bundle.yaml 1.8 MB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270
37047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127
71278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302130313041305130613071308130913101311131213131314131513161317131813191320132113221323132413251326132713281329133013311332133313341335133613371338133913401341134213431344134513461347134813491350135113521353135413551356135713581359136013611362136313641365136613671368136913701371137213731374137513761377137813791380138113821383138413851386138713881389139013911392139313941395139613971398139914001401140214031404140514061407140814091410141114121413141414151416141714181419142014211422142314241425142614271428142914301431143214331434143514361437143814391440144114421443144414451446144714481449145014511452145314541455145614571458145914601461146214631464146514661467146814691470147114721473147414751476147714781479148014811482148314841485148614871488148914901491149214931494149514961497149814991500150115021503150415051506150715081509151015111512151315141515151615171518151915201521152215231524152515261527152815291530153115321533153415351536153715381539154015411542154315441545154615471548154915501551155215531554155515561557155815591560156115621563156415651566156715681569157015711572157315741575157615771578157915801581158215831584158515861587158815891590159115921593159415951596159715981599160016011602160316041605160616071608160916101611161216131614161516161617161816191620162116221623162416251626162716281629163016311632163316341635163616371638163916401641164216431644164516461647164816491650165116521653165416551656165716581659166016611662166316641665166616671668166916701671167216731674167516761677167816791680168116821683168416851686168716881689169016911692169316941695169616971698169917001701170217031704170517061707170817091710171117121713171417151716171717181719172017211722172317241725172617271728172917301731173217331734173517361737173817391740174117421743174417451746174717481749175017511752175317541755175617571758175917601761176217631764176517661767176817691770177117721773177417751776177
71778177917801781178217831784178517861787178817891790179117921793179417951796179717981799180018011802180318041805180618071808180918101811181218131814181518161817181818191820182118221823182418251826182718281829183018311832183318341835183618371838183918401841184218431844184518461847184818491850185118521853185418551856185718581859186018611862186318641865186618671868186918701871187218731874187518761877187818791880188118821883188418851886188718881889189018911892189318941895189618971898189919001901190219031904190519061907190819091910191119121913191419151916191719181919192019211922192319241925192619271928192919301931193219331934193519361937193819391940194119421943194419451946194719481949195019511952195319541955195619571958195919601961196219631964196519661967196819691970197119721973197419751976197719781979198019811982198319841985198619871988198919901991199219931994199519961997199819992000200120022003200420052006200720082009201020112012201320142015201620172018201920202021202220232024202520262027202820292030203120322033203420352036203720382039204020412042204320442045204620472048204920502051205220532054205520562057205820592060206120622063206420652066206720682069207020712072207320742075207620772078207920802081208220832084208520862087208820892090209120922093209420952096209720982099210021012102210321042105210621072108210921102111211221132114211521162117211821192120212121222123212421252126212721282129213021312132213321342135213621372138213921402141214221432144214521462147214821492150215121522153215421552156215721582159216021612162216321642165216621672168216921702171217221732174217521762177217821792180218121822183218421852186218721882189219021912192219321942195219621972198219922002201220222032204220522062207220822092210221122122213221422152216221722182219222022212222222322242225222622272228222922302231223222332234223522362237223822392240224122422243224422452246224722482249225022512252225322542255225622572258225922602261226222632264226522662267226822692270227122722273227422752276227
72278227922802281228222832284228522862287228822892290229122922293229422952296229722982299230023012302230323042305230623072308230923102311231223132314231523162317231823192320232123222323232423252326232723282329233023312332233323342335233623372338233923402341234223432344234523462347234823492350235123522353235423552356235723582359236023612362236323642365236623672368236923702371237223732374237523762377237823792380238123822383238423852386238723882389239023912392239323942395239623972398239924002401240224032404240524062407240824092410241124122413241424152416241724182419242024212422242324242425242624272428242924302431243224332434243524362437243824392440244124422443244424452446244724482449245024512452245324542455245624572458245924602461246224632464246524662467246824692470247124722473247424752476247724782479248024812482248324842485248624872488248924902491249224932494249524962497249824992500250125022503250425052506250725082509251025112512251325142515251625172518251925202521252225232524252525262527252825292530253125322533253425352536253725382539254025412542254325442545254625472548254925502551255225532554255525562557255825592560256125622563256425652566256725682569257025712572257325742575257625772578257925802581258225832584258525862587258825892590259125922593259425952596259725982599260026012602260326042605260626072608260926102611261226132614261526162617261826192620262126222623262426252626262726282629263026312632263326342635263626372638263926402641264226432644264526462647264826492650265126522653265426552656265726582659266026612662266326642665266626672668266926702671267226732674267526762677267826792680268126822683268426852686268726882689269026912692269326942695269626972698269927002701270227032704270527062707270827092710271127122713271427152716271727182719272027212722272327242725272627272728272927302731273227332734273527362737273827392740274127422743274427452746274727482749275027512752275327542755275627572758275927602761276227632764276527662767276827692770277127722773277427752776277
72778277927802781278227832784278527862787278827892790279127922793279427952796279727982799280028012802280328042805280628072808280928102811281228132814281528162817281828192820282128222823282428252826282728282829283028312832283328342835283628372838283928402841284228432844284528462847284828492850285128522853285428552856285728582859286028612862286328642865286628672868286928702871287228732874287528762877287828792880288128822883288428852886288728882889289028912892289328942895289628972898289929002901290229032904290529062907290829092910291129122913291429152916291729182919292029212922292329242925292629272928292929302931293229332934293529362937293829392940294129422943294429452946294729482949295029512952295329542955295629572958295929602961296229632964296529662967296829692970297129722973297429752976297729782979298029812982298329842985298629872988298929902991299229932994299529962997299829993000300130023003300430053006300730083009301030113012301330143015301630173018301930203021302230233024302530263027302830293030303130323033303430353036303730383039304030413042304330443045304630473048304930503051305230533054305530563057305830593060306130623063306430653066306730683069307030713072307330743075307630773078307930803081308230833084308530863087308830893090309130923093309430953096309730983099310031013102310331043105310631073108310931103111311231133114311531163117311831193120312131223123312431253126312731283129313031313132313331343135313631373138313931403141314231433144314531463147314831493150315131523153315431553156315731583159316031613162316331643165316631673168316931703171317231733174317531763177317831793180318131823183318431853186318731883189319031913192319331943195319631973198319932003201320232033204320532063207320832093210321132123213321432153216321732183219322032213222322332243225322632273228322932303231323232333234323532363237323832393240324132423243324432453246324732483249325032513252325332543255325632573258325932603261326232633264326532663267326832693270327132723273327432753276327
73278327932803281328232833284328532863287328832893290329132923293329432953296329732983299330033013302330333043305330633073308330933103311331233133314331533163317331833193320332133223323332433253326332733283329333033313332333333343335333633373338333933403341334233433344334533463347334833493350335133523353335433553356335733583359336033613362336333643365336633673368336933703371337233733374337533763377337833793380338133823383338433853386338733883389339033913392339333943395339633973398339934003401340234033404340534063407340834093410341134123413341434153416341734183419342034213422342334243425342634273428342934303431343234333434343534363437343834393440344134423443344434453446344734483449345034513452345334543455345634573458345934603461346234633464346534663467346834693470347134723473347434753476347734783479348034813482348334843485348634873488348934903491349234933494349534963497349834993500350135023503350435053506350735083509351035113512351335143515351635173518351935203521352235233524352535263527352835293530353135323533353435353536353735383539354035413542354335443545354635473548354935503551355235533554355535563557355835593560356135623563356435653566356735683569357035713572357335743575357635773578357935803581358235833584358535863587358835893590359135923593359435953596359735983599360036013602360336043605360636073608360936103611361236133614361536163617361836193620362136223623362436253626362736283629363036313632363336343635363636373638363936403641364236433644364536463647364836493650365136523653365436553656365736583659366036613662366336643665366636673668366936703671367236733674367536763677367836793680368136823683368436853686368736883689369036913692369336943695369636973698369937003701370237033704370537063707370837093710371137123713371437153716371737183719372037213722372337243725372637273728372937303731373237333734373537363737373837393740374137423743374437453746374737483749375037513752375337543755375637573758375937603761376237633764376537663767376837693770377137723773377437753776377
73778377937803781378237833784378537863787378837893790379137923793379437953796379737983799380038013802380338043805380638073808380938103811381238133814381538163817381838193820382138223823382438253826382738283829383038313832383338343835383638373838383938403841384238433844384538463847384838493850385138523853385438553856385738583859386038613862386338643865386638673868386938703871387238733874387538763877387838793880388138823883388438853886388738883889389038913892389338943895389638973898389939003901390239033904390539063907390839093910391139123913391439153916391739183919392039213922392339243925392639273928392939303931393239333934393539363937393839393940394139423943394439453946394739483949395039513952395339543955395639573958395939603961396239633964396539663967396839693970397139723973397439753976397739783979398039813982398339843985398639873988398939903991399239933994399539963997399839994000400140024003400440054006400740084009401040114012401340144015401640174018401940204021402240234024402540264027402840294030403140324033403440354036403740384039404040414042404340444045404640474048404940504051405240534054405540564057405840594060406140624063406440654066406740684069407040714072407340744075407640774078407940804081408240834084408540864087408840894090409140924093409440954096409740984099410041014102410341044105410641074108410941104111411241134114411541164117411841194120412141224123412441254126412741284129413041314132413341344135413641374138413941404141414241434144414541464147414841494150415141524153415441554156415741584159416041614162416341644165416641674168416941704171417241734174417541764177417841794180418141824183418441854186418741884189419041914192419341944195419641974198419942004201420242034204420542064207420842094210421142124213421442154216421742184219422042214222422342244225422642274228422942304231423242334234423542364237423842394240424142424243424442454246424742484249425042514252425342544255425642574258425942604261426242634264426542664267426842694270427142724273427442754276427
74278427942804281428242834284428542864287428842894290429142924293429442954296429742984299430043014302430343044305430643074308430943104311431243134314431543164317431843194320432143224323432443254326432743284329433043314332433343344335433643374338433943404341434243434344434543464347434843494350435143524353435443554356435743584359436043614362436343644365436643674368436943704371437243734374437543764377437843794380438143824383438443854386438743884389439043914392439343944395439643974398439944004401440244034404440544064407440844094410441144124413441444154416441744184419442044214422442344244425442644274428442944304431443244334434443544364437443844394440444144424443444444454446444744484449445044514452445344544455445644574458445944604461446244634464446544664467446844694470447144724473447444754476447744784479448044814482448344844485448644874488448944904491449244934494449544964497449844994500450145024503450445054506450745084509451045114512451345144515451645174518451945204521452245234524452545264527452845294530453145324533453445354536453745384539454045414542454345444545454645474548454945504551455245534554455545564557455845594560456145624563456445654566456745684569457045714572457345744575457645774578457945804581458245834584458545864587458845894590459145924593459445954596459745984599460046014602460346044605460646074608460946104611461246134614461546164617461846194620462146224623462446254626462746284629463046314632463346344635463646374638463946404641464246434644464546464647464846494650465146524653465446554656465746584659466046614662466346644665466646674668466946704671467246734674467546764677467846794680468146824683468446854686468746884689469046914692469346944695469646974698469947004701470247034704470547064707470847094710471147124713471447154716471747184719472047214722472347244725472647274728472947304731473247334734473547364737473847394740474147424743474447454746474747484749475047514752475347544755475647574758475947604761476247634764476547664767476847694770477147724773477447754776477
74778477947804781478247834784478547864787478847894790479147924793479447954796479747984799480048014802480348044805480648074808480948104811481248134814481548164817481848194820482148224823482448254826482748284829483048314832483348344835483648374838483948404841484248434844484548464847484848494850485148524853485448554856485748584859486048614862486348644865486648674868486948704871487248734874487548764877487848794880488148824883488448854886488748884889489048914892489348944895489648974898489949004901490249034904490549064907490849094910491149124913491449154916491749184919492049214922492349244925492649274928492949304931493249334934493549364937493849394940494149424943494449454946494749484949495049514952495349544955495649574958495949604961496249634964496549664967496849694970497149724973497449754976497749784979498049814982498349844985498649874988498949904991499249934994499549964997499849995000500150025003500450055006500750085009501050115012501350145015501650175018501950205021502250235024502550265027502850295030503150325033503450355036503750385039504050415042504350445045504650475048504950505051505250535054505550565057505850595060506150625063506450655066506750685069507050715072507350745075507650775078507950805081508250835084508550865087508850895090509150925093509450955096509750985099510051015102510351045105510651075108510951105111511251135114511551165117511851195120512151225123512451255126512751285129513051315132513351345135513651375138513951405141514251435144514551465147514851495150515151525153515451555156515751585159516051615162516351645165516651675168516951705171517251735174517551765177517851795180518151825183518451855186518751885189519051915192519351945195519651975198519952005201520252035204520552065207520852095210521152125213521452155216521752185219522052215222522352245225522652275228522952305231523252335234523552365237523852395240524152425243524452455246524752485249525052515252525352545255525652575258525952605261526252635264526552665267526852695270527152725273527452755276527
75278527952805281528252835284528552865287528852895290529152925293529452955296529752985299530053015302530353045305530653075308530953105311531253135314531553165317531853195320532153225323532453255326532753285329533053315332533353345335533653375338533953405341534253435344534553465347534853495350535153525353535453555356535753585359536053615362536353645365536653675368536953705371537253735374537553765377537853795380538153825383538453855386538753885389539053915392539353945395539653975398539954005401540254035404540554065407540854095410541154125413541454155416541754185419542054215422542354245425542654275428542954305431543254335434543554365437543854395440544154425443544454455446544754485449545054515452545354545455545654575458545954605461546254635464546554665467546854695470547154725473547454755476547754785479548054815482548354845485548654875488548954905491549254935494549554965497549854995500550155025503550455055506550755085509551055115512551355145515551655175518551955205521552255235524552555265527552855295530553155325533553455355536553755385539554055415542554355445545554655475548554955505551555255535554555555565557555855595560556155625563556455655566556755685569557055715572557355745575557655775578557955805581558255835584558555865587558855895590559155925593559455955596559755985599560056015602560356045605560656075608560956105611561256135614561556165617561856195620562156225623562456255626562756285629563056315632563356345635563656375638563956405641564256435644564556465647564856495650565156525653565456555656565756585659566056615662566356645665566656675668566956705671567256735674567556765677567856795680568156825683568456855686568756885689569056915692569356945695569656975698569957005701570257035704570557065707570857095710571157125713571457155716571757185719572057215722572357245725572657275728572957305731573257335734573557365737573857395740574157425743574457455746574757485749575057515752575357545755575657575758575957605761576257635764576557665767576857695770577157725773577457755776577
75778577957805781578257835784578557865787578857895790579157925793579457955796579757985799580058015802580358045805580658075808580958105811581258135814581558165817581858195820582158225823582458255826582758285829583058315832583358345835583658375838583958405841584258435844584558465847584858495850585158525853585458555856585758585859586058615862586358645865586658675868586958705871587258735874587558765877587858795880588158825883588458855886588758885889589058915892589358945895589658975898589959005901590259035904590559065907590859095910591159125913591459155916591759185919592059215922592359245925592659275928592959305931593259335934593559365937593859395940594159425943594459455946594759485949595059515952595359545955595659575958595959605961596259635964596559665967596859695970597159725973597459755976597759785979598059815982598359845985598659875988598959905991599259935994599559965997599859996000600160026003600460056006600760086009601060116012601360146015601660176018601960206021602260236024602560266027602860296030603160326033603460356036603760386039604060416042604360446045604660476048604960506051605260536054605560566057605860596060606160626063606460656066606760686069607060716072607360746075607660776078607960806081608260836084608560866087608860896090609160926093609460956096609760986099610061016102610361046105610661076108610961106111611261136114611561166117611861196120612161226123612461256126612761286129613061316132613361346135613661376138613961406141614261436144614561466147614861496150615161526153615461556156615761586159616061616162616361646165616661676168616961706171617261736174617561766177617861796180618161826183618461856186618761886189619061916192619361946195619661976198619962006201620262036204620562066207620862096210621162126213621462156216621762186219622062216222622362246225622662276228622962306231623262336234623562366237623862396240624162426243624462456246624762486249625062516252625362546255625662576258625962606261626262636264626562666267626862696270627162726273627462756276627
76278627962806281628262836284628562866287628862896290629162926293629462956296629762986299630063016302630363046305630663076308630963106311631263136314631563166317631863196320632163226323632463256326632763286329633063316332633363346335633663376338633963406341634263436344634563466347634863496350635163526353635463556356635763586359636063616362636363646365636663676368636963706371637263736374637563766377637863796380638163826383638463856386638763886389639063916392639363946395639663976398639964006401640264036404640564066407640864096410641164126413641464156416641764186419642064216422642364246425642664276428642964306431643264336434643564366437643864396440644164426443644464456446644764486449645064516452645364546455645664576458645964606461646264636464646564666467646864696470647164726473647464756476647764786479648064816482648364846485648664876488648964906491649264936494649564966497649864996500650165026503650465056506650765086509651065116512651365146515651665176518651965206521652265236524652565266527652865296530653165326533653465356536653765386539654065416542654365446545654665476548654965506551655265536554655565566557655865596560656165626563656465656566656765686569657065716572657365746575657665776578657965806581658265836584658565866587658865896590659165926593659465956596659765986599660066016602660366046605660666076608660966106611661266136614661566166617661866196620662166226623662466256626662766286629663066316632663366346635663666376638663966406641664266436644664566466647664866496650665166526653665466556656665766586659666066616662666366646665666666676668666966706671667266736674667566766677667866796680668166826683668466856686668766886689669066916692669366946695669666976698669967006701670267036704670567066707670867096710671167126713671467156716671767186719672067216722672367246725672667276728672967306731673267336734673567366737673867396740674167426743674467456746674767486749675067516752675367546755675667576758675967606761676267636764676567666767676867696770677167726773677467756776677
76778677967806781678267836784678567866787678867896790679167926793679467956796679767986799680068016802680368046805680668076808680968106811681268136814681568166817681868196820682168226823682468256826682768286829683068316832683368346835683668376838683968406841684268436844684568466847684868496850685168526853685468556856685768586859686068616862686368646865686668676868686968706871687268736874687568766877687868796880688168826883688468856886688768886889689068916892689368946895689668976898689969006901690269036904690569066907690869096910691169126913691469156916691769186919692069216922692369246925692669276928692969306931693269336934693569366937693869396940694169426943694469456946694769486949695069516952695369546955695669576958695969606961696269636964696569666967696869696970697169726973697469756976697769786979698069816982698369846985698669876988698969906991699269936994699569966997699869997000700170027003700470057006700770087009701070117012701370147015701670177018701970207021702270237024702570267027702870297030703170327033703470357036703770387039704070417042704370447045704670477048704970507051705270537054705570567057705870597060706170627063706470657066706770687069707070717072707370747075707670777078707970807081708270837084708570867087708870897090709170927093709470957096709770987099710071017102710371047105710671077108710971107111711271137114711571167117711871197120712171227123712471257126712771287129713071317132713371347135713671377138713971407141714271437144714571467147714871497150715171527153715471557156715771587159716071617162716371647165716671677168716971707171717271737174717571767177717871797180718171827183718471857186718771887189719071917192719371947195719671977198719972007201720272037204720572067207720872097210721172127213721472157216721772187219722072217222722372247225722672277228722972307231723272337234723572367237723872397240724172427243724472457246724772487249725072517252725372547255725672577258725972607261726272637264726572667267726872697270727172727273727472757276727
77278727972807281728272837284728572867287728872897290729172927293729472957296729772987299730073017302730373047305730673077308730973107311731273137314731573167317731873197320732173227323732473257326732773287329733073317332733373347335733673377338733973407341734273437344734573467347734873497350735173527353735473557356735773587359736073617362736373647365736673677368736973707371737273737374737573767377737873797380738173827383738473857386738773887389739073917392739373947395739673977398739974007401740274037404740574067407740874097410741174127413741474157416741774187419742074217422742374247425742674277428742974307431743274337434743574367437743874397440744174427443744474457446744774487449745074517452745374547455745674577458745974607461746274637464746574667467746874697470747174727473747474757476747774787479748074817482748374847485748674877488748974907491749274937494749574967497749874997500750175027503750475057506750775087509751075117512751375147515751675177518751975207521752275237524752575267527752875297530753175327533753475357536753775387539754075417542754375447545754675477548754975507551755275537554755575567557755875597560756175627563756475657566756775687569757075717572757375747575757675777578757975807581758275837584758575867587758875897590759175927593759475957596759775987599760076017602760376047605760676077608760976107611761276137614761576167617761876197620762176227623762476257626762776287629763076317632763376347635763676377638763976407641764276437644764576467647764876497650765176527653765476557656765776587659766076617662766376647665766676677668766976707671767276737674767576767677767876797680768176827683768476857686768776887689769076917692769376947695769676977698769977007701770277037704770577067707770877097710771177127713771477157716771777187719772077217722772377247725772677277728772977307731773277337734773577367737773877397740774177427743774477457746774777487749775077517752775377547755775677577758775977607761776277637764776577667767776877697770777177727773777477757776777
77778777977807781778277837784778577867787778877897790779177927793779477957796779777987799780078017802780378047805780678077808780978107811781278137814781578167817781878197820782178227823782478257826782778287829783078317832783378347835783678377838783978407841784278437844784578467847784878497850785178527853785478557856785778587859786078617862786378647865786678677868786978707871787278737874787578767877787878797880788178827883788478857886788778887889789078917892789378947895789678977898789979007901790279037904790579067907790879097910791179127913791479157916791779187919792079217922792379247925792679277928792979307931793279337934793579367937793879397940794179427943794479457946794779487949795079517952795379547955795679577958795979607961796279637964796579667967796879697970797179727973797479757976797779787979798079817982798379847985798679877988798979907991799279937994799579967997799879998000800180028003800480058006800780088009801080118012801380148015801680178018801980208021802280238024802580268027802880298030803180328033803480358036803780388039804080418042804380448045804680478048804980508051805280538054805580568057805880598060806180628063806480658066806780688069807080718072807380748075807680778078807980808081808280838084808580868087808880898090809180928093809480958096809780988099810081018102810381048105810681078108810981108111811281138114811581168117811881198120812181228123812481258126812781288129813081318132813381348135813681378138813981408141814281438144814581468147814881498150815181528153815481558156815781588159816081618162816381648165816681678168816981708171817281738174817581768177817881798180818181828183818481858186818781888189819081918192819381948195819681978198819982008201820282038204820582068207820882098210821182128213821482158216821782188219822082218222822382248225822682278228822982308231823282338234823582368237823882398240824182428243824482458246824782488249825082518252825382548255825682578258825982608261826282638264826582668267826882698270827182728273827482758276827
78278827982808281828282838284828582868287828882898290829182928293829482958296829782988299830083018302830383048305830683078308830983108311831283138314831583168317831883198320832183228323832483258326832783288329833083318332833383348335833683378338833983408341834283438344834583468347834883498350835183528353835483558356835783588359836083618362836383648365836683678368836983708371837283738374837583768377837883798380838183828383838483858386838783888389839083918392839383948395839683978398839984008401840284038404840584068407840884098410841184128413841484158416841784188419842084218422842384248425842684278428842984308431843284338434843584368437843884398440844184428443844484458446844784488449845084518452845384548455845684578458845984608461846284638464846584668467846884698470847184728473847484758476847784788479848084818482848384848485848684878488848984908491849284938494849584968497849884998500850185028503850485058506850785088509851085118512851385148515851685178518851985208521852285238524852585268527852885298530853185328533853485358536853785388539854085418542854385448545854685478548854985508551855285538554855585568557855885598560856185628563856485658566856785688569857085718572857385748575857685778578857985808581858285838584858585868587858885898590859185928593859485958596859785988599860086018602860386048605860686078608860986108611861286138614861586168617861886198620862186228623862486258626862786288629863086318632863386348635863686378638863986408641864286438644864586468647864886498650865186528653865486558656865786588659866086618662866386648665866686678668866986708671867286738674867586768677867886798680868186828683868486858686868786888689869086918692869386948695869686978698869987008701870287038704870587068707870887098710871187128713871487158716871787188719872087218722872387248725872687278728872987308731873287338734873587368737873887398740874187428743874487458746874787488749875087518752875387548755875687578758875987608761876287638764876587668767876887698770877187728773877487758776877
78778877987808781878287838784878587868787878887898790879187928793879487958796879787988799880088018802880388048805880688078808880988108811881288138814881588168817881888198820882188228823882488258826882788288829883088318832883388348835883688378838883988408841884288438844884588468847884888498850885188528853885488558856885788588859886088618862886388648865886688678868886988708871887288738874887588768877887888798880888188828883888488858886888788888889889088918892889388948895889688978898889989008901890289038904890589068907890889098910891189128913891489158916891789188919892089218922892389248925892689278928892989308931893289338934893589368937893889398940894189428943894489458946894789488949895089518952895389548955895689578958895989608961896289638964896589668967896889698970897189728973897489758976897789788979898089818982898389848985898689878988898989908991899289938994899589968997899889999000900190029003900490059006900790089009901090119012901390149015901690179018901990209021902290239024902590269027902890299030903190329033903490359036903790389039904090419042904390449045904690479048904990509051905290539054905590569057905890599060906190629063906490659066906790689069907090719072907390749075907690779078907990809081908290839084908590869087908890899090909190929093909490959096909790989099910091019102910391049105910691079108910991109111911291139114911591169117911891199120912191229123912491259126912791289129913091319132913391349135913691379138913991409141914291439144914591469147914891499150915191529153915491559156915791589159916091619162916391649165916691679168916991709171917291739174917591769177917891799180918191829183918491859186918791889189919091919192919391949195919691979198919992009201920292039204920592069207920892099210921192129213921492159216921792189219922092219222922392249225922692279228922992309231923292339234923592369237923892399240924192429243924492459246924792489249925092519252925392549255925692579258925992609261926292639264926592669267926892699270927192729273927492759276927
