helm-external-secrets/config/crds/bases/generators.external-secrets.io_beyondtrustworkloadcredentialsdynamicsecrets.yaml

apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.19.0
  labels:
    external-secrets.io/component: controller
  name: beyondtrustworkloadcredentialsdynamicsecrets.generators.external-secrets.io
spec:
  group: generators.external-secrets.io
  names:
    categories:
    - external-secrets
    - external-secrets-generators
    kind: BeyondtrustWorkloadCredentialsDynamicSecret
    listKind: BeyondtrustWorkloadCredentialsDynamicSecretList
    plural: beyondtrustworkloadcredentialsdynamicsecrets
    singular: beyondtrustworkloadcredentialsdynamicsecret
  scope: Namespaced
  versions:
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        description: |-
          BeyondtrustWorkloadCredentialsDynamicSecret represents a generator that requests dynamic credentials from BeyondTrust Workload Credentials.
          This generator calls the BeyondTrust Workload Credentials API to generate fresh, temporary credentials
          (such as AWS STS credentials) each time an ExternalSecret is refreshed.
          Dynamic secret definitions must be created in BeyondTrust Workload Credentials before they can be referenced.
          For complete documentation, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
          spec:
            description: |-
              BeyondtrustWorkloadCredentialsDynamicSecretSpec defines the desired spec for BeyondtrustWorkloadCredentials dynamic generator.
              This generator enables obtaining temporary, short-lived credentials from BeyondTrust Workload Credentials.
              For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
            properties:
              controller:
                description: |-
                  Controller selects the controller that should handle this generator.
                  Leave empty to use the default controller.
                type: string
              provider:
                description: |-
                  Provider contains the BeyondtrustWorkloadCredentials provider configuration including authentication,
                  server connection details, and the folder path to the dynamic secret definition.
                  The folderPath should point to a dynamic secret definition that has been created in
                  BeyondTrust Workload Credentials (e.g., "production/aws-temp").
                  For setup details, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
                properties:
                  auth:
                    description: |-
                      Auth configures how the Operator authenticates with the BeyondTrust Workload Credentials API.
                      Currently supports API key authentication via Kubernetes secret reference.
                      For authentication setup, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#authentication
                    properties:
                      apikey:
                        description: |-
                          APIKey configures API token authentication for BeyondTrust Workload Credentials.
                          The token is retrieved from a Kubernetes secret and used as a Bearer token for API requests.
                        properties:
                          token:
                            description: |-
                              Token references the Kubernetes secret containing the BeyondTrust Workload Credentials API token.
                              The secret should contain the API key used to authenticate with BeyondTrust Workload Credentials.
                              Create an API token in your BeyondTrust Workload Credentials console and store it in a Kubernetes secret.
                              For details on creating API tokens, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#authentication
                            properties:
                              key:
                                description: |-
                                  A key in the referenced Secret.
                                  Some instances of this field may be defaulted, in others it may be required.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[-._a-zA-Z0-9]+$
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                type: string
                              namespace:
                                description: |-
                                  The namespace of the Secret resource being referred to.
                                  Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                maxLength: 63
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                type: string
                            type: object
                        required:
                        - token
                        type: object
                    required:
                    - apikey
                    type: object
                  caBundle:
                    description: |-
                      CABundle is a base64-encoded CA certificate used to validate the BeyondTrust Workload Credentials API TLS certificate.
                      Use this when your BeyondTrust instance uses a self-signed certificate or internal CA.
                      If not set, the system's trusted root certificates are used.
                    format: byte
                    type: string
                  caProvider:
                    description: |-
                      CAProvider points to a Secret or ConfigMap containing a PEM-encoded CA certificate.
                      This is used to validate the BeyondTrust Workload Credentials API TLS certificate.
                      Use this as an alternative to CABundle when you want to reference an existing Kubernetes resource.
                    properties:
                      key:
                        description: The key where the CA certificate can be found
                          in the Secret or ConfigMap.
                        maxLength: 253
                        minLength: 1
                        pattern: ^[-._a-zA-Z0-9]+$
                        type: string
                      name:
                        description: The name of the object located at the provider
                          type.
                        maxLength: 253
                        minLength: 1
                        pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                        type: string
                      namespace:
                        description: |-
                          The namespace the Provider type is in.
                          Can only be defined when used in a ClusterSecretStore.
                        maxLength: 63
                        minLength: 1
                        pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                        type: string
                      type:
                        description: The type of provider to use such as "Secret",
                          or "ConfigMap".
                        enum:
                        - Secret
                        - ConfigMap
                        type: string
                    required:
                    - name
                    - type
                    type: object
                  folderPath:
                    description: |-
                      FolderPath specifies the default folder path for secret retrieval.
                      Secrets will be fetched from this folder unless overridden in the ExternalSecret spec.
                      Example: "production/database" or "dev/api-keys"
                      Leave empty to retrieve secrets from the root folder.
                      For folder organization, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#folders
                    type: string
                  server:
                    description: |-
                      Server configures the BeyondTrust Workload Credentials server connection details.
                      Includes the API URL and Site ID for your BeyondTrust instance.
                      For API reference, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
                    properties:
                      apiUrl:
                        description: |-
                          APIURL is the base URL of your BeyondTrust Workload Credentials API server.
                          This should be the full URL to your BeyondTrust instance.
                          Example: https://api.beyondtrust.io/siie
                          For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#base-url
                        type: string
                      siteId:
                        description: |-
                          SiteID is your BeyondTrust Workload Credentials site identifier (UUID format).
                          This identifier is unique to your BeyondTrust Workload Credentials instance.
                          You can find your Site ID in the BeyondTrust Workload Credentials admin console.
                          Example: a1b2c3d4-e5f6-4890-abcd-ef1234567890
                          For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
                        type: string
                    required:
                    - apiUrl
                    - siteId
                    type: object
                required:
                - auth
                - server
                type: object
              retrySettings:
                description: |-
                  RetrySettings configures exponential backoff for failed API requests.
                  If not specified, uses the default retry settings.
                properties:
                  maxRetries:
                    format: int32
                    type: integer
                  retryInterval:
                    type: string
                type: object
            required:
            - provider
            type: object
        type: object
    served: true
    storage: true
    subresources:
      status: {}