLength: 1
  2286. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2287. type: string
  2288. type: object
  2289. keySecretRef:
  2290. description: |-
  2291. KeySecretRef to a key in a Secret resource containing client private key
  2292. added to the transport layer when communicating with the Vault server.
  2293. If no key for the Secret is specified, external-secret will default to 'tls.key'.
  2294. properties:
  2295. key:
  2296. description: |-
  2297. A key in the referenced Secret.
  2298. Some instances of this field may be defaulted, in others it may be required.
  2299. maxLength: 253
  2300. minLength: 1
  2301. pattern: ^[-._a-zA-Z0-9]+$
  2302. type: string
  2303. name:
  2304. description: The name of the Secret resource being
  2305. referred to.
  2306. maxLength: 253
  2307. minLength: 1
  2308. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2309. type: string
  2310. namespace:
  2311. description: |-
  2312. The namespace of the Secret resource being referred to.
  2313. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2314. maxLength: 63
  2315. minLength: 1
  2316. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2317. type: string
  2318. type: object
  2319. type: object
  2320. version:
  2321. default: v2
  2322. description: |-
  2323. Version is the Vault KV secret engine version. This can be either "v1" or
  2324. "v2". Version defaults to "v2".
  2325. enum:
  2326. - v1
  2327. - v2
  2328. type: string
  2329. required:
  2330. - server
  2331. type: object
  2332. resultType:
  2333. default: Data
  2334. description: |-
  2335. Result type defines which data is returned from the generator.
  2336. By default, it is the "data" section of the Vault API response.
  2337. When using e.g. /auth/token/create the "data" section is empty but
  2338. the "auth" section contains the generated token.
  2339. Please refer to the vault docs regarding the result data structure.
  2340. Additionally, accessing the raw response is possibly by using "Raw" result type.
  2341. enum:
  2342. - Data
  2343. - Auth
  2344. - Raw
  2345. type: string
  2346. retrySettings:
  2347. description: Used to configure http retries if failed
  2348. properties:
  2349. maxRetries:
  2350. format: int32
  2351. type: integer
  2352. retryInterval:
  2353. type: string
  2354. type: object
  2355. required:
  2356. - path
  2357. - provider
  2358. type: object
  2359. webhookSpec:
  2360. description: WebhookSpec controls the behavior of the external
  2361. generator. Any body parameters should be passed to the server
  2362. through the parameters field.
  2363. properties:
  2364. auth:
  2365. description: Auth specifies a authorization protocol. Only
  2366. one protocol may be set.
  2367. maxProperties: 1
  2368. minProperties: 1
  2369. properties:
  2370. ntlm:
  2371. description: NTLMProtocol configures the store to use
  2372. NTLM for auth
  2373. properties:
  2374. passwordSecret:
  2375. description: |-
  2376. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  2377. In some instances, `key` is a required field.
  2378. properties:
  2379. key:
  2380. description: |-
  2381. A key in the referenced Secret.
  2382. Some instances of this field may be defaulted, in others it may be required.
  2383. maxLength: 253
  2384. minLength: 1
  2385. pattern: ^[-._a-zA-Z0-9]+$
  2386. type: string
  2387. name:
  2388. description: The name of the Secret resource being
  2389. referred to.
  2390. maxLength: 253
  2391. minLength: 1
  2392. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2393. type: string
  2394. namespace:
  2395. description: |-
  2396. The namespace of the Secret resource being referred to.
  2397. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2398. maxLength: 63
  2399. minLength: 1
  2400. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2401. type: string
  2402. type: object
  2403. usernameSecret:
  2404. description: |-
  2405. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  2406. In some instances, `key` is a required field.
  2407. properties:
  2408. key:
  2409. description: |-
  2410. A key in the referenced Secret.
  2411. Some instances of this field may be defaulted, in others it may be required.
  2412. maxLength: 253
  2413. minLength: 1
  2414. pattern: ^[-._a-zA-Z0-9]+$
  2415. type: string
  2416. name:
  2417. description: The name of the Secret resource being
  2418. referred to.