79278927992809281928292839284928592869287928892899290929192929293929492959296929792989299930093019302930393049305930693079308930993109311931293139314931593169317931893199320932193229323932493259326932793289329933093319332933393349335933693379338933993409341934293439344934593469347934893499350935193529353935493559356935793589359936093619362936393649365936693679368936993709371937293739374937593769377937893799380938193829383938493859386938793889389939093919392939393949395939693979398939994009401940294039404940594069407940894099410941194129413941494159416941794189419942094219422942394249425942694279428942994309431943294339434943594369437943894399440944194429443944494459446944794489449945094519452945394549455945694579458945994609461946294639464946594669467946894699470947194729473947494759476947794789479948094819482948394849485948694879488948994909491949294939494949594969497949894999500950195029503950495059506950795089509951095119512951395149515951695179518951995209521952295239524952595269527952895299530953195329533953495359536953795389539954095419542954395449545954695479548954995509551955295539554955595569557955895599560956195629563956495659566956795689569957095719572957395749575957695779578957995809581958295839584958595869587958895899590959195929593959495959596959795989599960096019602960396049605960696079608960996109611961296139614961596169617961896199620962196229623962496259626962796289629963096319632963396349635963696379638963996409641964296439644964596469647964896499650965196529653965496559656965796589659966096619662966396649665966696679668966996709671967296739674967596769677967896799680968196829683968496859686968796889689969096919692969396949695969696979698969997009701970297039704970597069707970897099710971197129713971497159716971797189719972097219722972397249725972697279728972997309731973297339734973597369737973897399740974197429743974497459746974797489749975097519752975397549755975697579758975997609761976297639764976597669767976897699770977197729773977497759776977
79778977997809781978297839784978597869787978897899790979197929793979497959796979797989799980098019802980398049805980698079808980998109811981298139814981598169817981898199820982198229823982498259826982798289829983098319832983398349835983698379838983998409841984298439844984598469847984898499850985198529853985498559856985798589859986098619862986398649865986698679868986998709871987298739874987598769877987898799880988198829883988498859886988798889889989098919892989398949895989698979898989999009901990299039904990599069907990899099910991199129913991499159916991799189919992099219922992399249925992699279928992999309931993299339934993599369937993899399940994199429943994499459946994799489949995099519952995399549955995699579958995999609961996299639964996599669967996899699970997199729973997499759976997799789979998099819982998399849985998699879988998999909991999299939994999599969997999899991000010001100021000310004100051000610007100081000910010100111001210013100141001510016100171001810019100201002110022100231002410025100261002710028100291003010031100321003310034100351003610037100381003910040100411004210043100441004510046100471004810049100501005110052100531005410055100561005710058100591006010061100621006310064100651006610067100681006910070100711007210073100741007510076100771007810079100801008110082100831008410085100861008710088100891009010091100921009310094100951009610097100981009910100101011010210103101041010510106101071010810109101101011110112101131011410115101161011710118101191012010121101221012310124101251012610127101281012910130101311013210133101341013510136101371013810139101401014110142101431014410145101461014710148101491015010151101521015310154101551015610157101581015910160101611016210163101641016510166101671016810169101701017110172101731017410175101761017710178101791018010181101821018310184101851018610187101881018910190101911019210193101941019510196101971019810199102001020110202102031020410205102061020710208102091021010211102121021310214102151021610217102181021910220102211
02221022310224102251022610227102281022910230102311023210233102341023510236102371023810239102401024110242102431024410245102461024710248102491025010251102521025310254102551025610257102581025910260102611026210263102641026510266102671026810269102701027110272102731027410275102761027710278102791028010281102821028310284102851028610287102881028910290102911029210293102941029510296102971029810299103001030110302103031030410305103061030710308103091031010311103121031310314103151031610317103181031910320103211032210323103241032510326103271032810329103301033110332103331033410335103361033710338103391034010341103421034310344103451034610347103481034910350103511035210353103541035510356103571035810359103601036110362103631036410365103661036710368103691037010371103721037310374103751037610377103781037910380103811038210383103841038510386103871038810389103901039110392103931039410395103961039710398103991040010401104021040310404104051040610407104081040910410104111041210413104141041510416104171041810419104201042110422104231042410425104261042710428104291043010431104321043310434104351043610437104381043910440104411044210443104441044510446104471044810449104501045110452104531045410455104561045710458104591046010461104621046310464104651046610467104681046910470104711047210473104741047510476104771047810479104801048110482104831048410485104861048710488104891049010491104921049310494104951049610497104981049910500105011050210503105041050510506105071050810509105101051110512105131051410515105161051710518105191052010521105221052310524105251052610527105281052910530105311053210533105341053510536105371053810539105401054110542105431054410545105461054710548105491055010551105521055310554105551055610557105581055910560105611056210563105641056510566105671056810569105701057110572105731057410575105761057710578105791058010581105821058310584105851058610587105881058910590105911059210593105941059510596105971059810599106001060110602106031060410605106061060710608106091061010611106121061310614106151061610617106181061910620106211
06221062310624106251062610627106281062910630106311063210633106341063510636106371063810639106401064110642106431064410645106461064710648106491065010651106521065310654106551065610657106581065910660106611066210663106641066510666106671066810669106701067110672106731067410675106761067710678106791068010681106821068310684106851068610687106881068910690106911069210693106941069510696106971069810699107001070110702107031070410705107061070710708107091071010711107121071310714107151071610717107181071910720107211072210723107241072510726107271072810729107301073110732107331073410735107361073710738107391074010741107421074310744107451074610747107481074910750107511075210753107541075510756107571075810759107601076110762107631076410765107661076710768107691077010771107721077310774107751077610777107781077910780107811078210783107841078510786107871078810789107901079110792107931079410795107961079710798107991080010801108021080310804108051080610807108081080910810108111081210813108141081510816108171081810819108201082110822108231082410825108261082710828108291083010831108321083310834108351083610837108381083910840108411084210843108441084510846108471084810849108501085110852108531085410855108561085710858108591086010861108621086310864108651086610867108681086910870108711087210873108741087510876108771087810879108801088110882108831088410885108861088710888108891089010891108921089310894108951089610897108981089910900109011090210903109041090510906109071090810909109101091110912109131091410915109161091710918109191092010921109221092310924109251092610927109281092910930109311093210933109341093510936109371093810939109401094110942109431094410945109461094710948109491095010951109521095310954109551095610957109581095910960109611096210963109641096510966109671096810969109701097110972109731097410975109761097710978109791098010981109821098310984109851098610987109881098910990109911099210993109941099510996109971099810999110001100111002110031100411005110061100711008110091101011011110121101311014110151101611017110181101911020110211
10221102311024110251102611027110281102911030110311103211033110341103511036110371103811039110401104111042110431104411045110461104711048110491105011051110521105311054110551105611057110581105911060110611106211063110641106511066110671106811069110701107111072110731107411075110761107711078110791108011081110821108311084110851108611087110881108911090110911109211093110941109511096110971109811099111001110111102111031110411105111061110711108111091111011111111121111311114111151111611117111181111911120111211112211123111241112511126111271112811129111301113111132111331113411135111361113711138111391114011141111421114311144111451114611147111481114911150111511115211153111541115511156111571115811159111601116111162111631116411165111661116711168111691117011171111721117311174111751117611177111781117911180111811118211183111841118511186111871118811189111901119111192111931119411195111961119711198111991120011201112021120311204112051120611207112081120911210112111121211213112141121511216112171121811219112201122111222112231122411225112261122711228112291123011231112321123311234112351123611237112381123911240112411124211243112441124511246112471124811249112501125111252112531125411255112561125711258112591126011261112621126311264112651126611267112681126911270112711127211273112741127511276112771127811279112801128111282112831128411285112861128711288112891129011291112921129311294112951129611297112981129911300113011130211303113041130511306113071130811309113101131111312113131131411315113161131711318113191132011321113221132311324113251132611327113281132911330113311133211333113341133511336113371133811339113401134111342113431134411345113461134711348113491135011351113521135311354113551135611357113581135911360113611136211363113641136511366113671136811369113701137111372113731137411375113761137711378113791138011381113821138311384113851138611387113881138911390113911139211393113941139511396113971139811399114001140111402114031140411405114061140711408114091141011411114121141311414114151141611417114181141911420114211
14221142311424114251142611427114281142911430114311143211433114341143511436114371143811439114401144111442114431144411445114461144711448114491145011451114521145311454114551145611457114581145911460114611146211463114641146511466114671146811469114701147111472114731147411475114761147711478114791148011481114821148311484114851148611487114881148911490114911149211493114941149511496114971149811499115001150111502115031150411505115061150711508115091151011511115121151311514115151151611517115181151911520115211152211523115241152511526115271152811529115301153111532115331153411535115361153711538115391154011541115421154311544115451154611547115481154911550115511155211553115541155511556115571155811559115601156111562115631156411565115661156711568115691157011571115721157311574115751157611577115781157911580115811158211583115841158511586115871158811589115901159111592115931159411595115961159711598115991160011601116021160311604116051160611607116081160911610116111161211613116141161511616116171161811619116201162111622116231162411625116261162711628116291163011631116321163311634116351163611637116381163911640116411164211643116441164511646116471164811649116501165111652116531165411655116561165711658116591166011661116621166311664116651166611667116681166911670116711167211673116741167511676116771167811679116801168111682116831168411685116861168711688116891169011691116921169311694116951169611697116981169911700117011170211703117041170511706117071170811709117101171111712117131171411715117161171711718117191172011721117221172311724117251172611727117281172911730117311173211733117341173511736117371173811739117401174111742117431174411745117461174711748117491175011751117521175311754117551175611757117581175911760117611176211763117641176511766117671176811769117701177111772117731177411775117761177711778117791178011781117821178311784117851178611787117881178911790117911179211793117941179511796117971179811799118001180111802118031180411805118061180711808118091181011811118121181311814118151181611817118181181911820118211
18221182311824118251182611827118281182911830118311183211833118341183511836118371183811839118401184111842118431184411845118461184711848118491185011851118521185311854118551185611857118581185911860118611186211863118641186511866118671186811869118701187111872118731187411875118761187711878118791188011881118821188311884118851188611887118881188911890118911189211893118941189511896118971189811899119001190111902119031190411905119061190711908119091191011911119121191311914119151191611917119181191911920119211192211923119241192511926119271192811929119301193111932119331193411935119361193711938119391194011941119421194311944119451194611947119481194911950119511195211953119541195511956119571195811959119601196111962119631196411965119661196711968119691197011971119721197311974119751197611977119781197911980119811198211983119841198511986119871198811989119901199111992119931199411995119961199711998119991200012001120021200312004120051200612007120081200912010120111201212013120141201512016120171201812019120201202112022120231202412025120261202712028120291203012031120321203312034120351203612037120381203912040120411204212043120441204512046120471204812049120501205112052120531205412055120561205712058120591206012061120621206312064120651206612067120681206912070120711207212073120741207512076120771207812079120801208112082120831208412085120861208712088120891209012091120921209312094120951209612097120981209912100121011210212103121041210512106121071210812109121101211112112121131211412115121161211712118121191212012121121221212312124121251212612127121281212912130121311213212133121341213512136121371213812139121401214112142121431214412145121461214712148121491215012151121521215312154121551215612157121581215912160121611216212163121641216512166121671216812169121701217112172121731217412175121761217712178121791218012181121821218312184121851218612187121881218912190121911219212193121941219512196121971219812199122001220112202122031220412205122061220712208122091221012211122121221312214122151221612217122181221912220122211
22221222312224122251222612227122281222912230122311223212233122341223512236122371223812239122401224112242122431224412245122461224712248122491225012251122521225312254122551225612257122581225912260122611226212263122641226512266122671226812269122701227112272122731227412275122761227712278122791228012281122821228312284122851228612287122881228912290122911229212293122941229512296122971229812299123001230112302123031230412305123061230712308123091231012311123121231312314123151231612317123181231912320123211232212323123241232512326123271232812329123301233112332123331233412335123361233712338123391234012341123421234312344123451234612347123481234912350123511235212353123541235512356123571235812359123601236112362123631236412365123661236712368123691237012371123721237312374123751237612377123781237912380123811238212383123841238512386123871238812389123901239112392123931239412395123961239712398123991240012401124021240312404124051240612407124081240912410124111241212413124141241512416124171241812419124201242112422124231242412425124261242712428124291243012431124321243312434124351243612437124381243912440124411244212443124441244512446124471244812449124501245112452124531245412455124561245712458124591246012461124621246312464124651246612467124681246912470124711247212473124741247512476124771247812479124801248112482124831248412485124861248712488124891249012491124921249312494124951249612497124981249912500125011250212503125041250512506125071250812509125101251112512125131251412515125161251712518125191252012521125221252312524125251252612527125281252912530125311253212533125341253512536125371253812539125401254112542125431254412545125461254712548125491255012551125521255312554125551255612557125581255912560125611256212563125641256512566125671256812569125701257112572125731257412575125761257712578125791258012581125821258312584125851258612587125881258912590125911259212593125941259512596125971259812599126001260112602126031260412605126061260712608126091261012611126121261312614126151261612617126181261912620126211
26221262312624126251262612627126281262912630126311263212633126341263512636126371263812639126401264112642126431264412645126461264712648126491265012651126521265312654126551265612657126581265912660126611266212663126641266512666126671266812669126701267112672126731267412675126761267712678126791268012681126821268312684126851268612687126881268912690126911269212693126941269512696126971269812699127001270112702127031270412705127061270712708127091271012711127121271312714127151271612717127181271912720127211272212723127241272512726127271272812729127301273112732127331273412735127361273712738127391274012741127421274312744127451274612747127481274912750127511275212753127541275512756127571275812759127601276112762127631276412765127661276712768127691277012771127721277312774127751277612777127781277912780127811278212783127841278512786127871278812789127901279112792127931279412795127961279712798127991280012801128021280312804128051280612807128081280912810128111281212813128141281512816128171281812819128201282112822128231282412825128261282712828128291283012831128321283312834128351283612837128381283912840128411284212843128441284512846128471284812849128501285112852128531285412855128561285712858128591286012861128621286312864128651286612867128681286912870128711287212873128741287512876128771287812879128801288112882128831288412885128861288712888128891289012891128921289312894128951289612897128981289912900129011290212903129041290512906129071290812909129101291112912129131291412915129161291712918129191292012921129221292312924129251292612927129281292912930129311293212933129341293512936129371293812939129401294112942129431294412945129461294712948129491295012951129521295312954129551295612957129581295912960129611296212963129641296512966129671296812969129701297112972129731297412975129761297712978129791298012981129821298312984129851298612987129881298912990129911299212993129941299512996129971299812999130001300113002130031300413005130061300713008130091301013011130121301313014130151301613017130181301913020130211
30221302313024130251302613027130281302913030130311303213033130341303513036130371303813039130401304113042130431304413045130461304713048130491305013051130521305313054130551305613057130581305913060130611306213063130641306513066130671306813069130701307113072130731307413075130761307713078130791308013081130821308313084130851308613087130881308913090130911309213093130941309513096130971309813099131001310113102131031310413105131061310713108131091311013111131121311313114131151311613117131181311913120131211312213123131241312513126131271312813129131301313113132131331313413135131361313713138131391314013141131421314313144131451314613147131481314913150131511315213153131541315513156131571315813159131601316113162131631316413165131661316713168131691317013171131721317313174131751317613177131781317913180131811318213183131841318513186131871318813189131901319113192131931319413195131961319713198131991320013201132021320313204132051320613207132081320913210132111321213213132141321513216132171321813219132201322113222132231322413225132261322713228132291323013231132321323313234132351323613237132381323913240132411324213243132441324513246132471324813249132501325113252132531325413255132561325713258132591326013261132621326313264132651326613267132681326913270132711327213273132741327513276132771327813279132801328113282132831328413285132861328713288132891329013291132921329313294132951329613297132981329913300133011330213303133041330513306133071330813309133101331113312133131331413315133161331713318133191332013321133221332313324133251332613327133281332913330133311333213333133341333513336133371333813339133401334113342133431334413345133461334713348133491335013351133521335313354133551335613357133581335913360133611336213363133641336513366133671336813369133701337113372133731337413375133761337713378133791338013381133821338313384133851338613387133881338913390133911339213393133941339513396133971339813399134001340113402134031340413405134061340713408134091341013411134121341313414134151341613417134181341913420134211
34221342313424134251342613427134281342913430134311343213433134341343513436134371343813439134401344113442134431344413445134461344713448134491345013451134521345313454134551345613457134581345913460134611346213463134641346513466134671346813469134701347113472134731347413475134761347713478134791348013481134821348313484134851348613487134881348913490134911349213493134941349513496134971349813499135001350113502135031350413505135061350713508135091351013511135121351313514135151351613517135181351913520135211352213523135241352513526135271352813529135301353113532135331353413535135361353713538135391354013541135421354313544135451354613547135481354913550135511355213553135541355513556135571355813559135601356113562135631356413565135661356713568135691357013571135721357313574135751357613577135781357913580135811358213583135841358513586135871358813589135901359113592135931359413595135961359713598135991360013601136021360313604136051360613607136081360913610136111361213613136141361513616136171361813619136201362113622136231362413625136261362713628136291363013631136321363313634136351363613637136381363913640136411364213643136441364513646136471364813649136501365113652136531365413655136561365713658136591366013661136621366313664136651366613667136681366913670136711367213673136741367513676136771367813679136801368113682136831368413685136861368713688136891369013691136921369313694136951369613697136981369913700137011370213703137041370513706137071370813709137101371113712137131371413715137161371713718137191372013721137221372313724137251372613727137281372913730137311373213733137341373513736137371373813739137401374113742137431374413745137461374713748137491375013751137521375313754137551375613757137581375913760137611376213763137641376513766137671376813769137701377113772137731377413775137761377713778137791378013781137821378313784137851378613787137881378913790137911379213793137941379513796137971379813799138001380113802138031380413805138061380713808138091381013811138121381313814138151381613817138181381913820138211
38221382313824138251382613827138281382913830138311383213833138341383513836138371383813839138401384113842138431384413845138461384713848138491385013851138521385313854138551385613857138581385913860138611386213863138641386513866138671386813869138701387113872138731387413875138761387713878138791388013881138821388313884138851388613887138881388913890138911389213893138941389513896138971389813899139001390113902139031390413905139061390713908139091391013911139121391313914139151391613917139181391913920139211392213923139241392513926139271392813929139301393113932139331393413935139361393713938139391394013941139421394313944139451394613947139481394913950139511395213953139541395513956139571395813959139601396113962139631396413965139661396713968139691397013971139721397313974139751397613977139781397913980139811398213983139841398513986139871398813989139901399113992139931399413995139961399713998139991400014001140021400314004140051400614007140081400914010140111401214013140141401514016140171401814019140201402114022140231402414025140261402714028140291403014031140321403314034140351403614037140381403914040140411404214043140441404514046140471404814049140501405114052140531405414055140561405714058140591406014061140621406314064140651406614067140681406914070140711407214073140741407514076140771407814079140801408114082140831408414085140861408714088140891409014091140921409314094140951409614097140981409914100141011410214103141041410514106141071410814109141101411114112141131411414115141161411714118141191412014121141221412314124141251412614127141281412914130141311413214133141341413514136141371413814139141401414114142141431414414145141461414714148141491415014151141521415314154141551415614157141581415914160141611416214163141641416514166141671416814169141701417114172141731417414175141761417714178141791418014181141821418314184141851418614187141881418914190141911419214193141941419514196141971419814199142001420114202142031420414205142061420714208142091421014211142121421314214142151421614217142181421914220142211
42221422314224142251422614227142281422914230142311423214233142341423514236142371423814239142401424114242142431424414245142461424714248142491425014251142521425314254142551425614257142581425914260142611426214263142641426514266142671426814269142701427114272142731427414275142761427714278142791428014281142821428314284142851428614287142881428914290142911429214293142941429514296142971429814299143001430114302143031430414305143061430714308143091431014311143121431314314143151431614317143181431914320143211432214323143241432514326143271432814329143301433114332143331433414335143361433714338143391434014341143421434314344143451434614347143481434914350143511435214353143541435514356143571435814359143601436114362143631436414365143661436714368143691437014371143721437314374143751437614377143781437914380143811438214383143841438514386143871438814389143901439114392143931439414395143961439714398143991440014401144021440314404144051440614407144081440914410144111441214413144141441514416144171441814419144201442114422144231442414425144261442714428144291443014431144321443314434144351443614437144381443914440144411444214443144441444514446144471444814449144501445114452144531445414455144561445714458144591446014461144621446314464144651446614467144681446914470144711447214473144741447514476144771447814479144801448114482144831448414485144861448714488144891449014491144921449314494144951449614497144981449914500145011450214503145041450514506145071450814509145101451114512145131451414515145161451714518145191452014521145221452314524145251452614527145281452914530145311453214533145341453514536145371453814539145401454114542145431454414545145461454714548145491455014551145521455314554145551455614557145581455914560145611456214563145641456514566145671456814569145701457114572145731457414575145761457714578145791458014581145821458314584145851458614587145881458914590145911459214593145941459514596145971459814599146001460114602146031460414605146061460714608146091461014611146121461314614146151461614617146181461914620146211
46221462314624146251462614627146281462914630146311463214633146341463514636146371463814639146401464114642146431464414645146461464714648146491465014651146521465314654146551465614657146581465914660146611466214663146641466514666146671466814669146701467114672146731467414675146761467714678146791468014681146821468314684146851468614687146881468914690146911469214693146941469514696146971469814699147001470114702147031470414705147061470714708147091471014711147121471314714147151471614717147181471914720147211472214723147241472514726147271472814729147301473114732147331473414735147361473714738147391474014741147421474314744147451474614747147481474914750147511475214753147541475514756147571475814759147601476114762147631476414765147661476714768147691477014771147721477314774147751477614777147781477914780147811478214783147841478514786147871478814789147901479114792147931479414795147961479714798147991480014801148021480314804148051480614807148081480914810148111481214813148141481514816148171481814819148201482114822148231482414825148261482714828148291483014831148321483314834148351483614837148381483914840148411484214843148441484514846148471484814849148501485114852148531485414855148561485714858148591486014861148621486314864148651486614867148681486914870148711487214873148741487514876148771487814879148801488114882148831488414885148861488714888148891489014891148921489314894148951489614897148981489914900149011490214903149041490514906149071490814909149101491114912149131491414915149161491714918149191492014921149221492314924149251492614927149281492914930149311493214933149341493514936149371493814939149401494114942149431494414945149461494714948149491495014951149521495314954149551495614957149581495914960149611496214963149641496514966149671496814969149701497114972149731497414975149761497714978149791498014981149821498314984149851498614987149881498914990149911499214993149941499514996149971499814999150001500115002150031500415005150061500715008150091501015011150121501315014150151501615017150181501915020150211
50221502315024150251502615027150281502915030150311503215033150341503515036150371503815039150401504115042150431504415045150461504715048150491505015051150521505315054150551505615057150581505915060150611506215063150641506515066150671506815069150701507115072150731507415075150761507715078150791508015081150821508315084150851508615087150881508915090150911509215093150941509515096150971509815099151001510115102151031510415105151061510715108151091511015111151121511315114151151511615117151181511915120151211512215123151241512515126151271512815129151301513115132151331513415135151361513715138151391514015141151421514315144151451514615147151481514915150151511515215153151541515515156151571515815159151601516115162151631516415165151661516715168151691517015171151721517315174151751517615177151781517915180151811518215183151841518515186151871518815189151901519115192151931519415195151961519715198151991520015201152021520315204152051520615207152081520915210152111521215213152141521515216152171521815219152201522115222152231522415225152261522715228152291523015231152321523315234152351523615237152381523915240152411524215243152441524515246152471524815249152501525115252152531525415255152561525715258152591526015261152621526315264152651526615267152681526915270152711527215273152741527515276152771527815279152801528115282152831528415285152861528715288152891529015291152921529315294152951529615297152981529915300153011530215303153041530515306153071530815309153101531115312153131531415315153161531715318153191532015321153221532315324153251532615327153281532915330153311533215333153341533515336153371533815339153401534115342153431534415345153461534715348153491535015351153521535315354153551535615357153581535915360153611536215363153641536515366153671536815369153701537115372153731537415375153761537715378153791538015381153821538315384153851538615387153881538915390153911539215393153941539515396153971539815399154001540115402154031540415405154061540715408154091541015411154121541315414154151541615417154181541915420154211
54221542315424154251542615427154281542915430154311543215433154341543515436154371543815439154401544115442154431544415445154461544715448154491545015451154521545315454154551545615457154581545915460154611546215463154641546515466154671546815469154701547115472154731547415475154761547715478154791548015481154821548315484154851548615487154881548915490154911549215493154941549515496154971549815499155001550115502155031550415505155061550715508155091551015511155121551315514155151551615517155181551915520155211552215523155241552515526155271552815529155301553115532155331553415535155361553715538155391554015541155421554315544155451554615547155481554915550155511555215553155541555515556155571555815559155601556115562155631556415565155661556715568155691557015571155721557315574155751557615577155781557915580155811558215583155841558515586155871558815589155901559115592155931559415595155961559715598155991560015601156021560315604156051560615607156081560915610156111561215613156141561515616156171561815619156201562115622156231562415625156261562715628156291563015631156321563315634156351563615637156381563915640156411564215643156441564515646156471564815649156501565115652156531565415655156561565715658156591566015661156621566315664156651566615667156681566915670156711567215673156741567515676156771567815679156801568115682156831568415685156861568715688156891569015691156921569315694156951569615697156981569915700157011570215703157041570515706157071570815709157101571115712157131571415715157161571715718157191572015721157221572315724157251572615727157281572915730157311573215733157341573515736157371573815739157401574115742157431574415745157461574715748157491575015751157521575315754157551575615757157581575915760157611576215763157641576515766157671576815769157701577115772157731577415775157761577715778157791578015781157821578315784157851578615787157881578915790157911579215793157941579515796157971579815799158001580115802158031580415805158061580715808158091581015811158121581315814158151581615817158181581915820158211
58221582315824158251582615827158281582915830158311583215833158341583515836158371583815839158401584115842158431584415845158461584715848158491585015851158521585315854158551585615857158581585915860158611586215863158641586515866158671586815869158701587115872158731587415875158761587715878158791588015881158821588315884158851588615887158881588915890158911589215893158941589515896158971589815899159001590115902159031590415905159061590715908159091591015911159121591315914159151591615917159181591915920159211592215923159241592515926159271592815929159301593115932159331593415935159361593715938159391594015941159421594315944159451594615947159481594915950159511595215953159541595515956159571595815959159601596115962159631596415965159661596715968159691597015971159721597315974159751597615977159781597915980159811598215983159841598515986159871598815989159901599115992159931599415995159961599715998159991600016001160021600316004160051600616007160081600916010160111601216013160141601516016160171601816019160201602116022160231602416025160261602716028160291603016031160321603316034160351603616037160381603916040160411604216043160441604516046160471604816049160501605116052160531605416055160561605716058160591606016061160621606316064160651606616067160681606916070160711607216073160741607516076160771607816079160801608116082160831608416085160861608716088160891609016091160921609316094160951609616097160981609916100161011610216103161041610516106161071610816109161101611116112161131611416115161161611716118161191612016121161221612316124161251612616127161281612916130161311613216133161341613516136161371613816139161401614116142161431614416145161461614716148161491615016151161521615316154161551615616157161581615916160161611616216163161641616516166161671616816169161701617116172161731617416175161761617716178161791618016181161821618316184161851618616187161881618916190161911619216193161941619516196161971619816199162001620116202162031620416205162061620716208162091621016211162121621316214162151621616217162181621916220162211
62221622316224162251622616227162281622916230162311623216233162341623516236162371623816239162401624116242162431624416245162461624716248162491625016251162521625316254162551625616257162581625916260162611626216263162641626516266162671626816269162701627116272162731627416275162761627716278162791628016281162821628316284162851628616287162881628916290162911629216293162941629516296162971629816299163001630116302163031630416305163061630716308163091631016311163121631316314163151631616317163181631916320163211632216323163241632516326163271632816329163301633116332163331633416335163361633716338163391634016341163421634316344163451634616347163481634916350163511635216353163541635516356163571635816359163601636116362163631636416365163661636716368163691637016371163721637316374163751637616377163781637916380163811638216383163841638516386163871638816389163901639116392163931639416395163961639716398163991640016401164021640316404164051640616407164081640916410164111641216413164141641516416164171641816419164201642116422164231642416425164261642716428164291643016431164321643316434164351643616437164381643916440164411644216443164441644516446164471644816449164501645116452164531645416455164561645716458164591646016461164621646316464164651646616467164681646916470164711647216473164741647516476164771647816479164801648116482164831648416485164861648716488164891649016491164921649316494164951649616497164981649916500165011650216503165041650516506165071650816509165101651116512165131651416515165161651716518165191652016521165221652316524165251652616527165281652916530165311653216533165341653516536165371653816539165401654116542165431654416545165461654716548165491655016551165521655316554165551655616557165581655916560165611656216563165641656516566165671656816569165701657116572165731657416575165761657716578165791658016581165821658316584165851658616587165881658916590165911659216593165941659516596165971659816599166001660116602166031660416605166061660716608166091661016611166121661316614166151661616617166181661916620166211
66221662316624166251662616627166281662916630166311663216633166341663516636166371663816639166401664116642166431664416645166461664716648166491665016651166521665316654166551665616657166581665916660166611666216663166641666516666166671666816669166701667116672166731667416675166761667716678166791668016681166821668316684166851668616687166881668916690166911669216693166941669516696166971669816699167001670116702167031670416705167061670716708167091671016711167121671316714167151671616717167181671916720167211672216723167241672516726167271672816729167301673116732167331673416735167361673716738167391674016741167421674316744167451674616747167481674916750167511675216753167541675516756167571675816759167601676116762167631676416765167661676716768167691677016771167721677316774167751677616777167781677916780167811678216783167841678516786167871678816789167901679116792167931679416795167961679716798167991680016801168021680316804168051680616807168081680916810168111681216813168141681516816168171681816819168201682116822168231682416825168261682716828168291683016831168321683316834168351683616837168381683916840168411684216843168441684516846168471684816849168501685116852168531685416855168561685716858168591686016861168621686316864168651686616867168681686916870168711687216873168741687516876168771687816879168801688116882168831688416885168861688716888168891689016891168921689316894168951689616897168981689916900169011690216903169041690516906169071690816909169101691116912169131691416915169161691716918169191692016921169221692316924169251692616927169281692916930169311693216933169341693516936169371693816939169401694116942169431694416945169461694716948169491695016951169521695316954169551695616957169581695916960169611696216963169641696516966169671696816969169701697116972169731697416975169761697716978169791698016981169821698316984169851698616987169881698916990169911699216993169941699516996169971699816999170001700117002170031700417005170061700717008170091701017011170121701317014170151701617017170181701917020170211
70221702317024170251702617027170281702917030170311703217033170341703517036170371703817039170401704117042170431704417045170461704717048170491705017051170521705317054170551705617057170581705917060170611706217063170641706517066170671706817069170701707117072170731707417075170761707717078170791708017081170821708317084170851708617087170881708917090170911709217093170941709517096170971709817099171001710117102171031710417105171061710717108171091711017111171121711317114171151711617117171181711917120171211712217123171241712517126171271712817129171301713117132171331713417135171361713717138171391714017141171421714317144171451714617147171481714917150171511715217153171541715517156171571715817159171601716117162171631716417165171661716717168171691717017171171721717317174171751717617177171781717917180171811718217183171841718517186171871718817189171901719117192171931719417195171961719717198171991720017201172021720317204172051720617207172081720917210172111721217213172141721517216172171721817219172201722117222172231722417225172261722717228172291723017231172321723317234172351723617237172381723917240172411724217243172441724517246172471724817249172501725117252172531725417255172561725717258172591726017261172621726317264172651726617267172681726917270172711727217273172741727517276172771727817279172801728117282172831728417285172861728717288172891729017291172921729317294172951729617297172981729917300173011730217303173041730517306173071730817309173101731117312173131731417315173161731717318173191732017321173221732317324173251732617327173281732917330173311733217333173341733517336173371733817339173401734117342173431734417345173461734717348173491735017351173521735317354173551735617357173581735917360173611736217363173641736517366173671736817369173701737117372173731737417375173761737717378173791738017381173821738317384173851738617387173881738917390173911739217393173941739517396173971739817399174001740117402174031740417405174061740717408174091741017411174121741317414174151741617417174181741917420174211
74221742317424174251742617427174281742917430174311743217433174341743517436174371743817439174401744117442174431744417445174461744717448174491745017451174521745317454174551745617457174581745917460174611746217463174641746517466174671746817469174701747117472174731747417475174761747717478174791748017481174821748317484174851748617487174881748917490174911749217493174941749517496174971749817499175001750117502175031750417505175061750717508175091751017511175121751317514175151751617517175181751917520175211752217523175241752517526175271752817529175301753117532175331753417535175361753717538175391754017541175421754317544175451754617547175481754917550175511755217553175541755517556175571755817559175601756117562175631756417565175661756717568175691757017571175721757317574175751757617577175781757917580175811758217583175841758517586175871758817589175901759117592175931759417595175961759717598175991760017601176021760317604176051760617607176081760917610176111761217613176141761517616176171761817619176201762117622176231762417625176261762717628176291763017631176321763317634176351763617637176381763917640176411764217643176441764517646176471764817649176501765117652176531765417655176561765717658176591766017661176621766317664176651766617667176681766917670176711767217673176741767517676176771767817679176801768117682176831768417685176861768717688176891769017691176921769317694176951769617697176981769917700177011770217703177041770517706177071770817709177101771117712177131771417715177161771717718177191772017721177221772317724177251772617727177281772917730177311773217733177341773517736177371773817739177401774117742177431774417745177461774717748177491775017751177521775317754177551775617757177581775917760177611776217763177641776517766177671776817769177701777117772177731777417775177761777717778177791778017781177821778317784177851778617787177881778917790177911779217793177941779517796177971779817799178001780117802178031780417805178061780717808178091781017811178121781317814178151781617817178181781917820178211
78221782317824178251782617827178281782917830178311783217833178341783517836178371783817839178401784117842178431784417845178461784717848178491785017851178521785317854178551785617857178581785917860178611786217863178641786517866178671786817869178701787117872178731787417875178761787717878178791788017881178821788317884178851788617887178881788917890178911789217893178941789517896178971789817899179001790117902179031790417905179061790717908179091791017911179121791317914179151791617917179181791917920179211792217923179241792517926179271792817929179301793117932179331793417935179361793717938179391794017941179421794317944179451794617947179481794917950179511795217953179541795517956179571795817959179601796117962179631796417965179661796717968179691797017971179721797317974179751797617977179781797917980179811798217983179841798517986179871798817989179901799117992179931799417995179961799717998179991800018001180021800318004180051800618007180081800918010180111801218013180141801518016180171801818019180201802118022180231802418025180261802718028180291803018031180321803318034180351803618037180381803918040180411804218043180441804518046180471804818049180501805118052180531805418055180561805718058180591806018061180621806318064180651806618067180681806918070180711807218073180741807518076180771807818079180801808118082180831808418085180861808718088180891809018091180921809318094180951809618097180981809918100181011810218103181041810518106181071810818109181101811118112181131811418115181161811718118181191812018121181221812318124181251812618127181281812918130181311813218133181341813518136181371813818139181401814118142181431814418145181461814718148181491815018151181521815318154181551815618157181581815918160181611816218163181641816518166181671816818169181701817118172181731817418175181761817718178181791818018181181821818318184181851818618187181881818918190181911819218193181941819518196181971819818199182001820118202182031820418205182061820718208182091821018211182121821318214182151821618217182181821918220182211
82221822318224182251822618227182281822918230182311823218233182341823518236182371823818239182401824118242182431824418245182461824718248182491825018251182521825318254182551825618257182581825918260182611826218263182641826518266182671826818269182701827118272182731827418275182761827718278182791828018281182821828318284182851828618287182881828918290182911829218293182941829518296182971829818299183001830118302183031830418305183061830718308183091831018311183121831318314183151831618317183181831918320183211832218323183241832518326183271832818329183301833118332183331833418335183361833718338183391834018341183421834318344183451834618347183481834918350183511835218353183541835518356183571835818359183601836118362183631836418365183661836718368183691837018371183721837318374183751837618377183781837918380183811838218383183841838518386183871838818389183901839118392183931839418395183961839718398183991840018401184021840318404184051840618407184081840918410184111841218413184141841518416184171841818419184201842118422184231842418425184261842718428184291843018431184321843318434184351843618437184381843918440184411844218443184441844518446184471844818449184501845118452184531845418455184561845718458184591846018461184621846318464184651846618467184681846918470184711847218473184741847518476184771847818479184801848118482184831848418485184861848718488184891849018491184921849318494184951849618497184981849918500185011850218503185041850518506185071850818509185101851118512185131851418515185161851718518185191852018521185221852318524185251852618527185281852918530185311853218533185341853518536185371853818539185401854118542185431854418545185461854718548185491855018551185521855318554185551855618557185581855918560185611856218563185641856518566185671856818569185701857118572185731857418575185761857718578185791858018581185821858318584185851858618587185881858918590185911859218593185941859518596185971859818599186001860118602186031860418605186061860718608186091861018611186121861318614186151861618617186181861918620186211
86221862318624186251862618627186281862918630186311863218633186341863518636186371863818639186401864118642186431864418645186461864718648186491865018651186521865318654186551865618657186581865918660186611866218663186641866518666186671866818669186701867118672186731867418675186761867718678186791868018681186821868318684186851868618687186881868918690186911869218693186941869518696186971869818699187001870118702187031870418705187061870718708187091871018711187121871318714187151871618717187181871918720187211872218723187241872518726187271872818729187301873118732187331873418735187361873718738187391874018741187421874318744187451874618747187481874918750187511875218753187541875518756187571875818759187601876118762187631876418765187661876718768187691877018771187721877318774187751877618777187781877918780187811878218783187841878518786187871878818789187901879118792187931879418795187961879718798187991880018801188021880318804188051880618807188081880918810188111881218813188141881518816188171881818819188201882118822188231882418825188261882718828188291883018831188321883318834188351883618837188381883918840188411884218843188441884518846188471884818849188501885118852188531885418855188561885718858188591886018861188621886318864188651886618867188681886918870188711887218873188741887518876188771887818879188801888118882188831888418885188861888718888188891889018891188921889318894188951889618897188981889918900189011890218903189041890518906189071890818909189101891118912189131891418915189161891718918189191892018921189221892318924189251892618927189281892918930189311893218933189341893518936189371893818939189401894118942189431894418945189461894718948189491895018951189521895318954189551895618957189581895918960189611896218963189641896518966189671896818969189701897118972189731897418975189761897718978189791898018981189821898318984189851898618987189881898918990189911899218993189941899518996189971899818999190001900119002190031900419005190061900719008190091901019011190121901319014190151901619017190181901919020190211
90221902319024190251902619027190281902919030190311903219033190341903519036190371903819039190401904119042190431904419045190461904719048190491905019051190521905319054190551905619057190581905919060190611906219063190641906519066190671906819069190701907119072190731907419075190761907719078190791908019081190821908319084190851908619087190881908919090190911909219093190941909519096190971909819099191001910119102191031910419105191061910719108191091911019111191121911319114191151911619117191181911919120191211912219123191241912519126191271912819129191301913119132191331913419135191361913719138191391914019141191421914319144191451914619147191481914919150191511915219153191541915519156191571915819159191601916119162191631916419165191661916719168191691917019171191721917319174191751917619177191781917919180191811918219183191841918519186191871918819189191901919119192191931919419195191961919719198191991920019201192021920319204192051920619207192081920919210192111921219213192141921519216192171921819219192201922119222192231922419225192261922719228192291923019231192321923319234192351923619237192381923919240192411924219243192441924519246192471924819249192501925119252192531925419255192561925719258192591926019261192621926319264192651926619267192681926919270192711927219273192741927519276192771927819279192801928119282192831928419285192861928719288192891929019291192921929319294192951929619297192981929919300193011930219303193041930519306193071930819309193101931119312193131931419315193161931719318193191932019321193221932319324193251932619327193281932919330193311933219333193341933519336193371933819339193401934119342193431934419345193461934719348193491935019351193521935319354193551935619357193581935919360193611936219363193641936519366193671936819369193701937119372193731937419375193761937719378193791938019381193821938319384193851938619387193881938919390193911939219393193941939519396193971939819399194001940119402194031940419405194061940719408194091941019411194121941319414194151941619417194181941919420194211
94221942319424194251942619427194281942919430194311943219433194341943519436194371943819439194401944119442194431944419445194461944719448194491945019451194521945319454194551945619457194581945919460194611946219463194641946519466194671946819469194701947119472194731947419475194761947719478194791948019481194821948319484194851948619487194881948919490194911949219493194941949519496194971949819499195001950119502195031950419505195061950719508195091951019511195121951319514195151951619517195181951919520195211952219523195241952519526195271952819529195301953119532195331953419535195361953719538195391954019541195421954319544195451954619547195481954919550195511955219553195541955519556195571955819559195601956119562195631956419565195661956719568195691957019571195721957319574195751957619577195781957919580195811958219583195841958519586195871958819589195901959119592195931959419595195961959719598195991960019601196021960319604196051960619607196081960919610196111961219613196141961519616196171961819619196201962119622196231962419625196261962719628196291963019631196321963319634196351963619637196381963919640196411964219643196441964519646196471964819649196501965119652196531965419655196561965719658196591966019661196621966319664196651966619667196681966919670196711967219673196741967519676196771967819679196801968119682196831968419685196861968719688196891969019691196921969319694196951969619697196981969919700197011970219703197041970519706197071970819709197101971119712197131971419715197161971719718197191972019721197221972319724197251972619727197281972919730197311973219733197341973519736197371973819739197401974119742197431974419745197461974719748197491975019751197521975319754197551975619757197581975919760197611976219763197641976519766197671976819769197701977119772197731977419775197761977719778197791978019781197821978319784197851978619787197881978919790197911979219793197941979519796197971979819799198001980119802198031980419805198061980719808198091981019811198121981319814198151981619817198181981919820198211
98221982319824198251982619827198281982919830198311983219833198341983519836198371983819839198401984119842198431984419845198461984719848198491985019851198521985319854198551985619857198581985919860198611986219863198641986519866198671986819869198701987119872198731987419875198761987719878198791988019881198821988319884198851988619887198881988919890198911989219893198941989519896198971989819899199001990119902199031990419905199061990719908199091991019911199121991319914199151991619917199181991919920199211992219923199241992519926199271992819929199301993119932199331993419935199361993719938199391994019941199421994319944199451994619947199481994919950199511995219953199541995519956199571995819959199601996119962199631996419965199661996719968199691997019971199721997319974199751997619977199781997919980199811998219983199841998519986199871998819989199901999119992199931999419995199961999719998199992000020001200022000320004200052000620007200082000920010200112001220013200142001520016200172001820019200202002120022200232002420025200262002720028200292003020031200322003320034200352003620037200382003920040200412004220043200442004520046200472004820049200502005120052200532005420055200562005720058200592006020061200622006320064200652006620067200682006920070200712007220073200742007520076200772007820079200802008120082200832008420085200862008720088200892009020091200922009320094200952009620097200982009920100201012010220103201042010520106201072010820109201102011120112201132011420115201162011720118201192012020121201222012320124201252012620127201282012920130201312013220133201342013520136201372013820139201402014120142201432014420145201462014720148201492015020151201522015320154201552015620157201582015920160201612016220163201642016520166201672016820169201702017120172201732017420175201762017720178201792018020181201822018320184201852018620187201882018920190201912019220193201942019520196201972019820199202002020120202202032020420205202062020720208202092021020211202122021320214202152021620217202182021920220202212
02222022320224202252022620227202282022920230202312023220233202342023520236202372023820239202402024120242202432024420245202462024720248202492025020251202522025320254202552025620257202582025920260202612026220263202642026520266202672026820269202702027120272202732027420275202762027720278202792028020281202822028320284202852028620287202882028920290202912029220293202942029520296202972029820299203002030120302203032030420305203062030720308203092031020311203122031320314203152031620317203182031920320203212032220323203242032520326203272032820329203302033120332203332033420335203362033720338203392034020341203422034320344203452034620347203482034920350203512035220353203542035520356203572035820359203602036120362203632036420365203662036720368203692037020371203722037320374203752037620377203782037920380203812038220383203842038520386203872038820389203902039120392203932039420395203962039720398203992040020401204022040320404204052040620407204082040920410204112041220413204142041520416204172041820419204202042120422204232042420425204262042720428204292043020431204322043320434204352043620437204382043920440204412044220443204442044520446204472044820449204502045120452204532045420455204562045720458204592046020461204622046320464204652046620467204682046920470204712047220473204742047520476204772047820479204802048120482204832048420485204862048720488204892049020491204922049320494204952049620497204982049920500205012050220503205042050520506205072050820509205102051120512205132051420515205162051720518205192052020521205222052320524205252052620527205282052920530205312053220533205342053520536205372053820539205402054120542205432054420545205462054720548205492055020551205522055320554205552055620557205582055920560205612056220563205642056520566205672056820569205702057120572205732057420575205762057720578205792058020581205822058320584205852058620587205882058920590205912059220593205942059520596205972059820599206002060120602206032060420605206062060720608206092061020611206122061320614206152061620617206182061920620206212
06222062320624206252062620627206282062920630206312063220633206342063520636206372063820639206402064120642206432064420645206462064720648206492065020651206522065320654206552065620657206582065920660206612066220663206642066520666206672066820669206702067120672206732067420675206762067720678206792068020681206822068320684206852068620687206882068920690206912069220693206942069520696206972069820699207002070120702207032070420705207062070720708207092071020711207122071320714207152071620717207182071920720207212072220723207242072520726207272072820729207302073120732207332073420735207362073720738207392074020741207422074320744207452074620747207482074920750207512075220753207542075520756207572075820759207602076120762207632076420765207662076720768207692077020771207722077320774207752077620777207782077920780207812078220783207842078520786207872078820789207902079120792207932079420795207962079720798207992080020801208022080320804208052080620807208082080920810208112081220813208142081520816208172081820819208202082120822208232082420825208262082720828208292083020831208322083320834208352083620837208382083920840208412084220843208442084520846208472084820849208502085120852208532085420855208562085720858208592086020861208622086320864208652086620867208682086920870208712087220873208742087520876208772087820879208802088120882208832088420885208862088720888208892089020891208922089320894208952089620897208982089920900209012090220903209042090520906209072090820909209102091120912209132091420915209162091720918209192092020921209222092320924209252092620927209282092920930209312093220933209342093520936209372093820939209402094120942209432094420945209462094720948209492095020951209522095320954209552095620957209582095920960209612096220963209642096520966209672096820969209702097120972209732097420975209762097720978209792098020981209822098320984209852098620987209882098920990209912099220993209942099520996209972099820999210002100121002210032100421005210062100721008210092101021011210122101321014210152101621017210182101921020210212
10222102321024210252102621027210282102921030210312103221033210342103521036210372103821039210402104121042210432104421045210462104721048210492105021051210522105321054210552105621057210582105921060210612106221063210642106521066210672106821069210702107121072210732107421075210762107721078210792108021081210822108321084210852108621087210882108921090210912109221093210942109521096210972109821099211002110121102211032110421105211062110721108211092111021111211122111321114211152111621117211182111921120211212112221123211242112521126211272112821129211302113121132211332113421135211362113721138211392114021141211422114321144211452114621147211482114921150211512115221153211542115521156211572115821159211602116121162211632116421165211662116721168211692117021171211722117321174211752117621177211782117921180211812118221183211842118521186211872118821189211902119121192211932119421195211962119721198211992120021201212022120321204212052120621207212082120921210212112121221213212142121521216212172121821219212202122121222212232122421225212262122721228212292123021231212322123321234212352123621237212382123921240212412124221243212442124521246212472124821249212502125121252212532125421255212562125721258212592126021261212622126321264212652126621267212682126921270212712127221273212742127521276212772127821279212802128121282212832128421285212862128721288212892129021291212922129321294212952129621297212982129921300213012130221303213042130521306213072130821309213102131121312213132131421315213162131721318213192132021321213222132321324213252132621327213282132921330213312133221333213342133521336213372133821339213402134121342213432134421345213462134721348213492135021351213522135321354213552135621357213582135921360213612136221363213642136521366213672136821369213702137121372213732137421375213762137721378213792138021381213822138321384213852138621387213882138921390213912139221393213942139521396213972139821399214002140121402214032140421405214062140721408214092141021411214122141321414214152141621417214182141921420214212
14222142321424214252142621427214282142921430214312143221433214342143521436214372143821439214402144121442214432144421445214462144721448214492145021451214522145321454214552145621457214582145921460214612146221463214642146521466214672146821469214702147121472214732147421475214762147721478214792148021481214822148321484214852148621487214882148921490214912149221493214942149521496214972149821499215002150121502215032150421505215062150721508215092151021511215122151321514215152151621517215182151921520215212152221523215242152521526215272152821529215302153121532215332153421535215362153721538215392154021541215422154321544215452154621547215482154921550215512155221553215542155521556215572155821559215602156121562215632156421565215662156721568215692157021571215722157321574215752157621577215782157921580215812158221583215842158521586215872158821589215902159121592215932159421595215962159721598215992160021601216022160321604216052160621607216082160921610216112161221613216142161521616216172161821619216202162121622216232162421625216262162721628216292163021631216322163321634216352163621637216382163921640216412164221643216442164521646216472164821649216502165121652216532165421655216562165721658216592166021661216622166321664216652166621667216682166921670216712167221673216742167521676216772167821679216802168121682216832168421685216862168721688216892169021691216922169321694216952169621697216982169921700217012170221703217042170521706217072170821709217102171121712217132171421715217162171721718217192172021721217222172321724217252172621727217282172921730217312173221733217342173521736217372173821739217402174121742217432174421745217462174721748217492175021751217522175321754217552175621757217582175921760217612176221763217642176521766217672176821769217702177121772217732177421775217762177721778217792178021781217822178321784217852178621787217882178921790217912179221793217942179521796217972179821799218002180121802218032180421805218062180721808218092181021811218122181321814218152181621817218182181921820218212
18222182321824218252182621827218282182921830218312183221833218342183521836218372183821839218402184121842218432184421845218462184721848218492185021851218522185321854218552185621857218582185921860218612186221863218642186521866218672186821869218702187121872218732187421875218762187721878218792188021881218822188321884218852188621887218882188921890218912189221893218942189521896218972189821899219002190121902219032190421905219062190721908219092191021911219122191321914219152191621917219182191921920219212192221923219242192521926219272192821929219302193121932219332193421935219362193721938219392194021941219422194321944219452194621947219482194921950219512195221953219542195521956219572195821959219602196121962219632196421965219662196721968219692197021971219722197321974219752197621977219782197921980219812198221983219842198521986219872198821989219902199121992219932199421995219962199721998219992200022001220022200322004220052200622007220082200922010220112201222013220142201522016220172201822019220202202122022220232202422025220262202722028220292203022031220322203322034220352203622037220382203922040220412204222043220442204522046220472204822049220502205122052220532205422055220562205722058220592206022061220622206322064220652206622067220682206922070220712207222073220742207522076220772207822079220802208122082220832208422085220862208722088220892209022091220922209322094220952209622097220982209922100221012210222103221042210522106221072210822109221102211122112221132211422115221162211722118221192212022121221222212322124221252212622127221282212922130221312213222133221342213522136221372213822139221402214122142221432214422145221462214722148221492215022151221522215322154221552215622157221582215922160221612216222163221642216522166221672216822169221702217122172221732217422175221762217722178221792218022181221822218322184221852218622187221882218922190221912219222193221942219522196221972219822199222002220122202222032220422205222062220722208222092221022211222122221322214222152221622217222182221922220222212
22222222322224222252222622227222282222922230222312223222233222342223522236222372223822239222402224122242222432224422245222462224722248222492225022251222522225322254222552225622257222582225922260222612226222263222642226522266222672226822269222702227122272222732227422275222762227722278222792228022281222822228322284222852228622287222882228922290222912229222293222942229522296222972229822299223002230122302223032230422305223062230722308223092231022311223122231322314223152231622317223182231922320223212232222323223242232522326223272232822329223302233122332223332233422335223362233722338223392234022341223422234322344223452234622347223482234922350223512235222353223542235522356223572235822359223602236122362223632236422365223662236722368223692237022371223722237322374223752237622377223782237922380223812238222383223842238522386223872238822389223902239122392223932239422395223962239722398223992240022401224022240322404224052240622407224082240922410224112241222413224142241522416224172241822419224202242122422224232242422425224262242722428224292243022431224322243322434224352243622437224382243922440224412244222443224442244522446224472244822449224502245122452224532245422455224562245722458224592246022461224622246322464224652246622467224682246922470224712247222473224742247522476224772247822479224802248122482224832248422485224862248722488224892249022491224922249322494224952249622497224982249922500225012250222503225042250522506225072250822509225102251122512225132251422515225162251722518225192252022521225222252322524225252252622527225282252922530225312253222533225342253522536225372253822539225402254122542225432254422545225462254722548225492255022551225522255322554225552255622557225582255922560225612256222563225642256522566225672256822569225702257122572225732257422575225762257722578225792258022581225822258322584225852258622587225882258922590225912259222593225942259522596225972259822599226002260122602226032260422605226062260722608226092261022611226122261322614226152261622617226182261922620226212