  2419. maxLength: 253
  2420. minLength: 1
  2421. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2422. type: string
  2423. namespace:
  2424. description: |-
  2425. The namespace of the Secret resource being referred to.
  2426. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2427. maxLength: 63
  2428. minLength: 1
  2429. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2430. type: string
  2431. type: object
  2432. required:
  2433. - passwordSecret
  2434. - usernameSecret
  2435. type: object
  2436. type: object
  2437. body:
  2438. description: Body
  2439. type: string
  2440. caBundle:
  2441. description: |-
  2442. PEM encoded CA bundle used to validate webhook server certificate. Only used
  2443. if the Server URL is using HTTPS protocol. This parameter is ignored for
  2444. plain HTTP protocol connection. If not set the system root certificates
  2445. are used to validate the TLS connection.
  2446. format: byte
  2447. type: string
  2448. caProvider:
  2449. description: The provider for the CA bundle to use to validate
  2450. webhook server certificate.
  2451. properties:
  2452. key:
  2453. description: The key where the CA certificate can be found
  2454. in the Secret or ConfigMap.
  2455. maxLength: 253
  2456. minLength: 1
  2457. pattern: ^[-._a-zA-Z0-9]+$
  2458. type: string
  2459. name:
  2460. description: The name of the object located at the provider
  2461. type.
  2462. maxLength: 253
  2463. minLength: 1
  2464. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2465. type: string
  2466. namespace:
  2467. description: The namespace the Provider type is in.
  2468. maxLength: 63
  2469. minLength: 1
  2470. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2471. type: string
  2472. type:
  2473. description: The type of provider to use such as "Secret",
  2474. or "ConfigMap".
  2475. enum:
  2476. - Secret
  2477. - ConfigMap
  2478. type: string
  2479. required:
  2480. - name
  2481. - type
  2482. type: object
  2483. headers:
  2484. additionalProperties:
  2485. type: string
  2486. description: Headers
  2487. type: object
  2488. method:
  2489. description: Webhook Method
  2490. type: string
  2491. result:
  2492. description: Result formatting
  2493. properties:
  2494. jsonPath:
  2495. description: Json path of return value
  2496. type: string
  2497. type: object
  2498. secrets:
  2499. description: |-
  2500. Secrets to fill in templates
  2501. These secrets will be passed to the templating function as key value pairs under the given name
  2502. items:
  2503. description: WebhookSecret defines a secret reference that
  2504. will be used in webhook templates.
  2505. properties:
  2506. name:
  2507. description: Name of this secret in templates
  2508. type: string
  2509. secretRef:
  2510. description: Secret ref to fill in credentials
  2511. properties:
  2512. key:
  2513. description: The key where the token is found.
  2514. maxLength: 253
  2515. minLength: 1
  2516. pattern: ^[-._a-zA-Z0-9]+$
  2517. type: string
  2518. name:
  2519. description: The name of the Secret resource being
  2520. referred to.
  2521. maxLength: 253
  2522. minLength: 1
  2523. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2524. type: string
  2525. type: object
  2526. required:
  2527. - name
  2528. - secretRef
  2529. type: object
  2530. type: array
  2531. timeout:
  2532. description: Timeout
  2533. type: string
  2534. url:
  2535. description: Webhook url to call
  2536. type: string
  2537. required:
  2538. - result
  2539. - url
  2540. type: object
  2541. type: object
  2542. kind:
  2543. description: Kind the kind of this generator.
  2544. enum:
  2545. - ACRAccessToken
  2546. - BeyondtrustWorkloadCredentialsDynamicSecret
  2547. - CloudsmithAccessToken
  2548. - ECRAuthorizationToken
  2549. - Fake
  2550. - GCRAccessToken
  2551. - GithubAccessToken
  2552. - QuayAccessToken
  2553. - Password
  2554. - SSHKey
  2555. - STSSessionToken
  2556. - UUID
  2557. - VaultDynamicSecret
  2558. - Webhook
  2559. - Grafana
  2560. - MFA
  2561. type: string
  2562. required:
  2563. - generator
  2564. - kind
  2565. type: object
  2566. type: object
  2567. served: true
  2568. storage: true
  2569. subresources:
  2570. status: {}