26222262322624226252262622627226282262922630226312263222633226342263522636226372263822639226402264122642226432264422645226462264722648226492265022651226522265322654226552265622657226582265922660226612266222663226642266522666226672266822669226702267122672226732267422675226762267722678226792268022681226822268322684226852268622687226882268922690226912269222693226942269522696226972269822699227002270122702227032270422705227062270722708227092271022711227122271322714227152271622717227182271922720227212272222723227242272522726227272272822729227302273122732227332273422735227362273722738227392274022741227422274322744227452274622747227482274922750227512275222753227542275522756227572275822759227602276122762227632276422765227662276722768227692277022771227722277322774227752277622777227782277922780227812278222783227842278522786227872278822789227902279122792227932279422795227962279722798227992280022801228022280322804228052280622807228082280922810228112281222813228142281522816228172281822819228202282122822228232282422825228262282722828228292283022831228322283322834228352283622837228382283922840228412284222843228442284522846228472284822849228502285122852228532285422855228562285722858228592286022861228622286322864228652286622867228682286922870228712287222873228742287522876228772287822879228802288122882228832288422885228862288722888228892289022891228922289322894228952289622897228982289922900229012290222903229042290522906229072290822909229102291122912229132291422915229162291722918229192292022921229222292322924229252292622927229282292922930229312293222933229342293522936229372293822939229402294122942229432294422945229462294722948229492295022951229522295322954229552295622957229582295922960229612296222963229642296522966229672296822969229702297122972229732297422975229762297722978229792298022981229822298322984229852298622987229882298922990229912299222993229942299522996229972299822999230002300123002230032300423005230062300723008230092301023011230122301323014230152301623017230182301923020230212
30222302323024230252302623027230282302923030230312303223033230342303523036230372303823039230402304123042230432304423045230462304723048230492305023051230522305323054230552305623057230582305923060230612306223063230642306523066230672306823069230702307123072230732307423075230762307723078230792308023081230822308323084230852308623087230882308923090230912309223093230942309523096230972309823099231002310123102231032310423105231062310723108231092311023111231122311323114231152311623117231182311923120231212312223123231242312523126231272312823129231302313123132231332313423135231362313723138231392314023141231422314323144231452314623147231482314923150231512315223153231542315523156231572315823159231602316123162231632316423165231662316723168231692317023171231722317323174231752317623177231782317923180231812318223183231842318523186231872318823189231902319123192231932319423195231962319723198231992320023201232022320323204232052320623207232082320923210232112321223213232142321523216232172321823219232202322123222232232322423225232262322723228232292323023231232322323323234232352323623237232382323923240232412324223243232442324523246232472324823249232502325123252232532325423255232562325723258232592326023261232622326323264232652326623267232682326923270232712327223273232742327523276232772327823279232802328123282232832328423285232862328723288232892329023291232922329323294232952329623297232982329923300233012330223303233042330523306233072330823309233102331123312233132331423315233162331723318233192332023321233222332323324233252332623327233282332923330233312333223333233342333523336233372333823339233402334123342233432334423345233462334723348233492335023351233522335323354233552335623357233582335923360233612336223363233642336523366233672336823369233702337123372233732337423375233762337723378233792338023381233822338323384233852338623387233882338923390233912339223393233942339523396233972339823399234002340123402234032340423405234062340723408234092341023411234122341323414234152341623417234182341923420234212
34222342323424234252342623427234282342923430234312343223433234342343523436234372343823439234402344123442234432344423445234462344723448234492345023451234522345323454234552345623457234582345923460234612346223463234642346523466234672346823469234702347123472234732347423475234762347723478234792348023481234822348323484234852348623487234882348923490234912349223493234942349523496234972349823499235002350123502235032350423505235062350723508235092351023511235122351323514235152351623517235182351923520235212352223523235242352523526235272352823529235302353123532235332353423535235362353723538235392354023541235422354323544235452354623547235482354923550235512355223553235542355523556235572355823559235602356123562235632356423565235662356723568235692357023571235722357323574235752357623577235782357923580235812358223583235842358523586235872358823589235902359123592235932359423595235962359723598235992360023601236022360323604236052360623607236082360923610236112361223613236142361523616236172361823619236202362123622236232362423625236262362723628236292363023631236322363323634236352363623637236382363923640236412364223643236442364523646236472364823649236502365123652236532365423655236562365723658236592366023661236622366323664236652366623667236682366923670236712367223673236742367523676236772367823679236802368123682236832368423685236862368723688236892369023691236922369323694236952369623697236982369923700237012370223703237042370523706237072370823709237102371123712237132371423715237162371723718237192372023721237222372323724237252372623727237282372923730237312373223733237342373523736237372373823739237402374123742237432374423745237462374723748237492375023751237522375323754237552375623757237582375923760237612376223763237642376523766237672376823769237702377123772237732377423775237762377723778237792378023781237822378323784237852378623787237882378923790237912379223793237942379523796237972379823799238002380123802238032380423805238062380723808238092381023811238122381323814238152381623817238182381923820238212
38222382323824238252382623827238282382923830238312383223833238342383523836238372383823839238402384123842238432384423845238462384723848238492385023851238522385323854238552385623857238582385923860238612386223863238642386523866238672386823869238702387123872238732387423875238762387723878238792388023881238822388323884238852388623887238882388923890238912389223893238942389523896238972389823899239002390123902239032390423905239062390723908239092391023911239122391323914239152391623917239182391923920239212392223923239242392523926239272392823929239302393123932239332393423935239362393723938239392394023941239422394323944239452394623947239482394923950239512395223953239542395523956239572395823959239602396123962239632396423965239662396723968239692397023971239722397323974239752397623977239782397923980239812398223983239842398523986239872398823989239902399123992239932399423995239962399723998239992400024001240022400324004240052400624007240082400924010240112401224013240142401524016240172401824019240202402124022240232402424025240262402724028240292403024031240322403324034240352403624037240382403924040240412404224043240442404524046240472404824049240502405124052240532405424055240562405724058240592406024061240622406324064240652406624067240682406924070240712407224073240742407524076240772407824079240802408124082240832408424085240862408724088240892409024091240922409324094240952409624097240982409924100241012410224103241042410524106241072410824109241102411124112241132411424115241162411724118241192412024121241222412324124241252412624127241282412924130241312413224133241342413524136241372413824139241402414124142241432414424145241462414724148241492415024151241522415324154241552415624157241582415924160241612416224163241642416524166241672416824169241702417124172241732417424175241762417724178241792418024181241822418324184241852418624187241882418924190241912419224193241942419524196241972419824199242002420124202242032420424205242062420724208242092421024211242122421324214242152421624217242182421924220242212
42222422324224242252422624227242282422924230242312423224233242342423524236242372423824239242402424124242242432424424245242462424724248242492425024251242522425324254242552425624257242582425924260242612426224263242642426524266242672426824269242702427124272242732427424275242762427724278242792428024281242822428324284242852428624287242882428924290242912429224293242942429524296242972429824299243002430124302243032430424305243062430724308243092431024311243122431324314243152431624317243182431924320243212432224323243242432524326243272432824329243302433124332243332433424335243362433724338243392434024341243422434324344243452434624347243482434924350243512435224353243542435524356243572435824359243602436124362243632436424365243662436724368243692437024371243722437324374243752437624377243782437924380243812438224383243842438524386243872438824389243902439124392243932439424395243962439724398243992440024401244022440324404244052440624407244082440924410244112441224413244142441524416244172441824419244202442124422244232442424425244262442724428244292443024431244322443324434244352443624437244382443924440244412444224443244442444524446244472444824449244502445124452244532445424455244562445724458244592446024461244622446324464244652446624467244682446924470244712447224473244742447524476244772447824479244802448124482244832448424485244862448724488244892449024491244922449324494244952449624497244982449924500245012450224503245042450524506245072450824509245102451124512245132451424515245162451724518245192452024521245222452324524245252452624527245282452924530245312453224533245342453524536245372453824539245402454124542245432454424545245462454724548245492455024551245522455324554245552455624557245582455924560245612456224563245642456524566245672456824569245702457124572245732457424575245762457724578245792458024581245822458324584245852458624587245882458924590245912459224593245942459524596245972459824599246002460124602246032460424605246062460724608246092461024611246122461324614246152461624617246182461924620246212
46222462324624246252462624627246282462924630246312463224633246342463524636246372463824639246402464124642246432464424645246462464724648246492465024651246522465324654246552465624657246582465924660246612466224663246642466524666246672466824669246702467124672246732467424675246762467724678246792468024681246822468324684246852468624687246882468924690246912469224693246942469524696246972469824699247002470124702247032470424705247062470724708247092471024711247122471324714247152471624717247182471924720247212472224723247242472524726247272472824729247302473124732247332473424735247362473724738247392474024741247422474324744247452474624747247482474924750247512475224753247542475524756247572475824759247602476124762247632476424765247662476724768247692477024771247722477324774247752477624777247782477924780247812478224783247842478524786247872478824789247902479124792247932479424795247962479724798247992480024801248022480324804248052480624807248082480924810248112481224813248142481524816248172481824819248202482124822248232482424825248262482724828248292483024831248322483324834248352483624837248382483924840248412484224843248442484524846248472484824849248502485124852248532485424855248562485724858248592486024861248622486324864248652486624867248682486924870248712487224873248742487524876248772487824879248802488124882248832488424885248862488724888248892489024891248922489324894248952489624897248982489924900249012490224903249042490524906249072490824909249102491124912249132491424915249162491724918249192492024921249222492324924249252492624927249282492924930249312493224933249342493524936249372493824939249402494124942249432494424945249462494724948249492495024951249522495324954249552495624957249582495924960249612496224963249642496524966249672496824969249702497124972249732497424975249762497724978249792498024981249822498324984249852498624987249882498924990249912499224993249942499524996249972499824999250002500125002250032500425005250062500725008250092501025011250122501325014250152501625017250182501925020250212
50222502325024250252502625027250282502925030250312503225033250342503525036250372503825039250402504125042250432504425045250462504725048250492505025051250522505325054250552505625057250582505925060250612506225063250642506525066250672506825069250702507125072250732507425075250762507725078250792508025081250822508325084250852508625087250882508925090250912509225093250942509525096250972509825099251002510125102251032510425105251062510725108251092511025111251122511325114251152511625117251182511925120251212512225123251242512525126251272512825129251302513125132251332513425135251362513725138251392514025141251422514325144251452514625147251482514925150251512515225153251542515525156251572515825159251602516125162251632516425165251662516725168251692517025171251722517325174251752517625177251782517925180251812518225183251842518525186251872518825189251902519125192251932519425195251962519725198251992520025201252022520325204252052520625207252082520925210252112521225213252142521525216252172521825219252202522125222252232522425225252262522725228252292523025231252322523325234252352523625237252382523925240252412524225243252442524525246252472524825249252502525125252252532525425255252562525725258252592526025261252622526325264252652526625267252682526925270252712527225273252742527525276252772527825279252802528125282252832528425285252862528725288252892529025291252922529325294252952529625297252982529925300253012530225303253042530525306253072530825309253102531125312253132531425315253162531725318253192532025321253222532325324253252532625327253282532925330253312533225333253342533525336253372533825339253402534125342253432534425345253462534725348253492535025351253522535325354253552535625357253582535925360253612536225363253642536525366253672536825369253702537125372253732537425375253762537725378253792538025381253822538325384253852538625387253882538925390253912539225393253942539525396253972539825399254002540125402254032540425405254062540725408254092541025411254122541325414254152541625417254182541925420254212
54222542325424254252542625427254282542925430254312543225433254342543525436254372543825439254402544125442254432544425445254462544725448254492545025451254522545325454254552545625457254582545925460254612546225463254642546525466254672546825469254702547125472254732547425475254762547725478254792548025481254822548325484254852548625487254882548925490254912549225493254942549525496254972549825499255002550125502255032550425505255062550725508255092551025511255122551325514255152551625517255182551925520255212552225523255242552525526255272552825529255302553125532255332553425535255362553725538255392554025541255422554325544255452554625547255482554925550255512555225553255542555525556255572555825559255602556125562255632556425565255662556725568255692557025571255722557325574255752557625577255782557925580255812558225583255842558525586255872558825589255902559125592255932559425595255962559725598255992560025601256022560325604256052560625607256082560925610256112561225613256142561525616256172561825619256202562125622256232562425625256262562725628256292563025631256322563325634256352563625637256382563925640256412564225643256442564525646256472564825649256502565125652256532565425655256562565725658256592566025661256622566325664256652566625667256682566925670256712567225673256742567525676256772567825679256802568125682256832568425685256862568725688256892569025691256922569325694256952569625697256982569925700257012570225703257042570525706257072570825709257102571125712257132571425715257162571725718257192572025721257222572325724257252572625727257282572925730257312573225733257342573525736257372573825739257402574125742257432574425745257462574725748257492575025751257522575325754257552575625757257582575925760257612576225763257642576525766257672576825769257702577125772257732577425775257762577725778257792578025781257822578325784257852578625787257882578925790257912579225793257942579525796257972579825799258002580125802258032580425805258062580725808258092581025811258122581325814258152581625817258182581925820258212
58222582325824258252582625827258282582925830258312583225833258342583525836258372583825839258402584125842258432584425845258462584725848258492585025851258522585325854258552585625857258582585925860258612586225863258642586525866258672586825869258702587125872258732587425875258762587725878258792588025881258822588325884258852588625887258882588925890258912589225893258942589525896258972589825899259002590125902259032590425905259062590725908259092591025911259122591325914259152591625917259182591925920259212592225923259242592525926259272592825929259302593125932259332593425935259362593725938259392594025941259422594325944259452594625947259482594925950259512595225953259542595525956259572595825959259602596125962259632596425965259662596725968259692597025971259722597325974259752597625977259782597925980259812598225983259842598525986259872598825989259902599125992259932599425995259962599725998259992600026001260022600326004260052600626007260082600926010260112601226013260142601526016260172601826019260202602126022260232602426025260262602726028260292603026031260322603326034260352603626037260382603926040260412604226043260442604526046260472604826049260502605126052260532605426055260562605726058260592606026061260622606326064260652606626067260682606926070260712607226073260742607526076260772607826079260802608126082260832608426085260862608726088260892609026091260922609326094260952609626097260982609926100261012610226103261042610526106261072610826109261102611126112261132611426115261162611726118261192612026121261222612326124261252612626127261282612926130261312613226133261342613526136261372613826139261402614126142261432614426145261462614726148261492615026151261522615326154261552615626157261582615926160261612616226163261642616526166261672616826169261702617126172261732617426175261762617726178261792618026181261822618326184261852618626187261882618926190261912619226193261942619526196261972619826199262002620126202262032620426205262062620726208262092621026211262122621326214262152621626217262182621926220262212
62222622326224262252622626227262282622926230262312623226233262342623526236262372623826239262402624126242262432624426245262462624726248262492625026251262522625326254262552625626257262582625926260262612626226263262642626526266262672626826269262702627126272262732627426275262762627726278262792628026281262822628326284262852628626287262882628926290262912629226293262942629526296262972629826299263002630126302263032630426305263062630726308263092631026311263122631326314263152631626317263182631926320263212632226323263242632526326263272632826329263302633126332263332633426335263362633726338263392634026341263422634326344263452634626347263482634926350263512635226353263542635526356263572635826359263602636126362263632636426365263662636726368263692637026371263722637326374263752637626377263782637926380263812638226383263842638526386263872638826389263902639126392263932639426395263962639726398263992640026401264022640326404264052640626407264082640926410264112641226413264142641526416264172641826419264202642126422264232642426425264262642726428264292643026431264322643326434264352643626437264382643926440264412644226443264442644526446264472644826449264502645126452264532645426455264562645726458264592646026461264622646326464264652646626467264682646926470264712647226473264742647526476264772647826479264802648126482264832648426485264862648726488264892649026491264922649326494264952649626497264982649926500265012650226503265042650526506265072650826509265102651126512265132651426515265162651726518265192652026521265222652326524265252652626527265282652926530265312653226533265342653526536265372653826539265402654126542265432654426545265462654726548265492655026551265522655326554265552655626557265582655926560265612656226563265642656526566265672656826569265702657126572265732657426575265762657726578265792658026581265822658326584265852658626587265882658926590265912659226593265942659526596265972659826599266002660126602266032660426605266062660726608266092661026611266122661326614266152661626617266182661926620266212
66222662326624266252662626627266282662926630266312663226633266342663526636266372663826639266402664126642266432664426645266462664726648266492665026651266522665326654266552665626657266582665926660266612666226663266642666526666266672666826669266702667126672266732667426675266762667726678266792668026681266822668326684266852668626687266882668926690266912669226693266942669526696266972669826699267002670126702267032670426705267062670726708267092671026711267122671326714267152671626717267182671926720267212672226723267242672526726267272672826729267302673126732267332673426735267362673726738267392674026741267422674326744267452674626747267482674926750267512675226753267542675526756267572675826759267602676126762267632676426765267662676726768267692677026771267722677326774267752677626777267782677926780267812678226783267842678526786267872678826789267902679126792267932679426795267962679726798267992680026801268022680326804268052680626807268082680926810268112681226813268142681526816268172681826819268202682126822268232682426825268262682726828268292683026831268322683326834268352683626837268382683926840268412684226843268442684526846268472684826849268502685126852268532685426855268562685726858268592686026861268622686326864268652686626867268682686926870268712687226873268742687526876268772687826879268802688126882268832688426885268862688726888268892689026891268922689326894268952689626897268982689926900269012690226903269042690526906269072690826909269102691126912269132691426915269162691726918269192692026921269222692326924269252692626927269282692926930269312693226933269342693526936269372693826939269402694126942269432694426945269462694726948269492695026951269522695326954269552695626957269582695926960269612696226963269642696526966269672696826969269702697126972269732697426975269762697726978269792698026981269822698326984269852698626987269882698926990269912699226993269942699526996269972699826999270002700127002270032700427005270062700727008270092701027011270122701327014270152701627017270182701927020270212
70222702327024270252702627027270282702927030270312703227033270342703527036270372703827039270402704127042270432704427045270462704727048270492705027051270522705327054270552705627057270582705927060270612706227063270642706527066270672706827069270702707127072270732707427075270762707727078270792708027081270822708327084270852708627087270882708927090270912709227093270942709527096270972709827099271002710127102271032710427105271062710727108271092711027111271122711327114271152711627117271182711927120271212712227123271242712527126271272712827129271302713127132271332713427135271362713727138271392714027141271422714327144271452714627147271482714927150271512715227153271542715527156271572715827159271602716127162271632716427165271662716727168271692717027171271722717327174271752717627177271782717927180271812718227183271842718527186271872718827189271902719127192271932719427195271962719727198271992720027201272022720327204272052720627207272082720927210272112721227213272142721527216272172721827219272202722127222272232722427225272262722727228272292723027231272322723327234272352723627237272382723927240272412724227243272442724527246272472724827249272502725127252272532725427255272562725727258272592726027261272622726327264272652726627267272682726927270272712727227273272742727527276272772727827279272802728127282272832728427285272862728727288272892729027291272922729327294272952729627297272982729927300273012730227303273042730527306273072730827309273102731127312273132731427315273162731727318273192732027321273222732327324273252732627327273282732927330273312733227333273342733527336273372733827339273402734127342273432734427345273462734727348273492735027351273522735327354273552735627357273582735927360273612736227363273642736527366273672736827369273702737127372273732737427375273762737727378273792738027381273822738327384273852738627387273882738927390273912739227393273942739527396273972739827399274002740127402274032740427405274062740727408274092741027411274122741327414274152741627417274182741927420274212
  1. apiVersion: apiextensions.k8s.io/v1
  2. kind: CustomResourceDefinition
  3. metadata:
  4. annotations:
  5. controller-gen.kubebuilder.io/version: v0.19.0
  6. labels:
  7. external-secrets.io/component: controller
  8. name: clusterexternalsecrets.external-secrets.io
  9. spec:
  10. group: external-secrets.io
  11. names:
  12. categories:
  13. - external-secrets
  14. kind: ClusterExternalSecret
  15. listKind: ClusterExternalSecretList
  16. plural: clusterexternalsecrets
  17. shortNames:
  18. - ces
  19. singular: clusterexternalsecret
  20. scope: Cluster
  21. versions:
  22. - additionalPrinterColumns:
  23. - jsonPath: .spec.externalSecretSpec.secretStoreRef.name
  24. name: Store
  25. type: string
  26. - jsonPath: .spec.refreshTime
  27. name: Refresh Interval
  28. type: string
  29. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  30. name: Ready
  31. type: string
  32. name: v1
  33. schema:
  34. openAPIV3Schema:
  35. description: ClusterExternalSecret is the Schema for the clusterexternalsecrets API.
  36. properties:
  37. apiVersion:
  38. description: |-
  39. APIVersion defines the versioned schema of this representation of an object.
  40. Servers should convert recognized schemas to the latest internal value, and
  41. may reject unrecognized values.
  42. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  43. type: string
  44. kind:
  45. description: |-
  46. Kind is a string value representing the REST resource this object represents.
  47. Servers may infer this from the endpoint the client submits requests to.
  48. Cannot be updated.
  49. In CamelCase.
  50. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  51. type: string
  52. metadata:
  53. type: object
  54. spec:
  55. description: ClusterExternalSecretSpec defines the desired state of ClusterExternalSecret.
  56. properties:
  57. externalSecretMetadata:
  58. description: The metadata of the external secrets to be created
  59. properties:
  60. annotations:
  61. additionalProperties:
  62. type: string
  63. type: object
  64. labels:
  65. additionalProperties:
  66. type: string
  67. type: object
  68. type: object
  69. externalSecretName:
  70. description: |-
  71. The name of the external secrets to be created.
  72. Defaults to the name of the ClusterExternalSecret
  73. maxLength: 253
  74. minLength: 1
  75. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  76. type: string
  77. externalSecretSpec:
  78. description: The spec for the ExternalSecrets to be created
  79. properties:
  80. data:
  81. description: Data defines the connection between the Kubernetes Secret keys and the Provider data
  82. items:
  83. description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
  84. properties:
  85. remoteRef:
  86. description: |-
  87. RemoteRef points to the remote secret and defines
  88. which secret (version/property/..) to fetch.
  89. properties:
  90. conversionStrategy:
  91. default: Default
  92. description: Used to define a conversion Strategy
  93. enum:
  94. - Default
  95. - Unicode
  96. type: string
  97. decodingStrategy:
  98. default: None
  99. description: Used to define a decoding Strategy
  100. enum:
  101. - Auto
  102. - Base64
  103. - Base64URL
  104. - None
  105. type: string
  106. key:
  107. description: Key is the key used in the Provider, mandatory
  108. type: string
  109. metadataPolicy:
  110. default: None
  111. description: Policy for fetching tags/labels from provider secrets; possible options are Fetch and None. Defaults to None.
  112. enum:
  113. - None
  114. - Fetch
  115. type: string
  116. nullBytePolicy:
  117. description: Controls how ESO handles fetched secret data containing NUL bytes for this source.
  118. enum:
  119. - Ignore
  120. - Fail
  121. type: string
  122. property:
  123. description: Used to select a specific property of the Provider value (if a map), if supported
  124. type: string
  125. version:
  126. description: Used to select a specific version of the Provider value, if supported
  127. type: string
  128. required:
  129. - key
  130. type: object
  131. secretKey:
  132. description: The key in the Kubernetes Secret to store the value.
  133. maxLength: 253
  134. minLength: 1
  135. pattern: ^[-._a-zA-Z0-9]+$
  136. type: string
  137. sourceRef:
  138. description: |-
  139. SourceRef allows you to override the source
  140. from which the value will be pulled.
  141. maxProperties: 1
  142. minProperties: 1
  143. properties:
  144. generatorRef:
  145. description: |-
  146. GeneratorRef points to a generator custom resource.
  147. Deprecated: The generatorRef is not implemented in .data[].
  148. This will be removed with v1.
  149. properties:
  150. apiVersion:
  151. default: generators.external-secrets.io/v1alpha1
  152. description: Specify the apiVersion of the generator resource
  153. type: string
  154. kind:
  155. description: Specify the Kind of the generator resource
  156. enum:
  157. - ACRAccessToken
  158. - BeyondtrustWorkloadCredentialsDynamicSecret
  159. - ClusterGenerator
  160. - CloudsmithAccessToken
  161. - ECRAuthorizationToken
  162. - Fake
  163. - GCRAccessToken
  164. - GithubAccessToken
  165. - GitlabDeployToken
  166. - QuayAccessToken
  167. - Password
  168. - SSHKey
  169. - STSSessionToken
  170. - UUID
  171. - VaultDynamicSecret
  172. - Webhook
  173. - Grafana
  174. - MFA
  175. type: string
  176. name:
  177. description: Specify the name of the generator resource
  178. maxLength: 253
  179. minLength: 1
  180. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  181. type: string
  182. required:
  183. - kind
  184. - name
  185. type: object
  186. storeRef:
  187. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  188. properties:
  189. kind:
  190. description: |-
  191. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  192. Defaults to `SecretStore`
  193. enum:
  194. - SecretStore
  195. - ClusterSecretStore
  196. type: string
  197. name:
  198. description: Name of the SecretStore resource
  199. maxLength: 253
  200. minLength: 1
  201. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  202. type: string
  203. type: object
  204. type: object
  205. required:
  206. - remoteRef
  207. - secretKey
  208. type: object
  209. type: array
  210. dataFrom:
  211. description: |-
  212. DataFrom is used to fetch all properties from a specific Provider data
  213. If multiple entries are specified, the Secret keys are merged in the specified order
  214. items:
  215. description: |-
  216. ExternalSecretDataFromRemoteRef defines the connection between the Kubernetes Secret keys and the Provider data
  217. when using DataFrom to fetch multiple values from a Provider.
  218. properties:
  219. extract:
  220. description: |-
  221. Used to extract multiple key/value pairs from one secret
  222. Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
  223. properties:
  224. conversionStrategy:
  225. default: Default
  226. description: Used to define a conversion Strategy
  227. enum:
  228. - Default
  229. - Unicode
  230. type: string
  231. decodingStrategy:
  232. default: None
  233. description: Used to define a decoding Strategy
  234. enum:
  235. - Auto
  236. - Base64
  237. - Base64URL
  238. - None
  239. type: string
  240. key:
  241. description: Key is the key used in the Provider, mandatory
  242. type: string
  243. metadataPolicy:
  244. default: None
  245. description: Policy for fetching tags/labels from provider secrets; possible options are Fetch and None. Defaults to None.
  246. enum:
  247. - None
  248. - Fetch
  249. type: string
  250. nullBytePolicy:
  251. description: Controls how ESO handles fetched secret data containing NUL bytes for this source.
  252. enum:
  253. - Ignore
  254. - Fail
  255. type: string
  256. property:
  257. description: Used to select a specific property of the Provider value (if a map), if supported
  258. type: string
  259. version:
  260. description: Used to select a specific version of the Provider value, if supported
  261. type: string
  262. required:
  263. - key
  264. type: object
  265. find:
  266. description: |-
  267. Used to find secrets based on tags or regular expressions
  268. Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
  269. properties:
  270. conversionStrategy:
  271. default: Default
  272. description: Used to define a conversion Strategy
  273. enum:
  274. - Default
  275. - Unicode
  276. type: string
  277. decodingStrategy:
  278. default: None
  279. description: Used to define a decoding Strategy
  280. enum:
  281. - Auto
  282. - Base64
  283. - Base64URL
  284. - None
  285. type: string
  286. name:
  287. description: Finds secrets based on the name.
  288. properties:
  289. regexp:
  290. description: Finds secrets based on a regular expression matched against the name.
  291. type: string
  292. type: object
  293. nullBytePolicy:
  294. description: Controls how ESO handles fetched secret data containing NUL bytes for this find source.
  295. enum:
  296. - Ignore
  297. - Fail
  298. type: string
  299. path:
  300. description: A root path to start the find operations.
  301. type: string
  302. tags:
  303. additionalProperties:
  304. type: string
  305. description: Find secrets based on tags.
  306. type: object
  307. type: object
  308. rewrite:
  309. description: |-
  310. Used to rewrite secret Keys after getting them from the secret Provider
  311. Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
  312. items:
  313. description: ExternalSecretRewrite defines how to rewrite secret data values before they are written to the Secret.
  314. maxProperties: 1
  315. minProperties: 1
  316. properties:
  317. merge:
  318. description: |-
  319. Used to merge key/values in one single Secret
  320. The resulting key will contain all values from the specified secrets
  321. properties:
  322. conflictPolicy:
  323. default: Error
  324. description: Used to define the policy to use in conflict resolution.
  325. enum:
  326. - Ignore
  327. - Error
  328. type: string
  329. into:
  330. default: ""
  331. description: |-
  332. Used to define the target key of the merge operation.
  333. Required if strategy is JSON. Ignored otherwise.
  334. type: string
  335. priority:
  336. description: Used to define key priority in conflict resolution.
  337. items:
  338. type: string
  339. type: array
  340. priorityPolicy:
  341. default: Strict
  342. description: Used to define the policy when a key in the priority list does not exist in the input.
  343. enum:
  344. - IgnoreNotFound
  345. - Strict
  346. type: string
  347. strategy:
  348. default: Extract
  349. description: Used to define the strategy to use in the merge operation.
  350. enum:
  351. - Extract
  352. - JSON
  353. type: string
  354. type: object
  355. regexp:
  356. description: |-
  357. Used to rewrite with regular expressions.
  358. The resulting key will be the output of a regexp.ReplaceAll operation.
  359. properties:
  360. source:
  361. description: Used to define the regular expression of a re.Compiler.
  362. type: string
  363. target:
  364. description: Used to define the target pattern of a ReplaceAll operation.
  365. type: string
  366. required:
  367. - source
  368. - target
  369. type: object
  370. transform:
  371. description: |-
  372. Used to apply string transformation on the secrets.
  373. The resulting key will be the output of the template applied by the operation.
  374. properties:
  375. template:
  376. description: |-
  377. Used to define the template to apply on the secret name.
  378. `.value` will specify the secret name in the template.
  379. type: string
  380. required:
  381. - template
  382. type: object
  383. type: object
  384. type: array
  385. sourceRef:
  386. description: |-
  387. SourceRef points to a store or generator
  388. which contains secret values ready to use.
  389. Use this in combination with Extract or Find to pull values out of
  390. a specific SecretStore.
  391. When sourceRef points to a generator, Extract or Find is not supported.
  392. The generator returns a static map of values.
  393. maxProperties: 1
  394. minProperties: 1
  395. properties:
  396. generatorRef:
  397. description: GeneratorRef points to a generator custom resource.
  398. properties:
  399. apiVersion:
  400. default: generators.external-secrets.io/v1alpha1
  401. description: Specify the apiVersion of the generator resource
  402. type: string
  403. kind:
  404. description: Specify the Kind of the generator resource
  405. enum:
  406. - ACRAccessToken
  407. - BeyondtrustWorkloadCredentialsDynamicSecret
  408. - ClusterGenerator
  409. - CloudsmithAccessToken
  410. - ECRAuthorizationToken
  411. - Fake
  412. - GCRAccessToken
  413. - GithubAccessToken
  414. - GitlabDeployToken
  415. - QuayAccessToken
  416. - Password
  417. - SSHKey
  418. - STSSessionToken
  419. - UUID
  420. - VaultDynamicSecret
  421. - Webhook
  422. - Grafana
  423. - MFA
  424. type: string
  425. name:
  426. description: Specify the name of the generator resource
  427. maxLength: 253
  428. minLength: 1
  429. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  430. type: string
  431. required:
  432. - kind
  433. - name
  434. type: object
  435. storeRef:
  436. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  437. properties:
  438. kind:
  439. description: |-
  440. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  441. Defaults to `SecretStore`
  442. enum:
  443. - SecretStore
  444. - ClusterSecretStore
  445. type: string
  446. name:
  447. description: Name of the SecretStore resource
  448. maxLength: 253
  449. minLength: 1
  450. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  451. type: string
  452. type: object
  453. type: object
  454. type: object
  455. type: array
  456. refreshInterval:
  457. default: 1h0m0s
  458. description: |-
  459. RefreshInterval is the amount of time before the values are read again from the SecretStore provider,
  460. specified as Golang Duration strings.
  461. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
  462. Example values: "1h0m0s", "2h30m0s", "10m0s"
  463. May be set to "0s" to fetch and create it once. Defaults to 1h0m0s.
  464. type: string
  465. refreshPolicy:
  466. description: |-
  467. RefreshPolicy determines how the ExternalSecret should be refreshed:
  468. - CreatedOnce: Creates the Secret only if it does not exist and does not update it thereafter
  469. - Periodic: Synchronizes the Secret from the external source at regular intervals specified by refreshInterval.
  470. No periodic updates occur if refreshInterval is 0.
  471. - OnChange: Only synchronizes the Secret when the ExternalSecret's metadata or specification changes
  472. enum:
  473. - CreatedOnce
  474. - Periodic
  475. - OnChange
  476. type: string
  477. secretStoreRef:
  478. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  479. properties:
  480. kind:
  481. description: |-
  482. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  483. Defaults to `SecretStore`
  484. enum:
  485. - SecretStore
  486. - ClusterSecretStore
  487. type: string
  488. name:
  489. description: Name of the SecretStore resource
  490. maxLength: 253
  491. minLength: 1
  492. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  493. type: string
  494. type: object
  495. syncWindows:
  496. description: |-
  497. SyncWindows optionally restricts when periodic refreshes may occur.
  498. Evaluated in UTC, only for Periodic refresh policy (or when refreshPolicy is unset).
  499. properties:
  500. kind:
  501. description: |-
  502. Kind applies to every window in the list.
  503. "allow" -- syncs are permitted only while at least one window is active;
  504. all other times are blocked.
  505. "deny" -- syncs are blocked while any window is active;
  506. all other times are permitted.
  507. enum:
  508. - allow
  509. - deny
  510. type: string
  511. windows:
  512. description: Windows is the list of schedule+duration pairs.
  513. items:
  514. description: |-
  515. ExternalSecretSyncWindowEntry defines a single cron-schedule + duration pair
  516. within a SyncWindows block.
  517. properties:
  518. duration:
  519. description: |-
  520. Duration specifies how long the window stays open after each Schedule
  521. firing. Example: "8h".
  522. type: string
  523. schedule:
  524. description: |-
  525. Schedule is a standard 5-field cron expression evaluated in UTC, or a
  526. named shorthand such as @daily or @every 1h. It marks the start time of
  527. each window occurrence.
  528. Example: "0 22 * * 1-5" opens a window every weekday at 22:00 UTC.
  529. minLength: 1
  530. pattern: ^(@(annually|yearly|monthly|weekly|daily|midnight|hourly)|@every [^\s]+.*|[^\s]+( [^\s]+){4})$
  531. type: string
  532. required:
  533. - duration
  534. - schedule
  535. type: object
  536. minItems: 1
  537. type: array
  538. required:
  539. - kind
  540. - windows
  541. type: object
  542. target:
  543. default:
  544. creationPolicy: Owner
  545. deletionPolicy: Retain
  546. description: |-
  547. ExternalSecretTarget defines the Kubernetes Secret to be created,
  548. there can be only one target per ExternalSecret.
  549. properties:
  550. creationPolicy:
  551. default: Owner
  552. description: |-
  553. CreationPolicy defines rules on how to create the resulting Secret.
  554. Defaults to "Owner"
  555. enum:
  556. - Owner
  557. - Orphan
  558. - Merge
  559. - None
  560. type: string
  561. deletionPolicy:
  562. default: Retain
  563. description: |-
  564. DeletionPolicy defines rules on how to delete the resulting Secret.
  565. Defaults to "Retain"
  566. enum:
  567. - Delete
  568. - Merge
  569. - Retain
  570. type: string
  571. immutable:
  572. description: Immutable defines whether the resulting Secret will be immutable
  573. type: boolean
  574. manifest:
  575. description: |-
  576. Manifest defines a custom Kubernetes resource to create instead of a Secret.
  577. When specified, ExternalSecret will create the resource type defined here
  578. (e.g., ConfigMap, Custom Resource) instead of a Secret.
  579. Warning: with a generic target the secret values are written into a resource that is not a Secret, so make sure the access policies and encryption that apply to that resource type are properly configured.
  580. properties:
  581. apiVersion:
  582. description: APIVersion of the target resource (e.g., "v1" for ConfigMap, "argoproj.io/v1alpha1" for ArgoCD Application)
  583. minLength: 1
  584. type: string
  585. kind:
  586. description: Kind of the target resource (e.g., "ConfigMap", "Application")
  587. minLength: 1
  588. type: string
  589. required:
  590. - apiVersion
  591. - kind
  592. type: object
  593. name:
  594. description: |-
  595. The name of the Secret resource to be managed.
  596. Defaults to the .metadata.name of the ExternalSecret resource
  597. maxLength: 253
  598. minLength: 1
  599. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  600. type: string
  601. template:
  602. description: Template defines a blueprint for the created Secret resource.
  603. properties:
  604. data:
  605. additionalProperties:
  606. type: string
  607. type: object
  608. engineVersion:
  609. default: v2
  610. description: |-
  611. EngineVersion specifies the template engine version
  612. that should be used to compile/execute the
  613. template specified in .data and .templateFrom[].
  614. enum:
  615. - v2
  616. type: string
  617. mergePolicy:
  618. default: Replace
  619. description: TemplateMergePolicy defines how the rendered template should be merged with the existing Secret data.
  620. enum:
  621. - Replace
  622. - Merge
  623. type: string
  624. metadata:
  625. description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
  626. properties:
  627. annotations:
  628. additionalProperties:
  629. type: string
  630. type: object
  631. finalizers:
  632. items:
  633. type: string
  634. type: array
  635. labels:
  636. additionalProperties:
  637. type: string
  638. type: object
  639. type: object
  640. templateFrom:
  641. items:
  642. description: |-
  643. TemplateFrom specifies a source for templates.
  644. Each item in the list can either reference a ConfigMap or a Secret resource.
  645. properties:
  646. configMap:
  647. description: TemplateRef specifies a reference to either a ConfigMap or a Secret resource.
  648. properties:
  649. items:
  650. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  651. items:
  652. description: TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data.
  653. properties:
  654. key:
  655. description: A key in the ConfigMap/Secret
  656. maxLength: 253
  657. minLength: 1
  658. pattern: ^[-._a-zA-Z0-9]+$
  659. type: string
  660. templateAs:
  661. default: Values
  662. description: TemplateScope specifies how the template keys should be interpreted.
  663. enum:
  664. - Values
  665. - KeysAndValues
  666. type: string
  667. required:
  668. - key
  669. type: object
  670. type: array
  671. name:
  672. description: The name of the ConfigMap/Secret resource
  673. maxLength: 253
  674. minLength: 1
  675. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  676. type: string
  677. required:
  678. - items
  679. - name
  680. type: object
  681. literal:
  682. type: string
  683. secret:
  684. description: TemplateRef specifies a reference to either a ConfigMap or a Secret resource.
  685. properties:
  686. items:
  687. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  688. items:
  689. description: TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data.
  690. properties:
  691. key:
  692. description: A key in the ConfigMap/Secret
  693. maxLength: 253
  694. minLength: 1
  695. pattern: ^[-._a-zA-Z0-9]+$
  696. type: string
  697. templateAs:
  698. default: Values
  699. description: TemplateScope specifies how the template keys should be interpreted.
  700. enum:
  701. - Values
  702. - KeysAndValues
  703. type: string
  704. required:
  705. - key
  706. type: object
  707. type: array
  708. name:
  709. description: The name of the ConfigMap/Secret resource
  710. maxLength: 253
  711. minLength: 1
  712. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  713. type: string
  714. required:
  715. - items
  716. - name
  717. type: object
  718. target:
  719. default: Data
  720. description: |-
  721. Target specifies where to place the template result.
  722. For Secret resources, common values are: "Data", "Annotations", "Labels".
  723. For custom resources (when spec.target.manifest is set), this supports
  724. nested paths like "spec.database.config" or "data".
  725. type: string
  726. valuesDecodingStrategy:
  727. default: None
  728. description: Used to define a decoding Strategy for the rendered template values.
  729. enum:
  730. - Auto
  731. - Base64
  732. - Base64URL
  733. - None
  734. type: string
  735. type: object
  736. type: array
  737. type:
  738. type: string
  739. type: object
  740. type: object
  741. type: object
  742. namespaceSelector:
  743. description: |-
  744. The labels to select by to find the Namespaces to create the ExternalSecrets in.
  745. Deprecated: Use NamespaceSelectors instead.
  746. properties:
  747. matchExpressions:
  748. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  749. items:
  750. description: |-
  751. A label selector requirement is a selector that contains values, a key, and an operator that
  752. relates the key and values.
  753. properties:
  754. key:
  755. description: key is the label key that the selector applies to.
  756. type: string
  757. operator:
  758. description: |-
  759. operator represents a key's relationship to a set of values.
  760. Valid operators are In, NotIn, Exists and DoesNotExist.
  761. type: string
  762. values:
  763. description: |-
  764. values is an array of string values. If the operator is In or NotIn,
  765. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  766. the values array must be empty. This array is replaced during a strategic
  767. merge patch.
  768. items:
  769. type: string
  770. type: array
  771. x-kubernetes-list-type: atomic
  772. required:
  773. - key
  774. - operator
  775. type: object
  776. type: array
  777. x-kubernetes-list-type: atomic
  778. matchLabels:
  779. additionalProperties:
  780. type: string
  781. description: |-
  782. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  783. map is equivalent to an element of matchExpressions, whose key field is "key", the
  784. operator is "In", and the values array contains only "value". The requirements are ANDed.
  785. type: object
  786. type: object
  787. x-kubernetes-map-type: atomic
  788. namespaceSelectors:
  789. description: A list of labels to select by to find the Namespaces to create the ExternalSecrets in. The selectors are ORed.
  790. items:
  791. description: |-
  792. A label selector is a label query over a set of resources. The result of matchLabels and
  793. matchExpressions are ANDed. An empty label selector matches all objects. A null
  794. label selector matches no objects.
  795. properties:
  796. matchExpressions:
  797. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  798. items:
  799. description: |-
  800. A label selector requirement is a selector that contains values, a key, and an operator that
  801. relates the key and values.
  802. properties:
  803. key:
  804. description: key is the label key that the selector applies to.
  805. type: string
  806. operator:
  807. description: |-
  808. operator represents a key's relationship to a set of values.
  809. Valid operators are In, NotIn, Exists and DoesNotExist.
  810. type: string
  811. values:
  812. description: |-
  813. values is an array of string values. If the operator is In or NotIn,
  814. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  815. the values array must be empty. This array is replaced during a strategic
  816. merge patch.
  817. items:
  818. type: string
  819. type: array
  820. x-kubernetes-list-type: atomic
  821. required:
  822. - key
  823. - operator
  824. type: object
  825. type: array
  826. x-kubernetes-list-type: atomic
  827. matchLabels:
  828. additionalProperties:
  829. type: string
  830. description: |-
  831. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  832. map is equivalent to an element of matchExpressions, whose key field is "key", the
  833. operator is "In", and the values array contains only "value". The requirements are ANDed.
  834. type: object
  835. type: object
  836. x-kubernetes-map-type: atomic
  837. type: array
  838. namespaces:
  839. description: |-
  840. Choose namespaces by name. This field is ORed with anything that NamespaceSelectors ends up choosing.
  841. Deprecated: Use NamespaceSelectors instead.
  842. items:
  843. maxLength: 63
  844. minLength: 1
  845. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  846. type: string
  847. type: array
  848. refreshTime:
  849. description: The time in which the controller should reconcile its objects and recheck namespaces for labels.
  850. type: string
  851. required:
  852. - externalSecretSpec
  853. type: object
  854. status:
  855. description: ClusterExternalSecretStatus defines the observed state of ClusterExternalSecret.
  856. properties:
  857. conditions:
  858. items:
  859. description: ClusterExternalSecretStatusCondition defines the observed state of a ClusterExternalSecret resource.
  860. properties:
  861. message:
  862. type: string
  863. status:
  864. type: string
  865. type:
  866. description: ClusterExternalSecretConditionType defines a value type for ClusterExternalSecret conditions.
  867. type: string
  868. required:
  869. - status
  870. - type
  871. type: object
  872. type: array
  873. externalSecretName:
  874. description: ExternalSecretName is the name of the ExternalSecrets created by the ClusterExternalSecret
  875. type: string
  876. failedNamespaces:
  877. description: Failed namespaces are the namespaces that failed to apply an ExternalSecret
  878. items:
  879. description: ClusterExternalSecretNamespaceFailure represents a failed namespace deployment and its reason.
  880. properties:
  881. namespace:
  882. description: Namespace is the namespace that failed when trying to apply an ExternalSecret
  883. type: string
  884. reason:
  885. description: Reason is why the ExternalSecret failed to apply to the namespace
  886. type: string
  887. required:
  888. - namespace
  889. type: object
  890. type: array
  891. provisionedNamespaces:
  892. description: ProvisionedNamespaces are the namespaces where the ClusterExternalSecret has secrets
  893. items:
  894. type: string
  895. type: array
  896. type: object
  897. type: object
  898. served: true
  899. storage: true
  900. subresources:
  901. status: {}
  902. - additionalPrinterColumns:
  903. - jsonPath: .spec.externalSecretSpec.secretStoreRef.name
  904. name: Store
  905. type: string
  906. - jsonPath: .spec.refreshTime
  907. name: Refresh Interval
  908. type: string
  909. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  910. name: Ready
  911. type: string
  912. deprecated: true
  913. name: v1beta1
  914. schema:
  915. openAPIV3Schema:
  916. description: ClusterExternalSecret is the schema for the clusterexternalsecrets API.
  917. properties:
  918. apiVersion:
  919. description: |-
  920. APIVersion defines the versioned schema of this representation of an object.
  921. Servers should convert recognized schemas to the latest internal value, and
  922. may reject unrecognized values.
  923. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  924. type: string
  925. kind:
  926. description: |-
  927. Kind is a string value representing the REST resource this object represents.
  928. Servers may infer this from the endpoint the client submits requests to.
  929. Cannot be updated.
  930. In CamelCase.
  931. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  932. type: string
  933. metadata:
  934. type: object
  935. spec:
  936. description: ClusterExternalSecretSpec defines the desired state of ClusterExternalSecret.
  937. properties:
  938. externalSecretMetadata:
  939. description: The metadata of the external secrets to be created
  940. properties:
  941. annotations:
  942. additionalProperties:
  943. type: string
  944. type: object
  945. labels:
  946. additionalProperties:
  947. type: string
  948. type: object
  949. type: object
  950. externalSecretName:
  951. description: |-
  952. The name of the external secrets to be created.
  953. Defaults to the name of the ClusterExternalSecret
  954. maxLength: 253
  955. minLength: 1
  956. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  957. type: string
  958. externalSecretSpec:
  959. description: The spec for the ExternalSecrets to be created
  960. properties:
  961. data:
  962. description: Data defines the connection between the Kubernetes Secret keys and the Provider data
  963. items:
  964. description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
  965. properties:
  966. remoteRef:
  967. description: |-
  968. RemoteRef points to the remote secret and defines
  969. which secret (version/property/..) to fetch.
  970. properties:
  971. conversionStrategy:
  972. default: Default
  973. description: Used to define a conversion Strategy
  974. enum:
  975. - Default
  976. - Unicode
  977. type: string
  978. decodingStrategy:
  979. default: None
  980. description: Used to define a decoding Strategy
  981. enum:
  982. - Auto
  983. - Base64
  984. - Base64URL
  985. - None
  986. type: string
  987. key:
  988. description: Key is the key used in the Provider, mandatory
  989. type: string
  990. metadataPolicy:
  991. default: None
  992. description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
  993. enum:
  994. - None
  995. - Fetch
  996. type: string
  997. property:
  998. description: Used to select a specific property of the Provider value (if a map), if supported
  999. type: string
  1000. version:
  1001. description: Used to select a specific version of the Provider value, if supported
  1002. type: string
  1003. required:
  1004. - key
  1005. type: object
  1006. secretKey:
  1007. description: The key in the Kubernetes Secret to store the value.
  1008. maxLength: 253
  1009. minLength: 1
  1010. pattern: ^[-._a-zA-Z0-9]+$
  1011. type: string
  1012. sourceRef:
  1013. description: |-
  1014. SourceRef allows you to override the source
  1015. from which the value will be pulled.
  1016. maxProperties: 1
  1017. minProperties: 1
  1018. properties:
  1019. generatorRef:
  1020. description: |-
  1021. GeneratorRef points to a generator custom resource.
  1022. Deprecated: The generatorRef is not implemented in .data[].
  1023. This will be removed with v1.
  1024. properties:
  1025. apiVersion:
  1026. default: generators.external-secrets.io/v1alpha1
  1027. description: Specify the apiVersion of the generator resource
  1028. type: string
  1029. kind:
  1030. description: Specify the Kind of the generator resource
  1031. enum:
  1032. - ACRAccessToken
  1033. - ClusterGenerator
  1034. - ECRAuthorizationToken
  1035. - Fake
  1036. - GCRAccessToken
  1037. - GithubAccessToken
  1038. - QuayAccessToken
  1039. - Password
  1040. - SSHKey
  1041. - STSSessionToken
  1042. - UUID
  1043. - VaultDynamicSecret
  1044. - Webhook
  1045. - Grafana
  1046. type: string
  1047. name:
  1048. description: Specify the name of the generator resource
  1049. maxLength: 253
  1050. minLength: 1
  1051. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1052. type: string
  1053. required:
  1054. - kind
  1055. - name
  1056. type: object
  1057. storeRef:
  1058. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  1059. properties:
  1060. kind:
  1061. description: |-
  1062. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  1063. Defaults to `SecretStore`
  1064. enum:
  1065. - SecretStore
  1066. - ClusterSecretStore
  1067. type: string
  1068. name:
  1069. description: Name of the SecretStore resource
  1070. maxLength: 253
  1071. minLength: 1
  1072. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1073. type: string
  1074. type: object
  1075. type: object
  1076. required:
  1077. - remoteRef
  1078. - secretKey
  1079. type: object
  1080. type: array
  1081. dataFrom:
  1082. description: |-
  1083. DataFrom is used to fetch all properties from a specific Provider data
  1084. If multiple entries are specified, the Secret keys are merged in the specified order
  1085. items:
  1086. description: ExternalSecretDataFromRemoteRef defines a reference to multiple secrets in the provider to be fetched using options.
  1087. properties:
  1088. extract:
  1089. description: |-
  1090. Used to extract multiple key/value pairs from one secret
  1091. Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
  1092. properties:
  1093. conversionStrategy:
  1094. default: Default
  1095. description: Used to define a conversion Strategy
  1096. enum:
  1097. - Default
  1098. - Unicode
  1099. type: string
  1100. decodingStrategy:
  1101. default: None
  1102. description: Used to define a decoding Strategy
  1103. enum:
  1104. - Auto
  1105. - Base64
  1106. - Base64URL
  1107. - None
  1108. type: string
  1109. key:
  1110. description: Key is the key used in the Provider, mandatory
  1111. type: string
  1112. metadataPolicy:
  1113. default: None
  1114. description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
  1115. enum:
  1116. - None
  1117. - Fetch
  1118. type: string
  1119. property:
  1120. description: Used to select a specific property of the Provider value (if a map), if supported
  1121. type: string
  1122. version:
  1123. description: Used to select a specific version of the Provider value, if supported
  1124. type: string
  1125. required:
  1126. - key
  1127. type: object
  1128. find:
  1129. description: |-
  1130. Used to find secrets based on tags or regular expressions
  1131. Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
  1132. properties:
  1133. conversionStrategy:
  1134. default: Default
  1135. description: Used to define a conversion Strategy
  1136. enum:
  1137. - Default
  1138. - Unicode
  1139. type: string
  1140. decodingStrategy:
  1141. default: None
  1142. description: Used to define a decoding Strategy
  1143. enum:
  1144. - Auto
  1145. - Base64
  1146. - Base64URL
  1147. - None
  1148. type: string
  1149. name:
  1150. description: Finds secrets based on the name.
  1151. properties:
  1152. regexp:
  1153. description: Finds secrets whose name matches the given regular expression.
  1154. type: string
  1155. type: object
  1156. path:
  1157. description: A root path to start the find operations.
  1158. type: string
  1159. tags:
  1160. additionalProperties:
  1161. type: string
  1162. description: Find secrets based on tags.
  1163. type: object
  1164. type: object
  1165. rewrite:
  1166. description: |-
  1167. Used to rewrite secret Keys after getting them from the secret Provider
  1168. Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
  1169. items:
  1170. description: ExternalSecretRewrite defines rules on how to rewrite secret keys.
  1171. maxProperties: 1
  1172. minProperties: 1
  1173. properties:
  1174. regexp:
  1175. description: |-
  1176. Used to rewrite with regular expressions.
  1177. The resulting key will be the output of a regexp.ReplaceAll operation.
  1178. properties:
  1179. source:
  1180. description: Used to define the regular expression of a re.Compiler.
  1181. type: string
  1182. target:
  1183. description: Used to define the target pattern of a ReplaceAll operation.
  1184. type: string
  1185. required:
  1186. - source
  1187. - target
  1188. type: object
  1189. transform:
  1190. description: |-
  1191. Used to apply string transformation on the secrets.
  1192. The resulting key will be the output of the template applied by the operation.
  1193. properties:
  1194. template:
  1195. description: |-
  1196. Used to define the template to apply on the secret name.
  1197. `.value` will specify the secret name in the template.
  1198. type: string
  1199. required:
  1200. - template
  1201. type: object
  1202. type: object
  1203. type: array
  1204. sourceRef:
  1205. description: |-
  1206. SourceRef points to a store or generator
  1207. which contains secret values ready to use.
  1208. Use this in combination with Extract or Find to pull values out of
  1209. a specific SecretStore.
  1210. When sourceRef points to a generator Extract or Find is not supported.
  1211. The generator returns a static map of values
  1212. maxProperties: 1
  1213. minProperties: 1
  1214. properties:
  1215. generatorRef:
  1216. description: GeneratorRef points to a generator custom resource.
  1217. properties:
  1218. apiVersion:
  1219. default: generators.external-secrets.io/v1alpha1
  1220. description: Specify the apiVersion of the generator resource
  1221. type: string
  1222. kind:
  1223. description: Specify the Kind of the generator resource
  1224. enum:
  1225. - ACRAccessToken
  1226. - ClusterGenerator
  1227. - ECRAuthorizationToken
  1228. - Fake
  1229. - GCRAccessToken
  1230. - GithubAccessToken
  1231. - QuayAccessToken
  1232. - Password
  1233. - SSHKey
  1234. - STSSessionToken
  1235. - UUID
  1236. - VaultDynamicSecret
  1237. - Webhook
  1238. - Grafana
  1239. type: string
  1240. name:
  1241. description: Specify the name of the generator resource
  1242. maxLength: 253
  1243. minLength: 1
  1244. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1245. type: string
  1246. required:
  1247. - kind
  1248. - name
  1249. type: object
  1250. storeRef:
  1251. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  1252. properties:
  1253. kind:
  1254. description: |-
  1255. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  1256. Defaults to `SecretStore`
  1257. enum:
  1258. - SecretStore
  1259. - ClusterSecretStore
  1260. type: string
  1261. name:
  1262. description: Name of the SecretStore resource
  1263. maxLength: 253
  1264. minLength: 1
  1265. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1266. type: string
  1267. type: object
  1268. type: object
  1269. type: object
  1270. type: array
  1271. refreshInterval:
  1272. default: 1h0m0s
  1273. description: |-
  1274. RefreshInterval is the amount of time before the values are read again from the SecretStore provider,
  1275. specified as Golang Duration strings.
  1276. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
  1277. Example values: "1h0m0s", "2h30m0s", "10m0s"
  1278. May be set to "0s" to fetch and create it once. Defaults to 1h0m0s.
  1279. type: string
  1280. refreshPolicy:
  1281. description: |-
  1282. RefreshPolicy determines how the ExternalSecret should be refreshed:
  1283. - CreatedOnce: Creates the Secret only if it does not exist and does not update it thereafter
  1284. - Periodic: Synchronizes the Secret from the external source at regular intervals specified by refreshInterval.
  1285. No periodic updates occur if refreshInterval is 0.
  1286. - OnChange: Only synchronizes the Secret when the ExternalSecret's metadata or specification changes
  1287. enum:
  1288. - CreatedOnce
  1289. - Periodic
  1290. - OnChange
  1291. type: string
  1292. secretStoreRef:
  1293. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  1294. properties:
  1295. kind:
  1296. description: |-
  1297. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  1298. Defaults to `SecretStore`
  1299. enum:
  1300. - SecretStore
  1301. - ClusterSecretStore
  1302. type: string
  1303. name:
  1304. description: Name of the SecretStore resource
  1305. maxLength: 253
  1306. minLength: 1
  1307. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1308. type: string
  1309. type: object
  1310. target:
  1311. default:
  1312. creationPolicy: Owner
  1313. deletionPolicy: Retain
  1314. description: |-
  1315. ExternalSecretTarget defines the Kubernetes Secret to be created,
  1316. There can be only one target per ExternalSecret.
  1317. properties:
  1318. creationPolicy:
  1319. default: Owner
  1320. description: |-
  1321. CreationPolicy defines rules on how to create the resulting Secret.
  1322. Defaults to "Owner"
  1323. enum:
  1324. - Owner
  1325. - Orphan
  1326. - Merge
  1327. - None
  1328. type: string
  1329. deletionPolicy:
  1330. default: Retain
  1331. description: |-
  1332. DeletionPolicy defines rules on how to delete the resulting Secret.
  1333. Defaults to "Retain"
  1334. enum:
  1335. - Delete
  1336. - Merge
  1337. - Retain
  1338. type: string
  1339. immutable:
  1340. description: Immutable defines whether the resulting Secret will be immutable
  1341. type: boolean
  1342. name:
  1343. description: |-
  1344. The name of the Secret resource to be managed.
  1345. Defaults to the .metadata.name of the ExternalSecret resource
  1346. maxLength: 253
  1347. minLength: 1
  1348. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1349. type: string
  1350. template:
  1351. description: Template defines a blueprint for the created Secret resource.
  1352. properties:
  1353. data:
  1354. additionalProperties:
  1355. type: string
  1356. type: object
  1357. engineVersion:
  1358. default: v2
  1359. description: |-
  1360. EngineVersion specifies the template engine version
  1361. that should be used to compile/execute the
  1362. template specified in .data and .templateFrom[].
  1363. enum:
  1364. - v2
  1365. type: string
  1366. mergePolicy:
  1367. default: Replace
  1368. description: TemplateMergePolicy defines how template values should be merged when generating a secret.
  1369. enum:
  1370. - Replace
  1371. - Merge
  1372. type: string
  1373. metadata:
  1374. description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
  1375. properties:
  1376. annotations:
  1377. additionalProperties:
  1378. type: string
  1379. type: object
  1380. labels:
  1381. additionalProperties:
  1382. type: string
  1383. type: object
  1384. type: object
  1385. templateFrom:
  1386. items:
  1387. description: TemplateFrom defines a source for template data.
  1388. properties:
  1389. configMap:
  1390. description: TemplateRef defines a reference to a template source in a ConfigMap or Secret.
  1391. properties:
  1392. items:
  1393. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  1394. items:
  1395. description: TemplateRefItem defines which key in the referenced ConfigMap or Secret to use as a template.
  1396. properties:
  1397. key:
  1398. description: A key in the ConfigMap/Secret
  1399. maxLength: 253
  1400. minLength: 1
  1401. pattern: ^[-._a-zA-Z0-9]+$
  1402. type: string
  1403. templateAs:
  1404. default: Values
  1405. description: TemplateScope defines the scope of the template when processing template data.
  1406. enum:
  1407. - Values
  1408. - KeysAndValues
  1409. type: string
  1410. required:
  1411. - key
  1412. type: object
  1413. type: array
  1414. name:
  1415. description: The name of the ConfigMap/Secret resource
  1416. maxLength: 253
  1417. minLength: 1
  1418. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1419. type: string
  1420. required:
  1421. - items
  1422. - name
  1423. type: object
  1424. literal:
  1425. type: string
  1426. secret:
  1427. description: TemplateRef defines a reference to a template source in a ConfigMap or Secret.
  1428. properties:
  1429. items:
  1430. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  1431. items:
  1432. description: TemplateRefItem defines which key in the referenced ConfigMap or Secret to use as a template.
  1433. properties:
  1434. key:
  1435. description: A key in the ConfigMap/Secret
  1436. maxLength: 253
  1437. minLength: 1
  1438. pattern: ^[-._a-zA-Z0-9]+$
  1439. type: string
  1440. templateAs:
  1441. default: Values
  1442. description: TemplateScope defines the scope of the template when processing template data.
  1443. enum:
  1444. - Values
  1445. - KeysAndValues
  1446. type: string
  1447. required:
  1448. - key
  1449. type: object
  1450. type: array
  1451. name:
  1452. description: The name of the ConfigMap/Secret resource
  1453. maxLength: 253
  1454. minLength: 1
  1455. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1456. type: string
  1457. required:
  1458. - items
  1459. - name
  1460. type: object
  1461. target:
  1462. default: Data
  1463. description: TemplateTarget defines the target field where the template result will be stored.
  1464. enum:
  1465. - Data
  1466. - Annotations
  1467. - Labels
  1468. type: string
  1469. type: object
  1470. type: array
  1471. type:
  1472. type: string
  1473. type: object
  1474. type: object
  1475. type: object
  1476. namespaceSelector:
  1477. description: The labels to select by to find the Namespaces to create the ExternalSecrets in
  1478. properties:
  1479. matchExpressions:
  1480. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  1481. items:
  1482. description: |-
  1483. A label selector requirement is a selector that contains values, a key, and an operator that
  1484. relates the key and values.
  1485. properties:
  1486. key:
  1487. description: key is the label key that the selector applies to.
  1488. type: string
  1489. operator:
  1490. description: |-
  1491. operator represents a key's relationship to a set of values.
  1492. Valid operators are In, NotIn, Exists and DoesNotExist.
  1493. type: string
  1494. values:
  1495. description: |-
  1496. values is an array of string values. If the operator is In or NotIn,
  1497. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  1498. the values array must be empty. This array is replaced during a strategic
  1499. merge patch.
  1500. items:
  1501. type: string
  1502. type: array
  1503. x-kubernetes-list-type: atomic
  1504. required:
  1505. - key
  1506. - operator
  1507. type: object
  1508. type: array
  1509. x-kubernetes-list-type: atomic
  1510. matchLabels:
  1511. additionalProperties:
  1512. type: string
  1513. description: |-
  1514. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  1515. map is equivalent to an element of matchExpressions, whose key field is "key", the
  1516. operator is "In", and the values array contains only "value". The requirements are ANDed.
  1517. type: object
  1518. type: object
  1519. x-kubernetes-map-type: atomic
  1520. namespaceSelectors:
  1521. description: A list of labels to select by to find the Namespaces to create the ExternalSecrets in. The selectors are ORed.
  1522. items:
  1523. description: |-
  1524. A label selector is a label query over a set of resources. The result of matchLabels and
  1525. matchExpressions are ANDed. An empty label selector matches all objects. A null
  1526. label selector matches no objects.
  1527. properties:
  1528. matchExpressions:
  1529. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  1530. items:
  1531. description: |-
  1532. A label selector requirement is a selector that contains values, a key, and an operator that
  1533. relates the key and values.
  1534. properties:
  1535. key:
  1536. description: key is the label key that the selector applies to.
  1537. type: string
  1538. operator:
  1539. description: |-
  1540. operator represents a key's relationship to a set of values.
  1541. Valid operators are In, NotIn, Exists and DoesNotExist.
  1542. type: string
  1543. values:
  1544. description: |-
  1545. values is an array of string values. If the operator is In or NotIn,
  1546. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  1547. the values array must be empty. This array is replaced during a strategic
  1548. merge patch.
  1549. items:
  1550. type: string
  1551. type: array
  1552. x-kubernetes-list-type: atomic
  1553. required:
  1554. - key
  1555. - operator
  1556. type: object
  1557. type: array
  1558. x-kubernetes-list-type: atomic
  1559. matchLabels:
  1560. additionalProperties:
  1561. type: string
  1562. description: |-
  1563. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  1564. map is equivalent to an element of matchExpressions, whose key field is "key", the
  1565. operator is "In", and the values array contains only "value". The requirements are ANDed.
  1566. type: object
  1567. type: object
  1568. x-kubernetes-map-type: atomic
  1569. type: array
  1570. namespaces:
  1571. description: |-
  1572. Choose namespaces by name. This field is ORed with anything that NamespaceSelectors ends up choosing.
  1573. Deprecated: Use NamespaceSelectors instead.
  1574. items:
  1575. maxLength: 63
  1576. minLength: 1
  1577. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  1578. type: string
  1579. type: array
  1580. refreshTime:
  1581. description: The interval at which the controller should reconcile its objects and recheck namespaces for labels.
  1582. type: string
  1583. required:
  1584. - externalSecretSpec
  1585. type: object
  1586. status:
  1587. description: ClusterExternalSecretStatus defines the observed state of ClusterExternalSecret.
  1588. properties:
  1589. conditions:
  1590. items:
  1591. description: ClusterExternalSecretStatusCondition indicates the status of the ClusterExternalSecret.
  1592. properties:
  1593. message:
  1594. type: string
  1595. status:
  1596. type: string
  1597. type:
  1598. description: ClusterExternalSecretConditionType indicates the condition of the ClusterExternalSecret.
  1599. type: string
  1600. required:
  1601. - status
  1602. - type
  1603. type: object
  1604. type: array
  1605. externalSecretName:
  1606. description: ExternalSecretName is the name of the ExternalSecrets created by the ClusterExternalSecret
  1607. type: string
  1608. failedNamespaces:
  1609. description: Failed namespaces are the namespaces that failed to apply an ExternalSecret
  1610. items:
  1611. description: ClusterExternalSecretNamespaceFailure represents a failed namespace deployment and its reason.
  1612. properties:
  1613. namespace:
  1614. description: Namespace is the namespace that failed when trying to apply an ExternalSecret
  1615. type: string
  1616. reason:
  1617. description: Reason is why the ExternalSecret failed to apply to the namespace
  1618. type: string
  1619. required:
  1620. - namespace
  1621. type: object
  1622. type: array
  1623. provisionedNamespaces:
  1624. description: ProvisionedNamespaces are the namespaces where the ClusterExternalSecret has secrets
  1625. items:
  1626. type: string
  1627. type: array
  1628. type: object
  1629. type: object
  1630. served: false
  1631. storage: false
  1632. subresources:
  1633. status: {}
  1634. ---
  1635. apiVersion: apiextensions.k8s.io/v1
  1636. kind: CustomResourceDefinition
  1637. metadata:
  1638. annotations:
  1639. controller-gen.kubebuilder.io/version: v0.19.0
  1640. labels:
  1641. external-secrets.io/component: controller
  1642. name: clusterpushsecrets.external-secrets.io
  1643. spec:
  1644. group: external-secrets.io
  1645. names:
  1646. categories:
  1647. - external-secrets
  1648. kind: ClusterPushSecret
  1649. listKind: ClusterPushSecretList
  1650. plural: clusterpushsecrets
  1651. singular: clusterpushsecret
  1652. scope: Cluster
  1653. versions:
  1654. - additionalPrinterColumns:
  1655. - jsonPath: .metadata.creationTimestamp
  1656. name: AGE
  1657. type: date
  1658. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  1659. name: Status
  1660. type: string
  1661. name: v1alpha1
  1662. schema:
  1663. openAPIV3Schema:
  1664. description: ClusterPushSecret is the Schema for the ClusterPushSecrets API that enables cluster-wide management of pushing Kubernetes secrets to external providers.
  1665. properties:
  1666. apiVersion:
  1667. description: |-
  1668. APIVersion defines the versioned schema of this representation of an object.
  1669. Servers should convert recognized schemas to the latest internal value, and
  1670. may reject unrecognized values.
  1671. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  1672. type: string
  1673. kind:
  1674. description: |-
  1675. Kind is a string value representing the REST resource this object represents.
  1676. Servers may infer this from the endpoint the client submits requests to.
  1677. Cannot be updated.
  1678. In CamelCase.
  1679. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  1680. type: string
  1681. metadata:
  1682. type: object
  1683. spec:
  1684. description: ClusterPushSecretSpec defines the configuration for a ClusterPushSecret resource.
  1685. properties:
  1686. namespaceSelectors:
  1687. description: A list of labels to select by to find the Namespaces to create the ExternalSecrets in. The selectors are ORed.
  1688. items:
  1689. description: |-
  1690. A label selector is a label query over a set of resources. The result of matchLabels and
  1691. matchExpressions are ANDed. An empty label selector matches all objects. A null
  1692. label selector matches no objects.
  1693. properties:
  1694. matchExpressions:
  1695. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  1696. items:
  1697. description: |-
  1698. A label selector requirement is a selector that contains values, a key, and an operator that
  1699. relates the key and values.
  1700. properties:
  1701. key:
  1702. description: key is the label key that the selector applies to.
  1703. type: string
  1704. operator:
  1705. description: |-
  1706. operator represents a key's relationship to a set of values.
  1707. Valid operators are In, NotIn, Exists and DoesNotExist.
  1708. type: string
  1709. values:
  1710. description: |-
  1711. values is an array of string values. If the operator is In or NotIn,
  1712. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  1713. the values array must be empty. This array is replaced during a strategic
  1714. merge patch.
  1715. items:
  1716. type: string
  1717. type: array
  1718. x-kubernetes-list-type: atomic
  1719. required:
  1720. - key
  1721. - operator
  1722. type: object
  1723. type: array
  1724. x-kubernetes-list-type: atomic
  1725. matchLabels:
  1726. additionalProperties:
  1727. type: string
  1728. description: |-
  1729. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  1730. map is equivalent to an element of matchExpressions, whose key field is "key", the
  1731. operator is "In", and the values array contains only "value". The requirements are ANDed.
  1732. type: object
  1733. type: object
  1734. x-kubernetes-map-type: atomic
  1735. type: array
  1736. pushSecretMetadata:
  1737. description: The metadata of the external secrets to be created
  1738. properties:
  1739. annotations:
  1740. additionalProperties:
  1741. type: string
  1742. type: object
  1743. labels:
  1744. additionalProperties:
  1745. type: string
  1746. type: object
  1747. type: object
  1748. pushSecretName:
  1749. description: |-
  1750. The name of the push secrets to be created.
  1751. Defaults to the name of the ClusterPushSecret
  1752. maxLength: 253
  1753. minLength: 1
  1754. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1755. type: string
  1756. pushSecretSpec:
  1757. description: PushSecretSpec defines what to do with the secrets.
  1758. properties:
  1759. data:
  1760. description: Secret Data that should be pushed to providers
  1761. items:
  1762. description: PushSecretData defines data to be pushed to the provider and associated metadata.
  1763. properties:
  1764. conversionStrategy:
  1765. default: None
  1766. description: Used to define a conversion Strategy for the secret keys
  1767. enum:
  1768. - None
  1769. - ReverseUnicode
  1770. type: string
  1771. match:
  1772. description: Match a given Secret Key to be pushed to the provider.
  1773. properties:
  1774. remoteRef:
  1775. description: Remote Refs to push to providers.
  1776. properties:
  1777. property:
  1778. description: Name of the property in the resulting secret
  1779. type: string
  1780. remoteKey:
  1781. description: Name of the resulting provider secret.
  1782. type: string
  1783. required:
  1784. - remoteKey
  1785. type: object
  1786. secretKey:
  1787. description: Secret Key to be pushed
  1788. type: string
  1789. required:
  1790. - remoteRef
  1791. type: object
  1792. metadata:
  1793. description: |-
  1794. Metadata is metadata attached to the secret.
  1795. The structure of metadata is provider specific, please look it up in the provider documentation.
  1796. x-kubernetes-preserve-unknown-fields: true
  1797. required:
  1798. - match
  1799. type: object
  1800. type: array
  1801. dataTo:
  1802. description: DataTo defines bulk push rules that expand source Secret keys into provider entries.
  1803. items:
  1804. description: PushSecretDataTo defines how to bulk-push secrets to providers without explicit per-key mappings.
  1805. properties:
  1806. conversionStrategy:
  1807. default: None
  1808. description: Used to define a conversion Strategy for the secret keys
  1809. enum:
  1810. - None
  1811. - ReverseUnicode
  1812. type: string
  1813. match:
  1814. description: |-
  1815. Match pattern for selecting keys from the source Secret.
  1816. If not specified, all keys are selected.
  1817. properties:
  1818. regexp:
  1819. description: |-
  1820. Regexp matches keys by regular expression.
  1821. If not specified, all keys are matched.
  1822. type: string
  1823. type: object
  1824. metadata:
  1825. description: |-
  1826. Metadata is metadata attached to the secret.
  1827. The structure of metadata is provider specific, please look it up in the provider documentation.
  1828. x-kubernetes-preserve-unknown-fields: true
  1829. remoteKey:
  1830. description: |-
  1831. RemoteKey is the name of the single provider secret that will receive ALL
  1832. matched keys bundled as a JSON object (e.g. {"DB_HOST":"...","DB_USER":"..."}).
  1833. When set, per-key expansion is skipped and a single push is performed.
  1834. The provider's store prefix (if any) is still prepended to this value.
  1835. When not set, each matched key is pushed as its own individual provider secret.
  1836. type: string
  1837. rewrite:
  1838. description: |-
  1839. Rewrite operations to transform keys before pushing to the provider.
  1840. Operations are applied sequentially.
  1841. items:
  1842. description: PushSecretRewrite defines how to transform secret keys before pushing.
  1843. properties:
  1844. regexp:
  1845. description: Used to rewrite with regular expressions.
  1846. properties:
  1847. source:
  1848. description: Used to define the regular expression of a re.Compiler.
  1849. type: string
  1850. target:
  1851. description: Used to define the target pattern of a ReplaceAll operation.
  1852. type: string
  1853. required:
  1854. - source
  1855. - target
  1856. type: object
  1857. transform:
  1858. description: Used to apply string transformation on the secrets.
  1859. properties:
  1860. template:
  1861. description: |-
  1862. Used to define the template to apply on the secret name.
  1863. `.value` will specify the secret name in the template.
  1864. type: string
  1865. required:
  1866. - template
  1867. type: object
  1868. type: object
  1869. x-kubernetes-validations:
  1870. - message: exactly one of regexp or transform must be set
  1871. rule: (has(self.regexp) && !has(self.transform)) || (!has(self.regexp) && has(self.transform))
  1872. type: array
  1873. storeRef:
  1874. description: StoreRef specifies which SecretStore to push to. Required.
  1875. properties:
  1876. kind:
  1877. default: SecretStore
  1878. description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  1879. enum:
  1880. - SecretStore
  1881. - ClusterSecretStore
  1882. type: string
  1883. labelSelector:
  1884. description: Optionally, sync to secret stores with label selector
  1885. properties:
  1886. matchExpressions:
  1887. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  1888. items:
  1889. description: |-
  1890. A label selector requirement is a selector that contains values, a key, and an operator that
  1891. relates the key and values.
  1892. properties:
  1893. key:
  1894. description: key is the label key that the selector applies to.
  1895. type: string
  1896. operator:
  1897. description: |-
  1898. operator represents a key's relationship to a set of values.
  1899. Valid operators are In, NotIn, Exists and DoesNotExist.
  1900. type: string
  1901. values:
  1902. description: |-
  1903. values is an array of string values. If the operator is In or NotIn,
  1904. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  1905. the values array must be empty. This array is replaced during a strategic
  1906. merge patch.
  1907. items:
  1908. type: string
  1909. type: array
  1910. x-kubernetes-list-type: atomic
  1911. required:
  1912. - key
  1913. - operator
  1914. type: object
  1915. type: array
  1916. x-kubernetes-list-type: atomic
  1917. matchLabels:
  1918. additionalProperties:
  1919. type: string
  1920. description: |-
  1921. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  1922. map is equivalent to an element of matchExpressions, whose key field is "key", the
  1923. operator is "In", and the values array contains only "value". The requirements are ANDed.
  1924. type: object
  1925. type: object
  1926. x-kubernetes-map-type: atomic
  1927. name:
  1928. description: Optionally, sync to the SecretStore of the given name
  1929. maxLength: 253
  1930. minLength: 1
  1931. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1932. type: string
  1933. type: object
  1934. type: object
  1935. x-kubernetes-validations:
  1936. - message: storeRef must specify either name or labelSelector
  1937. rule: has(self.storeRef) && (has(self.storeRef.name) || has(self.storeRef.labelSelector))
  1938. - message: 'remoteKey and rewrite are mutually exclusive: rewrite is only supported in per-key mode (without remoteKey)'
  1939. rule: '!has(self.remoteKey) || !has(self.rewrite) || size(self.rewrite) == 0'
  1940. type: array
  1941. deletionPolicy:
  1942. default: None
  1943. description: Deletion Policy to handle Secrets in the provider.
  1944. enum:
  1945. - Delete
  1946. - None
  1947. type: string
  1948. refreshInterval:
  1949. default: 1h0m0s
  1950. description: The interval at which External Secrets will try to push a secret definition
  1951. type: string
  1952. secretStoreRefs:
  1953. items:
  1954. description: PushSecretStoreRef contains a reference on how to sync to a SecretStore.
  1955. properties:
  1956. kind:
  1957. default: SecretStore
  1958. description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  1959. enum:
  1960. - SecretStore
  1961. - ClusterSecretStore
  1962. type: string
  1963. labelSelector:
  1964. description: Optionally, sync to secret stores with label selector
  1965. properties:
  1966. matchExpressions:
  1967. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  1968. items:
  1969. description: |-
  1970. A label selector requirement is a selector that contains values, a key, and an operator that
  1971. relates the key and values.
  1972. properties:
  1973. key:
  1974. description: key is the label key that the selector applies to.
  1975. type: string
  1976. operator:
  1977. description: |-
  1978. operator represents a key's relationship to a set of values.
  1979. Valid operators are In, NotIn, Exists and DoesNotExist.
  1980. type: string
  1981. values:
  1982. description: |-
  1983. values is an array of string values. If the operator is In or NotIn,
  1984. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  1985. the values array must be empty. This array is replaced during a strategic
  1986. merge patch.
  1987. items:
  1988. type: string
  1989. type: array
  1990. x-kubernetes-list-type: atomic
  1991. required:
  1992. - key
  1993. - operator
  1994. type: object
  1995. type: array
  1996. x-kubernetes-list-type: atomic
  1997. matchLabels:
  1998. additionalProperties:
  1999. type: string
  2000. description: |-
  2001. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  2002. map is equivalent to an element of matchExpressions, whose key field is "key", the
  2003. operator is "In", and the values array contains only "value". The requirements are ANDed.
  2004. type: object
  2005. type: object
  2006. x-kubernetes-map-type: atomic
  2007. name:
  2008. description: Optionally, sync to the SecretStore of the given name
  2009. maxLength: 253
  2010. minLength: 1
  2011. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2012. type: string
  2013. type: object
  2014. type: array
  2015. selector:
  2016. description: The Secret Selector (k8s source) for the Push Secret
  2017. maxProperties: 1
  2018. minProperties: 1
  2019. properties:
  2020. generatorRef:
  2021. description: Point to a generator to create a Secret.
  2022. properties:
  2023. apiVersion:
  2024. default: generators.external-secrets.io/v1alpha1
  2025. description: Specify the apiVersion of the generator resource
  2026. type: string
  2027. kind:
  2028. description: Specify the Kind of the generator resource
  2029. enum:
  2030. - ACRAccessToken
  2031. - BeyondtrustWorkloadCredentialsDynamicSecret
  2032. - ClusterGenerator
  2033. - CloudsmithAccessToken
  2034. - ECRAuthorizationToken
  2035. - Fake
  2036. - GCRAccessToken
  2037. - GithubAccessToken
  2038. - GitlabDeployToken
  2039. - QuayAccessToken
  2040. - Password
  2041. - SSHKey
  2042. - STSSessionToken
  2043. - UUID
  2044. - VaultDynamicSecret
  2045. - Webhook
  2046. - Grafana
  2047. - MFA
  2048. type: string
  2049. name:
  2050. description: Specify the name of the generator resource
  2051. maxLength: 253
  2052. minLength: 1
  2053. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2054. type: string
  2055. required:
  2056. - kind
  2057. - name
  2058. type: object
  2059. secret:
  2060. description: Select a Secret to Push.
  2061. properties:
  2062. name:
  2063. description: |-
  2064. Name of the Secret.
  2065. The Secret must exist in the same namespace as the PushSecret manifest.
  2066. maxLength: 253
  2067. minLength: 1
  2068. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2069. type: string
  2070. selector:
  2071. description: Selector chooses secrets using a labelSelector.
  2072. properties:
  2073. matchExpressions:
  2074. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  2075. items:
  2076. description: |-
  2077. A label selector requirement is a selector that contains values, a key, and an operator that
  2078. relates the key and values.
  2079. properties:
  2080. key:
  2081. description: key is the label key that the selector applies to.
  2082. type: string
  2083. operator:
  2084. description: |-
  2085. operator represents a key's relationship to a set of values.
  2086. Valid operators are In, NotIn, Exists and DoesNotExist.
  2087. type: string
  2088. values:
  2089. description: |-
  2090. values is an array of string values. If the operator is In or NotIn,
  2091. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  2092. the values array must be empty. This array is replaced during a strategic
  2093. merge patch.
  2094. items:
  2095. type: string
  2096. type: array
  2097. x-kubernetes-list-type: atomic
  2098. required:
  2099. - key
  2100. - operator
  2101. type: object
  2102. type: array
  2103. x-kubernetes-list-type: atomic
  2104. matchLabels:
  2105. additionalProperties:
  2106. type: string
  2107. description: |-
  2108. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  2109. map is equivalent to an element of matchExpressions, whose key field is "key", the
  2110. operator is "In", and the values array contains only "value". The requirements are ANDed.
  2111. type: object
  2112. type: object
  2113. x-kubernetes-map-type: atomic
  2114. type: object
  2115. type: object
  2116. template:
  2117. description: Template defines a blueprint for the created Secret resource.
  2118. properties:
  2119. data:
  2120. additionalProperties:
  2121. type: string
  2122. type: object
  2123. engineVersion:
  2124. default: v2
  2125. description: |-
  2126. EngineVersion specifies the template engine version
  2127. that should be used to compile/execute the
  2128. template specified in .data and .templateFrom[].
  2129. enum:
  2130. - v2
  2131. type: string
  2132. mergePolicy:
  2133. default: Replace
  2134. description: TemplateMergePolicy defines how the rendered template should be merged with the existing Secret data.
  2135. enum:
  2136. - Replace
  2137. - Merge
  2138. type: string
  2139. metadata:
  2140. description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
  2141. properties:
  2142. annotations:
  2143. additionalProperties:
  2144. type: string
  2145. type: object
  2146. finalizers:
  2147. items:
  2148. type: string
  2149. type: array
  2150. labels:
  2151. additionalProperties:
  2152. type: string
  2153. type: object
  2154. type: object
  2155. templateFrom:
  2156. items:
  2157. description: |-
  2158. TemplateFrom specifies a source for templates.
  2159. Each item in the list can either reference a ConfigMap or a Secret resource.
  2160. properties:
  2161. configMap:
  2162. description: TemplateRef specifies a reference to either a ConfigMap or a Secret resource.
  2163. properties:
  2164. items:
  2165. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  2166. items:
  2167. description: TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data.
  2168. properties:
  2169. key:
  2170. description: A key in the ConfigMap/Secret
  2171. maxLength: 253
  2172. minLength: 1
  2173. pattern: ^[-._a-zA-Z0-9]+$
  2174. type: string
  2175. templateAs:
  2176. default: Values
  2177. description: TemplateScope specifies how the template keys should be interpreted.
  2178. enum:
  2179. - Values
  2180. - KeysAndValues
  2181. type: string
  2182. required:
  2183. - key
  2184. type: object
  2185. type: array
  2186. name:
  2187. description: The name of the ConfigMap/Secret resource
  2188. maxLength: 253
  2189. minLength: 1
  2190. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2191. type: string
  2192. required:
  2193. - items
  2194. - name
  2195. type: object
  2196. literal:
  2197. type: string
  2198. secret:
  2199. description: TemplateRef specifies a reference to either a ConfigMap or a Secret resource.
  2200. properties:
  2201. items:
  2202. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  2203. items:
  2204. description: TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data.
  2205. properties:
  2206. key:
  2207. description: A key in the ConfigMap/Secret
  2208. maxLength: 253
  2209. minLength: 1
  2210. pattern: ^[-._a-zA-Z0-9]+$
  2211. type: string
  2212. templateAs:
  2213. default: Values
  2214. description: TemplateScope specifies how the template keys should be interpreted.
  2215. enum:
  2216. - Values
  2217. - KeysAndValues
  2218. type: string
  2219. required:
  2220. - key
  2221. type: object
  2222. type: array
  2223. name:
  2224. description: The name of the ConfigMap/Secret resource
  2225. maxLength: 253
  2226. minLength: 1
  2227. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2228. type: string
  2229. required:
  2230. - items
  2231. - name
  2232. type: object
  2233. target:
  2234. default: Data
  2235. description: |-
  2236. Target specifies where to place the template result.
  2237. For Secret resources, common values are: "Data", "Annotations", "Labels".
  2238. For custom resources (when spec.target.manifest is set), this supports
  2239. nested paths like "spec.database.config" or "data".
  2240. type: string
  2241. valuesDecodingStrategy:
  2242. default: None
  2243. description: Used to define a decoding Strategy for the rendered template values.
  2244. enum:
  2245. - Auto
  2246. - Base64
  2247. - Base64URL
  2248. - None
  2249. type: string
  2250. type: object
  2251. type: array
  2252. type:
  2253. type: string
  2254. type: object
  2255. updatePolicy:
  2256. default: Replace
  2257. description: UpdatePolicy to handle Secrets in the provider.
  2258. enum:
  2259. - Replace
  2260. - IfNotExists
  2261. type: string
  2262. required:
  2263. - secretStoreRefs
  2264. - selector
  2265. type: object
  2266. refreshTime:
  2267. description: The time in which the controller should reconcile its objects and recheck namespaces for labels.
  2268. type: string
  2269. required:
  2270. - pushSecretSpec
  2271. type: object
  2272. status:
  2273. description: ClusterPushSecretStatus contains the status information for the ClusterPushSecret resource.
  2274. properties:
  2275. conditions:
  2276. items:
  2277. description: PushSecretStatusCondition indicates the status of the PushSecret.
  2278. properties:
  2279. lastTransitionTime:
  2280. format: date-time
  2281. type: string
  2282. message:
  2283. type: string
  2284. reason:
  2285. type: string
  2286. status:
  2287. type: string
  2288. type:
  2289. description: PushSecretConditionType indicates the condition of the PushSecret.
  2290. type: string
  2291. required:
  2292. - status
  2293. - type
  2294. type: object
  2295. type: array
  2296. failedNamespaces:
2297. description: Failed namespaces are the namespaces that failed to apply a PushSecret
  2298. items:
2299. description: ClusterPushSecretNamespaceFailure represents a failed namespace deployment and its reason.
  2300. properties:
  2301. namespace:
2302. description: Namespace is the namespace that failed when trying to apply a PushSecret
  2303. type: string
  2304. reason:
  2305. description: Reason is why the PushSecret failed to apply to the namespace
  2306. type: string
  2307. required:
  2308. - namespace
  2309. type: object
  2310. type: array
  2311. provisionedNamespaces:
  2312. description: ProvisionedNamespaces are the namespaces where the ClusterPushSecret has secrets
  2313. items:
  2314. type: string
  2315. type: array
  2316. pushSecretName:
  2317. type: string
  2318. type: object
  2319. type: object
  2320. served: true
  2321. storage: true
  2322. subresources:
  2323. status: {}
  2324. ---
  2325. apiVersion: apiextensions.k8s.io/v1
  2326. kind: CustomResourceDefinition
  2327. metadata:
  2328. annotations:
  2329. controller-gen.kubebuilder.io/version: v0.19.0
  2330. labels:
  2331. external-secrets.io/component: controller
  2332. name: clustersecretstores.external-secrets.io
  2333. spec:
  2334. group: external-secrets.io
  2335. names:
  2336. categories:
  2337. - external-secrets
  2338. kind: ClusterSecretStore
  2339. listKind: ClusterSecretStoreList
  2340. plural: clustersecretstores
  2341. shortNames:
  2342. - css
  2343. singular: clustersecretstore
  2344. scope: Cluster
  2345. versions:
  2346. - additionalPrinterColumns:
  2347. - jsonPath: .metadata.creationTimestamp
  2348. name: AGE
  2349. type: date
  2350. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  2351. name: Status
  2352. type: string
  2353. - jsonPath: .status.capabilities
  2354. name: Capabilities
  2355. type: string
  2356. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  2357. name: Ready
  2358. type: string
  2359. name: v1
  2360. schema:
  2361. openAPIV3Schema:
  2362. description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
  2363. properties:
  2364. apiVersion:
  2365. description: |-
  2366. APIVersion defines the versioned schema of this representation of an object.
  2367. Servers should convert recognized schemas to the latest internal value, and
  2368. may reject unrecognized values.
  2369. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  2370. type: string
  2371. kind:
  2372. description: |-
  2373. Kind is a string value representing the REST resource this object represents.
  2374. Servers may infer this from the endpoint the client submits requests to.
  2375. Cannot be updated.
  2376. In CamelCase.
  2377. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  2378. type: string
  2379. metadata:
  2380. type: object
  2381. spec:
  2382. description: SecretStoreSpec defines the desired state of SecretStore.
  2383. properties:
  2384. conditions:
  2385. description: Used to constrain a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore.
  2386. items:
  2387. description: |-
  2388. ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in
  2389. for a ClusterSecretStore instance.
  2390. properties:
  2391. namespaceRegexes:
  2392. description: Choose namespaces by using regex matching
  2393. items:
  2394. type: string
  2395. type: array
  2396. namespaceSelector:
  2397. description: Choose namespace using a labelSelector
  2398. properties:
  2399. matchExpressions:
  2400. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  2401. items:
  2402. description: |-
  2403. A label selector requirement is a selector that contains values, a key, and an operator that
  2404. relates the key and values.
  2405. properties:
  2406. key:
  2407. description: key is the label key that the selector applies to.
  2408. type: string
  2409. operator:
  2410. description: |-
  2411. operator represents a key's relationship to a set of values.
  2412. Valid operators are In, NotIn, Exists and DoesNotExist.
  2413. type: string
  2414. values:
  2415. description: |-
  2416. values is an array of string values. If the operator is In or NotIn,
  2417. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  2418. the values array must be empty. This array is replaced during a strategic
  2419. merge patch.
  2420. items:
  2421. type: string
  2422. type: array
  2423. x-kubernetes-list-type: atomic
  2424. required:
  2425. - key
  2426. - operator
  2427. type: object
  2428. type: array
  2429. x-kubernetes-list-type: atomic
  2430. matchLabels:
  2431. additionalProperties:
  2432. type: string
  2433. description: |-
  2434. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  2435. map is equivalent to an element of matchExpressions, whose key field is "key", the
  2436. operator is "In", and the values array contains only "value". The requirements are ANDed.
  2437. type: object
  2438. type: object
  2439. x-kubernetes-map-type: atomic
  2440. namespaces:
  2441. description: Choose namespaces by name
  2442. items:
  2443. maxLength: 63
  2444. minLength: 1
  2445. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2446. type: string
  2447. type: array
  2448. type: object
  2449. type: array
  2450. controller:
  2451. description: |-
  2452. Used to select the correct ESO controller (think: ingress.ingressClassName)
  2453. The ESO controller is instantiated with a specific controller name and filters ES based on this property
  2454. type: string
  2455. provider:
  2456. description: Used to configure the provider. Only one provider may be set
  2457. maxProperties: 1
  2458. minProperties: 1
  2459. properties:
  2460. akeyless:
  2461. description: Akeyless configures this store to sync secrets using Akeyless Vault provider
  2462. properties:
  2463. akeylessGWApiURL:
2464. description: Akeyless GW API URL from which the secrets are to be fetched.
  2465. type: string
  2466. authSecretRef:
  2467. description: Auth configures how the operator authenticates with Akeyless.
  2468. properties:
  2469. kubernetesAuth:
  2470. description: |-
  2471. Kubernetes authenticates with Akeyless by passing the ServiceAccount
  2472. token stored in the named Secret resource.
  2473. properties:
  2474. accessID:
  2475. description: the Akeyless Kubernetes auth-method access-id
  2476. type: string
  2477. k8sConfName:
  2478. description: Kubernetes-auth configuration name in Akeyless-Gateway
  2479. type: string
  2480. secretRef:
  2481. description: |-
  2482. Optional secret field containing a Kubernetes ServiceAccount JWT used
  2483. for authenticating with Akeyless. If a name is specified without a key,
  2484. `token` is the default. If one is not specified, the one bound to
  2485. the controller will be used.
  2486. properties:
  2487. key:
  2488. description: |-
  2489. A key in the referenced Secret.
  2490. Some instances of this field may be defaulted, in others it may be required.
  2491. maxLength: 253
  2492. minLength: 1
  2493. pattern: ^[-._a-zA-Z0-9]+$
  2494. type: string
  2495. name:
  2496. description: The name of the Secret resource being referred to.
  2497. maxLength: 253
  2498. minLength: 1
  2499. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2500. type: string
  2501. namespace:
  2502. description: |-
  2503. The namespace of the Secret resource being referred to.
  2504. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2505. maxLength: 63
  2506. minLength: 1
  2507. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2508. type: string
  2509. type: object
  2510. serviceAccountRef:
  2511. description: |-
  2512. Optional service account field containing the name of a kubernetes ServiceAccount.
  2513. If the service account is specified, the service account secret token JWT will be used
  2514. for authenticating with Akeyless. If the service account selector is not supplied,
  2515. the secretRef will be used instead.
  2516. properties:
  2517. audiences:
  2518. description: |-
  2519. Audience specifies the `aud` claim for the service account token
  2520. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
2521. then these audiences will be appended to the list
  2522. items:
  2523. type: string
  2524. type: array
  2525. name:
  2526. description: The name of the ServiceAccount resource being referred to.
  2527. maxLength: 253
  2528. minLength: 1
  2529. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2530. type: string
  2531. namespace:
  2532. description: |-
  2533. Namespace of the resource being referred to.
  2534. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2535. maxLength: 63
  2536. minLength: 1
  2537. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2538. type: string
  2539. required:
  2540. - name
  2541. type: object
  2542. required:
  2543. - accessID
  2544. - k8sConfName
  2545. type: object
  2546. secretRef:
  2547. description: |-
  2548. Reference to a Secret that contains the details
  2549. to authenticate with Akeyless.
  2550. properties:
  2551. accessID:
  2552. description: The SecretAccessID is used for authentication
  2553. properties:
  2554. key:
  2555. description: |-
  2556. A key in the referenced Secret.
  2557. Some instances of this field may be defaulted, in others it may be required.
  2558. maxLength: 253
  2559. minLength: 1
  2560. pattern: ^[-._a-zA-Z0-9]+$
  2561. type: string
  2562. name:
  2563. description: The name of the Secret resource being referred to.
  2564. maxLength: 253
  2565. minLength: 1
  2566. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2567. type: string
  2568. namespace:
  2569. description: |-
  2570. The namespace of the Secret resource being referred to.
  2571. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2572. maxLength: 63
  2573. minLength: 1
  2574. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2575. type: string
  2576. type: object
  2577. accessType:
  2578. description: |-
  2579. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  2580. In some instances, `key` is a required field.
  2581. properties:
  2582. key:
  2583. description: |-
  2584. A key in the referenced Secret.
  2585. Some instances of this field may be defaulted, in others it may be required.
  2586. maxLength: 253
  2587. minLength: 1
  2588. pattern: ^[-._a-zA-Z0-9]+$
  2589. type: string
  2590. name:
  2591. description: The name of the Secret resource being referred to.
  2592. maxLength: 253
  2593. minLength: 1
  2594. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2595. type: string
  2596. namespace:
  2597. description: |-
  2598. The namespace of the Secret resource being referred to.
  2599. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2600. maxLength: 63
  2601. minLength: 1
  2602. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2603. type: string
  2604. type: object
  2605. accessTypeParam:
  2606. description: |-
  2607. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  2608. In some instances, `key` is a required field.
  2609. properties:
  2610. key:
  2611. description: |-
  2612. A key in the referenced Secret.
  2613. Some instances of this field may be defaulted, in others it may be required.
  2614. maxLength: 253
  2615. minLength: 1
  2616. pattern: ^[-._a-zA-Z0-9]+$
  2617. type: string
  2618. name:
  2619. description: The name of the Secret resource being referred to.
  2620. maxLength: 253
  2621. minLength: 1
  2622. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2623. type: string
  2624. namespace:
  2625. description: |-
  2626. The namespace of the Secret resource being referred to.
  2627. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2628. maxLength: 63
  2629. minLength: 1
  2630. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2631. type: string
  2632. type: object
  2633. type: object
  2634. type: object
  2635. caBundle:
  2636. description: |-
2637. PEM/base64 encoded CA bundle used to validate the Akeyless Gateway certificate. Only used
2638. if the AkeylessGWApiURL URL uses the HTTPS protocol. If not set, the system root certificates
2639. are used to validate the TLS connection.
  2640. format: byte
  2641. type: string
  2642. caProvider:
2643. description: The provider for the CA bundle to use to validate the Akeyless Gateway certificate.
  2644. properties:
  2645. key:
  2646. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  2647. maxLength: 253
  2648. minLength: 1
  2649. pattern: ^[-._a-zA-Z0-9]+$
  2650. type: string
  2651. name:
  2652. description: The name of the object located at the provider type.
  2653. maxLength: 253
  2654. minLength: 1
  2655. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2656. type: string
  2657. namespace:
  2658. description: |-
  2659. The namespace the Provider type is in.
  2660. Can only be defined when used in a ClusterSecretStore.
  2661. maxLength: 63
  2662. minLength: 1
  2663. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2664. type: string
  2665. type:
  2666. description: The type of provider to use such as "Secret", or "ConfigMap".
  2667. enum:
  2668. - Secret
  2669. - ConfigMap
  2670. type: string
  2671. required:
  2672. - name
  2673. - type
  2674. type: object
  2675. required:
  2676. - akeylessGWApiURL
  2677. - authSecretRef
  2678. type: object
  2679. aws:
  2680. description: AWS configures this store to sync secrets using AWS Secret Manager provider
  2681. properties:
  2682. additionalRoles:
  2683. description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role
  2684. items:
  2685. type: string
  2686. type: array
  2687. auth:
  2688. description: |-
  2689. Auth defines the information necessary to authenticate against AWS
2690. if not set, the AWS SDK will infer credentials from your environment
  2691. see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
  2692. properties:
  2693. jwt:
2694. description: AWSJWTAuth stores a reference used to authenticate against AWS using service account tokens.
  2695. properties:
  2696. serviceAccountRef:
  2697. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  2698. properties:
  2699. audiences:
  2700. description: |-
  2701. Audience specifies the `aud` claim for the service account token
  2702. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
2703. then these audiences will be appended to the list
  2704. items:
  2705. type: string
  2706. type: array
  2707. name:
  2708. description: The name of the ServiceAccount resource being referred to.
  2709. maxLength: 253
  2710. minLength: 1
  2711. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2712. type: string
  2713. namespace:
  2714. description: |-
  2715. Namespace of the resource being referred to.
  2716. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2717. maxLength: 63
  2718. minLength: 1
  2719. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2720. type: string
  2721. required:
  2722. - name
  2723. type: object
  2724. type: object
  2725. secretRef:
  2726. description: |-
  2727. AWSAuthSecretRef holds secret references for AWS credentials
  2728. both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  2729. properties:
  2730. accessKeyIDSecretRef:
  2731. description: The AccessKeyID is used for authentication
  2732. properties:
  2733. key:
  2734. description: |-
  2735. A key in the referenced Secret.
  2736. Some instances of this field may be defaulted, in others it may be required.
  2737. maxLength: 253
  2738. minLength: 1
  2739. pattern: ^[-._a-zA-Z0-9]+$
  2740. type: string
  2741. name:
  2742. description: The name of the Secret resource being referred to.
  2743. maxLength: 253
  2744. minLength: 1
  2745. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2746. type: string
  2747. namespace:
  2748. description: |-
  2749. The namespace of the Secret resource being referred to.
  2750. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2751. maxLength: 63
  2752. minLength: 1
  2753. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2754. type: string
  2755. type: object
  2756. secretAccessKeySecretRef:
  2757. description: The SecretAccessKey is used for authentication
  2758. properties:
  2759. key:
  2760. description: |-
  2761. A key in the referenced Secret.
  2762. Some instances of this field may be defaulted, in others it may be required.
  2763. maxLength: 253
  2764. minLength: 1
  2765. pattern: ^[-._a-zA-Z0-9]+$
  2766. type: string
  2767. name:
  2768. description: The name of the Secret resource being referred to.
  2769. maxLength: 253
  2770. minLength: 1
  2771. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2772. type: string
  2773. namespace:
  2774. description: |-
  2775. The namespace of the Secret resource being referred to.
  2776. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2777. maxLength: 63
  2778. minLength: 1
  2779. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2780. type: string
  2781. type: object
  2782. sessionTokenSecretRef:
  2783. description: |-
  2784. The SessionToken used for authentication
  2785. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  2786. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  2787. properties:
  2788. key:
  2789. description: |-
  2790. A key in the referenced Secret.
  2791. Some instances of this field may be defaulted, in others it may be required.
  2792. maxLength: 253
  2793. minLength: 1
  2794. pattern: ^[-._a-zA-Z0-9]+$
  2795. type: string
  2796. name:
  2797. description: The name of the Secret resource being referred to.
  2798. maxLength: 253
  2799. minLength: 1
  2800. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2801. type: string
  2802. namespace:
  2803. description: |-
  2804. The namespace of the Secret resource being referred to.
  2805. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2806. maxLength: 63
  2807. minLength: 1
  2808. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2809. type: string
  2810. type: object
  2811. type: object
  2812. type: object
  2813. customSessionTags:
  2814. additionalProperties:
  2815. type: string
  2816. description: |-
  2817. CustomSessionTags defines additional STS session tags to include when SessionTagsPolicy is Custom.
  2818. These are merged with the automatically injected esoNamespace, esoStoreName, and esoStoreKind tags.
  2819. type: object
  2820. x-kubernetes-validations:
  2821. - message: 'customSessionTags cannot contain automatically injected reserved keys: esoNamespace, esoStoreName, esoStoreKind'
  2822. rule: '!(''esoNamespace'' in self) && !(''esoStoreName'' in self) && !(''esoStoreKind'' in self)'
  2823. externalID:
  2824. description: AWS External ID set on assumed IAM roles
  2825. type: string
  2826. prefix:
  2827. description: Prefix adds a prefix to all retrieved values.
  2828. type: string
  2829. region:
  2830. description: AWS Region to be used for the provider
  2831. type: string
  2832. role:
  2833. description: Role is a Role ARN which the provider will assume
  2834. type: string
  2835. secretsManager:
  2836. description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager
  2837. properties:
  2838. forceDeleteWithoutRecovery:
  2839. description: |-
  2840. Specifies whether to delete the secret without any recovery window. You
  2841. can't use both this parameter and RecoveryWindowInDays in the same call.
  2842. If you don't use either, then by default Secrets Manager uses a 30 day
  2843. recovery window.
  2844. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery
  2845. type: boolean
  2846. recoveryWindowInDays:
  2847. description: |-
  2848. The number of days from 7 to 30 that Secrets Manager waits before
  2849. permanently deleting the secret. You can't use both this parameter and
  2850. ForceDeleteWithoutRecovery in the same call. If you don't use either,
  2851. then by default Secrets Manager uses a 30-day recovery window.
  2852. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays
  2853. format: int64
  2854. type: integer
  2855. type: object
  2856. service:
  2857. description: Service defines which service should be used to fetch the secrets
  2858. enum:
  2859. - SecretsManager
  2860. - ParameterStore
  2861. type: string
  2862. sessionTags:
  2863. description: AWS STS assume role session tags
  2864. items:
  2865. description: |-
  2866. Tag is a key-value pair that can be attached to an AWS resource.
  2867. see: https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html
  2868. properties:
  2869. key:
  2870. type: string
  2871. value:
  2872. type: string
  2873. required:
  2874. - key
  2875. - value
  2876. type: object
  2877. type: array
  2878. sessionTagsPolicy:
  2879. default: None
  2880. description: |-
  2881. SessionTagsPolicy controls whether and how STS session tags are added when assuming roles.
  2882. None (default): no tags are added.
  2883. Simple: automatically adds esoNamespace (from the ExternalSecret), esoStoreName, and esoStoreKind tags.
  2884. Custom: adds esoNamespace, esoStoreName, and esoStoreKind plus any tags defined in CustomSessionTags.
  2885. Note: the IAM role must have sts:TagSession permission when using Simple or Custom.
  2886. enum:
  2887. - None
  2888. - Simple
  2889. - Custom
  2890. type: string
  2891. transitiveTagKeys:
2892. description: AWS STS assume role transitive session tags. Required when multiple roles are used with the provider
  2893. items:
  2894. type: string
  2895. type: array
  2896. required:
  2897. - region
  2898. - service
  2899. type: object
  2900. azurekv:
  2901. description: AzureKV configures this store to sync secrets using Azure Key Vault provider
  2902. properties:
  2903. authSecretRef:
  2904. description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
  2905. properties:
  2906. clientCertificate:
2907. description: The Azure ClientCertificate of the service principal used for authentication.
  2908. properties:
  2909. key:
  2910. description: |-
  2911. A key in the referenced Secret.
  2912. Some instances of this field may be defaulted, in others it may be required.
  2913. maxLength: 253
  2914. minLength: 1
  2915. pattern: ^[-._a-zA-Z0-9]+$
  2916. type: string
  2917. name:
  2918. description: The name of the Secret resource being referred to.
  2919. maxLength: 253
  2920. minLength: 1
  2921. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2922. type: string
  2923. namespace:
  2924. description: |-
  2925. The namespace of the Secret resource being referred to.
  2926. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2927. maxLength: 63
  2928. minLength: 1
  2929. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2930. type: string
  2931. type: object
  2932. clientId:
2933. description: The Azure clientId of the service principal or managed identity used for authentication.
  2934. properties:
  2935. key:
  2936. description: |-
  2937. A key in the referenced Secret.
  2938. Some instances of this field may be defaulted, in others it may be required.
  2939. maxLength: 253
  2940. minLength: 1
  2941. pattern: ^[-._a-zA-Z0-9]+$
  2942. type: string
  2943. name:
  2944. description: The name of the Secret resource being referred to.
  2945. maxLength: 253
  2946. minLength: 1
  2947. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2948. type: string
  2949. namespace:
  2950. description: |-
  2951. The namespace of the Secret resource being referred to.
  2952. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2953. maxLength: 63
  2954. minLength: 1
  2955. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2956. type: string
  2957. type: object
  2958. clientSecret:
2959. description: The Azure ClientSecret of the service principal used for authentication.
  2960. properties:
  2961. key:
  2962. description: |-
  2963. A key in the referenced Secret.
  2964. Some instances of this field may be defaulted, in others it may be required.
  2965. maxLength: 253
  2966. minLength: 1
  2967. pattern: ^[-._a-zA-Z0-9]+$
  2968. type: string
  2969. name:
  2970. description: The name of the Secret resource being referred to.
  2971. maxLength: 253
  2972. minLength: 1
  2973. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2974. type: string
  2975. namespace:
  2976. description: |-
  2977. The namespace of the Secret resource being referred to.
  2978. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2979. maxLength: 63
  2980. minLength: 1
  2981. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2982. type: string
  2983. type: object
  2984. tenantId:
  2985. description: The Azure tenantId of the managed identity used for authentication.
  2986. properties:
  2987. key:
  2988. description: |-
  2989. A key in the referenced Secret.
  2990. Some instances of this field may be defaulted, in others it may be required.
  2991. maxLength: 253
  2992. minLength: 1
  2993. pattern: ^[-._a-zA-Z0-9]+$
  2994. type: string
  2995. name:
  2996. description: The name of the Secret resource being referred to.
  2997. maxLength: 253
  2998. minLength: 1
  2999. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3000. type: string
  3001. namespace:
  3002. description: |-
  3003. The namespace of the Secret resource being referred to.
  3004. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3005. maxLength: 63
  3006. minLength: 1
  3007. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3008. type: string
  3009. type: object
  3010. type: object
  3011. authType:
  3012. default: ServicePrincipal
  3013. description: |-
  3014. Auth type defines how to authenticate to the keyvault service.
  3015. Valid values are:
  3016. - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
  3017. - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
  3018. - "WorkloadIdentity": Using a Kubernetes ServiceAccount federated with Entra ID
  3019. enum:
  3020. - ServicePrincipal
  3021. - ManagedIdentity
  3022. - WorkloadIdentity
  3023. type: string
  3024. customCloudConfig:
  3025. description: |-
  3026. CustomCloudConfig defines custom Azure endpoints for non-standard clouds.
  3027. Required when EnvironmentType is AzureStackCloud.
  3028. Optional for other environment types - useful for Azure China when using Workload Identity
  3029. with AKS, where the OIDC issuer (login.partner.microsoftonline.cn) differs from the
  3030. standard China Cloud endpoint (login.chinacloudapi.cn).
  3031. IMPORTANT: This feature REQUIRES UseAzureSDK to be set to true. Custom cloud
  3032. configuration is not supported with the legacy go-autorest SDK.
  3033. properties:
  3034. activeDirectoryEndpoint:
  3035. description: |-
  3036. ActiveDirectoryEndpoint is the AAD endpoint for authentication
  3037. Required when using custom cloud configuration
  3038. type: string
  3039. keyVaultDNSSuffix:
  3040. description: KeyVaultDNSSuffix is the DNS suffix for Key Vault URLs
  3041. type: string
  3042. keyVaultEndpoint:
  3043. description: KeyVaultEndpoint is the Key Vault service endpoint
  3044. type: string
  3045. resourceManagerEndpoint:
  3046. description: ResourceManagerEndpoint is the Azure Resource Manager endpoint
  3047. type: string
  3048. required:
  3049. - activeDirectoryEndpoint
  3050. type: object
  3051. environmentType:
  3052. default: PublicCloud
  3053. description: |-
  3054. EnvironmentType specifies the Azure cloud environment endpoints to use for
  3055. connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
  3056. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
  3057. PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud, AzureStackCloud
  3058. Use AzureStackCloud when you need to configure custom Azure Stack Hub or Azure Stack Edge endpoints.
  3059. enum:
  3060. - PublicCloud
  3061. - USGovernmentCloud
  3062. - ChinaCloud
  3063. - GermanCloud
  3064. - AzureStackCloud
  3065. type: string
  3066. identityId:
  3067. description: If multiple Managed Identities are assigned to the pod, you can select the one to be used.
  3068. type: string
  3069. serviceAccountRef:
  3070. description: |-
  3071. ServiceAccountRef specifies the service account
  3072. that should be used when authenticating with WorkloadIdentity.
  3073. properties:
  3074. audiences:
  3075. description: |-
  3076. Audience specifies the `aud` claim for the service account token.
  3077. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity,
  3078. then these audiences will be appended to the list.
  3079. items:
  3080. type: string
  3081. type: array
  3082. name:
  3083. description: The name of the ServiceAccount resource being referred to.
  3084. maxLength: 253
  3085. minLength: 1
  3086. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3087. type: string
  3088. namespace:
  3089. description: |-
  3090. Namespace of the resource being referred to.
  3091. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3092. maxLength: 63
  3093. minLength: 1
  3094. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3095. type: string
  3096. required:
  3097. - name
  3098. type: object
  3099. tenantId:
  3100. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
  3101. type: string
  3102. useAzureSDK:
  3103. default: false
  3104. description: |-
  3105. UseAzureSDK enables the use of the new Azure SDK for Go (azcore-based) instead of the legacy go-autorest SDK.
  3106. This is experimental and may have behavioral differences. Defaults to false (legacy SDK).
  3107. type: boolean
  3108. vaultUrl:
  3109. description: Vault URL from which the secrets are to be fetched.
  3110. type: string
  3111. required:
  3112. - vaultUrl
  3113. type: object
  3114. barbican:
  3115. description: Barbican configures this store to sync secrets using the OpenStack Barbican provider
  3116. properties:
  3117. auth:
  3118. description: BarbicanAuth contains the authentication information for Barbican.
  3119. properties:
  3120. password:
  3121. description: BarbicanProviderPasswordRef defines a reference to a secret containing the password for the Barbican provider.
  3122. properties:
  3123. secretRef:
  3124. description: |-
  3125. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  3126. In some instances, `key` is a required field.
  3127. properties:
  3128. key:
  3129. description: |-
  3130. A key in the referenced Secret.
  3131. Some instances of this field may be defaulted, in others it may be required.
  3132. maxLength: 253
  3133. minLength: 1
  3134. pattern: ^[-._a-zA-Z0-9]+$
  3135. type: string
  3136. name:
  3137. description: The name of the Secret resource being referred to.
  3138. maxLength: 253
  3139. minLength: 1
  3140. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3141. type: string
  3142. namespace:
  3143. description: |-
  3144. The namespace of the Secret resource being referred to.
  3145. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3146. maxLength: 63
  3147. minLength: 1
  3148. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3149. type: string
  3150. type: object
  3151. required:
  3152. - secretRef
  3153. type: object
  3154. username:
  3155. description: BarbicanProviderUsernameRef defines a reference to a secret containing the username for the Barbican provider.
  3156. maxProperties: 1
  3157. minProperties: 1
  3158. properties:
  3159. secretRef:
  3160. description: |-
  3161. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  3162. In some instances, `key` is a required field.
  3163. properties:
  3164. key:
  3165. description: |-
  3166. A key in the referenced Secret.
  3167. Some instances of this field may be defaulted, in others it may be required.
  3168. maxLength: 253
  3169. minLength: 1
  3170. pattern: ^[-._a-zA-Z0-9]+$
  3171. type: string
  3172. name:
  3173. description: The name of the Secret resource being referred to.
  3174. maxLength: 253
  3175. minLength: 1
  3176. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3177. type: string
  3178. namespace:
  3179. description: |-
  3180. The namespace of the Secret resource being referred to.
  3181. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3182. maxLength: 63
  3183. minLength: 1
  3184. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3185. type: string
  3186. type: object
  3187. value:
  3188. type: string
  3189. type: object
  3190. required:
  3191. - password
  3192. - username
  3193. type: object
  3194. authURL:
  3195. type: string
  3196. domainName:
  3197. type: string
  3198. region:
  3199. type: string
  3200. tenantName:
  3201. type: string
  3202. required:
  3203. - auth
  3204. type: object
  3205. beyondtrust:
  3206. description: Beyondtrust configures this store to sync secrets using Password Safe provider.
  3207. properties:
  3208. auth:
  3209. description: Auth configures how the operator authenticates with Beyondtrust.
  3210. properties:
  3211. apiKey:
  3212. description: APIKey is optional; if it is not provided, then ClientID/ClientSecret become required.
  3213. properties:
  3214. secretRef:
  3215. description: SecretRef references a key in a secret that will be used as value.
  3216. properties:
  3217. key:
  3218. description: |-
  3219. A key in the referenced Secret.
  3220. Some instances of this field may be defaulted, in others it may be required.
  3221. maxLength: 253
  3222. minLength: 1
  3223. pattern: ^[-._a-zA-Z0-9]+$
  3224. type: string
  3225. name:
  3226. description: The name of the Secret resource being referred to.
  3227. maxLength: 253
  3228. minLength: 1
  3229. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3230. type: string
  3231. namespace:
  3232. description: |-
  3233. The namespace of the Secret resource being referred to.
  3234. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3235. maxLength: 63
  3236. minLength: 1
  3237. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3238. type: string
  3239. type: object
  3240. value:
  3241. description: Value can be specified directly to set a value without using a secret.
  3242. type: string
  3243. type: object
  3244. certificate:
  3245. description: Certificate (cert.pem) for use when authenticating with an OAuth client Id using a Client Certificate.
  3246. properties:
  3247. secretRef:
  3248. description: SecretRef references a key in a secret that will be used as value.
  3249. properties:
  3250. key:
  3251. description: |-
  3252. A key in the referenced Secret.
  3253. Some instances of this field may be defaulted, in others it may be required.
  3254. maxLength: 253
  3255. minLength: 1
  3256. pattern: ^[-._a-zA-Z0-9]+$
  3257. type: string
  3258. name:
  3259. description: The name of the Secret resource being referred to.
  3260. maxLength: 253
  3261. minLength: 1
  3262. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3263. type: string
  3264. namespace:
  3265. description: |-
  3266. The namespace of the Secret resource being referred to.
  3267. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3268. maxLength: 63
  3269. minLength: 1
  3270. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3271. type: string
  3272. type: object
  3273. value:
  3274. description: Value can be specified directly to set a value without using a secret.
  3275. type: string
  3276. type: object
  3277. certificateKey:
  3278. description: Certificate private key (key.pem), for use when authenticating with an OAuth client Id.
  3279. properties:
  3280. secretRef:
  3281. description: SecretRef references a key in a secret that will be used as value.
  3282. properties:
  3283. key:
  3284. description: |-
  3285. A key in the referenced Secret.
  3286. Some instances of this field may be defaulted, in others it may be required.
  3287. maxLength: 253
  3288. minLength: 1
  3289. pattern: ^[-._a-zA-Z0-9]+$
  3290. type: string
  3291. name:
  3292. description: The name of the Secret resource being referred to.
  3293. maxLength: 253
  3294. minLength: 1
  3295. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3296. type: string
  3297. namespace:
  3298. description: |-
  3299. The namespace of the Secret resource being referred to.
  3300. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3301. maxLength: 63
  3302. minLength: 1
  3303. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3304. type: string
  3305. type: object
  3306. value:
  3307. description: Value can be specified directly to set a value without using a secret.
  3308. type: string
  3309. type: object
  3310. clientId:
  3311. description: ClientID is the API OAuth Client ID.
  3312. properties:
  3313. secretRef:
  3314. description: SecretRef references a key in a secret that will be used as value.
  3315. properties:
  3316. key:
  3317. description: |-
  3318. A key in the referenced Secret.
  3319. Some instances of this field may be defaulted, in others it may be required.
  3320. maxLength: 253
  3321. minLength: 1
  3322. pattern: ^[-._a-zA-Z0-9]+$
  3323. type: string
  3324. name:
  3325. description: The name of the Secret resource being referred to.
  3326. maxLength: 253
  3327. minLength: 1
  3328. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3329. type: string
  3330. namespace:
  3331. description: |-
  3332. The namespace of the Secret resource being referred to.
  3333. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3334. maxLength: 63
  3335. minLength: 1
  3336. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3337. type: string
  3338. type: object
  3339. value:
  3340. description: Value can be specified directly to set a value without using a secret.
  3341. type: string
  3342. type: object
  3343. clientSecret:
  3344. description: ClientSecret is the API OAuth Client Secret.
  3345. properties:
  3346. secretRef:
  3347. description: SecretRef references a key in a secret that will be used as value.
  3348. properties:
  3349. key:
  3350. description: |-
  3351. A key in the referenced Secret.
  3352. Some instances of this field may be defaulted, in others it may be required.
  3353. maxLength: 253
  3354. minLength: 1
  3355. pattern: ^[-._a-zA-Z0-9]+$
  3356. type: string
  3357. name:
  3358. description: The name of the Secret resource being referred to.
  3359. maxLength: 253
  3360. minLength: 1
  3361. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3362. type: string
  3363. namespace:
  3364. description: |-
  3365. The namespace of the Secret resource being referred to.
  3366. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3367. maxLength: 63
  3368. minLength: 1
  3369. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3370. type: string
  3371. type: object
  3372. value:
  3373. description: Value can be specified directly to set a value without using a secret.
  3374. type: string
  3375. type: object
  3376. type: object
  3377. server:
  3378. description: Server configures how the operator connects to the API server.
  3379. properties:
  3380. apiUrl:
  3381. type: string
  3382. apiVersion:
  3383. type: string
  3384. clientTimeOutSeconds:
  3385. description: Timeout specifies a time limit for requests made by this Client. The timeout includes connection time, any redirects, and reading the response body. Defaults to 45 seconds.
  3386. type: integer
  3387. decrypt:
  3388. default: true
  3389. description: 'When true, the response includes the decrypted password. When false, the password field is omitted. This option only applies to the SECRET retrieval type. Default: true.'
  3390. type: boolean
  3391. retrievalType:
  3392. description: The secret retrieval type. SECRET = Secrets Safe (credential, text, file). MANAGED_ACCOUNT = Password Safe account associated with a system.
  3393. type: string
  3394. separator:
  3395. description: A character that separates the folder names.
  3396. type: string
  3397. verifyCA:
  3398. type: boolean
  3399. required:
  3400. - apiUrl
  3401. - verifyCA
  3402. type: object
  3403. required:
  3404. - auth
  3405. - server
  3406. type: object
  3407. beyondtrustworkloadcredentials:
  3408. description: BeyondtrustWorkloadCredentials configures this store to sync secrets using the BeyondTrust Workload Credentials provider.
  3409. properties:
  3410. auth:
  3411. description: |-
  3412. Auth configures how the Operator authenticates with the BeyondTrust Workload Credentials API.
  3413. Currently supports API key authentication via Kubernetes secret reference.
  3414. For authentication setup, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#authentication
  3415. properties:
  3416. apikey:
  3417. description: |-
  3418. APIKey configures API token authentication for BeyondTrust Workload Credentials.
  3419. The token is retrieved from a Kubernetes secret and used as a Bearer token for API requests.
  3420. properties:
  3421. token:
  3422. description: |-
  3423. Token references the Kubernetes secret containing the BeyondTrust Workload Credentials API token.
  3424. The secret should contain the API key used to authenticate with BeyondTrust Workload Credentials.
  3425. Create an API token in your BeyondTrust Workload Credentials console and store it in a Kubernetes secret.
  3426. For details on creating API tokens, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#authentication
  3427. properties:
  3428. key:
  3429. description: |-
  3430. A key in the referenced Secret.
  3431. Some instances of this field may be defaulted, in others it may be required.
  3432. maxLength: 253
  3433. minLength: 1
  3434. pattern: ^[-._a-zA-Z0-9]+$
  3435. type: string
  3436. name:
  3437. description: The name of the Secret resource being referred to.
  3438. maxLength: 253
  3439. minLength: 1
  3440. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3441. type: string
  3442. namespace:
  3443. description: |-
  3444. The namespace of the Secret resource being referred to.
  3445. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3446. maxLength: 63
  3447. minLength: 1
  3448. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3449. type: string
  3450. type: object
  3451. required:
  3452. - token
  3453. type: object
  3454. required:
  3455. - apikey
  3456. type: object
  3457. caBundle:
  3458. description: |-
  3459. CABundle is a base64-encoded CA certificate used to validate the BeyondTrust Workload Credentials API TLS certificate.
  3460. Use this when your BeyondTrust instance uses a self-signed certificate or internal CA.
  3461. If not set, the system's trusted root certificates are used.
  3462. format: byte
  3463. type: string
  3464. caProvider:
  3465. description: |-
  3466. CAProvider points to a Secret or ConfigMap containing a PEM-encoded CA certificate.
  3467. This is used to validate the BeyondTrust Workload Credentials API TLS certificate.
  3468. Use this as an alternative to CABundle when you want to reference an existing Kubernetes resource.
  3469. properties:
  3470. key:
  3471. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  3472. maxLength: 253
  3473. minLength: 1
  3474. pattern: ^[-._a-zA-Z0-9]+$
  3475. type: string
  3476. name:
  3477. description: The name of the object located at the provider type.
  3478. maxLength: 253
  3479. minLength: 1
  3480. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3481. type: string
  3482. namespace:
  3483. description: |-
  3484. The namespace the Provider type is in.
  3485. Can only be defined when used in a ClusterSecretStore.
  3486. maxLength: 63
  3487. minLength: 1
  3488. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3489. type: string
  3490. type:
  3491. description: The type of provider to use such as "Secret", or "ConfigMap".
  3492. enum:
  3493. - Secret
  3494. - ConfigMap
  3495. type: string
  3496. required:
  3497. - name
  3498. - type
  3499. type: object
  3500. folderPath:
  3501. description: |-
  3502. FolderPath specifies the default folder path for secret retrieval.
  3503. Secrets will be fetched from this folder unless overridden in the ExternalSecret spec.
  3504. Example: "production/database" or "dev/api-keys"
  3505. Leave empty to retrieve secrets from the root folder.
  3506. For folder organization, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#folders
  3507. type: string
  3508. server:
  3509. description: |-
  3510. Server configures the BeyondTrust Workload Credentials server connection details.
  3511. Includes the API URL and Site ID for your BeyondTrust instance.
  3512. For API reference, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
  3513. properties:
  3514. apiUrl:
  3515. description: |-
  3516. APIURL is the base URL of your BeyondTrust Workload Credentials API server.
  3517. This should be the full URL to your BeyondTrust instance.
  3518. Example: https://api.beyondtrust.io/siie
  3519. For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#base-url
  3520. type: string
  3521. siteId:
  3522. description: |-
  3523. SiteID is your BeyondTrust Workload Credentials site identifier (UUID format).
  3524. This identifier is unique to your BeyondTrust Workload Credentials instance.
  3525. You can find your Site ID in the BeyondTrust Workload Credentials admin console.
  3526. Example: a1b2c3d4-e5f6-4890-abcd-ef1234567890
  3527. For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
  3528. type: string
  3529. required:
  3530. - apiUrl
  3531. - siteId
  3532. type: object
  3533. required:
  3534. - auth
  3535. - server
  3536. type: object
  3537. bitwardensecretsmanager:
  3538. description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider
  3539. properties:
  3540. apiURL:
  3541. type: string
  3542. auth:
  3543. description: |-
  3544. Auth configures how secret-manager authenticates with a bitwarden machine account instance.
  3545. Make sure that the token being used has permissions on the given secret.
  3546. properties:
  3547. secretRef:
  3548. description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance.
  3549. properties:
  3550. credentials:
  3551. description: AccessToken used for the bitwarden instance.
  3552. properties:
  3553. key:
  3554. description: |-
  3555. A key in the referenced Secret.
  3556. Some instances of this field may be defaulted, in others it may be required.
  3557. maxLength: 253
  3558. minLength: 1
  3559. pattern: ^[-._a-zA-Z0-9]+$
  3560. type: string
  3561. name:
  3562. description: The name of the Secret resource being referred to.
  3563. maxLength: 253
  3564. minLength: 1
  3565. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3566. type: string
  3567. namespace:
  3568. description: |-
  3569. The namespace of the Secret resource being referred to.
  3570. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3571. maxLength: 63
  3572. minLength: 1
  3573. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3574. type: string
  3575. type: object
  3576. required:
  3577. - credentials
  3578. type: object
  3579. required:
  3580. - secretRef
  3581. type: object
  3582. bitwardenServerSDKURL:
  3583. type: string
  3584. caBundle:
  3585. description: |-
  3586. Base64-encoded certificate for the Bitwarden server SDK. The SDK MUST run with HTTPS to ensure that no MITM attack
  3587. can be performed.
  3588. type: string
  3589. caProvider:
  3590. description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider'
  3591. properties:
  3592. key:
  3593. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  3594. maxLength: 253
  3595. minLength: 1
  3596. pattern: ^[-._a-zA-Z0-9]+$
  3597. type: string
  3598. name:
  3599. description: The name of the object located at the provider type.
  3600. maxLength: 253
  3601. minLength: 1
  3602. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3603. type: string
  3604. namespace:
  3605. description: |-
  3606. The namespace the Provider type is in.
  3607. Can only be defined when used in a ClusterSecretStore.
  3608. maxLength: 63
  3609. minLength: 1
  3610. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3611. type: string
  3612. type:
  3613. description: The type of provider to use such as "Secret", or "ConfigMap".
  3614. enum:
  3615. - Secret
  3616. - ConfigMap
  3617. type: string
  3618. required:
  3619. - name
  3620. - type
  3621. type: object
  3622. identityURL:
  3623. type: string
  3624. organizationID:
  3625. description: OrganizationID determines which organization this secret store manages.
  3626. type: string
  3627. projectID:
  3628. description: ProjectID determines which project this secret store manages.
  3629. type: string
  3630. required:
  3631. - auth
  3632. - organizationID
  3633. - projectID
  3634. type: object
  3635. chef:
  3636. description: Chef configures this store to sync secrets with a Chef server.
  3637. properties:
  3638. auth:
  3639. description: Auth defines the information necessary to authenticate against the Chef server.
  3640. properties:
  3641. secretRef:
  3642. description: ChefAuthSecretRef holds secret references for chef server login credentials.
  3643. properties:
  3644. privateKeySecretRef:
  3645. description: SecretKey is the Signing Key in PEM format, used for authentication.
  3646. properties:
  3647. key:
  3648. description: |-
  3649. A key in the referenced Secret.
  3650. Some instances of this field may be defaulted, in others it may be required.
  3651. maxLength: 253
  3652. minLength: 1
  3653. pattern: ^[-._a-zA-Z0-9]+$
  3654. type: string
  3655. name:
  3656. description: The name of the Secret resource being referred to.
  3657. maxLength: 253
  3658. minLength: 1
  3659. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3660. type: string
  3661. namespace:
  3662. description: |-
  3663. The namespace of the Secret resource being referred to.
  3664. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3665. maxLength: 63
  3666. minLength: 1
  3667. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3668. type: string
  3669. type: object
  3670. required:
  3671. - privateKeySecretRef
  3672. type: object
  3673. required:
  3674. - secretRef
  3675. type: object
  3676. serverUrl:
  3677. description: ServerURL is the Chef server URL to connect to. If using orgs, include your org in the URL and terminate the URL with a "/".
  3678. type: string
  3679. username:
  3680. description: UserName should be the user ID on the Chef server.
  3681. type: string
  3682. required:
  3683. - auth
  3684. - serverUrl
  3685. - username
  3686. type: object
  3687. cloudrusm:
  3688. description: CloudruSM configures this store to sync secrets using the Cloud.ru Secret Manager provider
  3689. properties:
  3690. auth:
  3691. description: CSMAuth contains a secretRef for credentials.
  3692. properties:
  3693. secretRef:
  3694. description: CSMAuthSecretRef holds secret references for Cloud.ru credentials.
  3695. properties:
  3696. accessKeyIDSecretRef:
  3697. description: The AccessKeyID is used for authentication
  3698. properties:
  3699. key:
  3700. description: |-
  3701. A key in the referenced Secret.
  3702. Some instances of this field may be defaulted, in others it may be required.
  3703. maxLength: 253
  3704. minLength: 1
  3705. pattern: ^[-._a-zA-Z0-9]+$
  3706. type: string
  3707. name:
  3708. description: The name of the Secret resource being referred to.
  3709. maxLength: 253
  3710. minLength: 1
  3711. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3712. type: string
  3713. namespace:
  3714. description: |-
  3715. The namespace of the Secret resource being referred to.
  3716. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3717. maxLength: 63
  3718. minLength: 1
  3719. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3720. type: string
  3721. type: object
  3722. accessKeySecretSecretRef:
  3723. description: The AccessKeySecret is used for authentication
  3724. properties:
  3725. key:
  3726. description: |-
  3727. A key in the referenced Secret.
  3728. Some instances of this field may be defaulted, in others it may be required.
  3729. maxLength: 253
  3730. minLength: 1
  3731. pattern: ^[-._a-zA-Z0-9]+$
  3732. type: string
  3733. name:
  3734. description: The name of the Secret resource being referred to.
  3735. maxLength: 253
  3736. minLength: 1
  3737. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3738. type: string
  3739. namespace:
  3740. description: |-
  3741. The namespace of the Secret resource being referred to.
  3742. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3743. maxLength: 63
  3744. minLength: 1
  3745. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3746. type: string
  3747. type: object
  3748. required:
  3749. - accessKeyIDSecretRef
  3750. - accessKeySecretSecretRef
  3751. type: object
  3752. type: object
  3753. projectID:
  3754. description: ProjectID is the project in which the secrets are stored.
  3755. type: string
  3756. required:
  3757. - auth
  3758. type: object
  3759. conjur:
  3760. description: Conjur configures this store to sync secrets using conjur provider
  3761. properties:
  3762. auth:
  3763. description: Defines authentication settings for connecting to Conjur.
  3764. properties:
  3765. apikey:
  3766. description: Authenticates with Conjur using an API key.
  3767. properties:
  3768. account:
  3769. description: Account is the Conjur organization account name.
  3770. type: string
  3771. apiKeyRef:
  3772. description: |-
  3773. A reference to a specific 'key' containing the Conjur API key
  3774. within a Secret resource. In some instances, `key` is a required field.
  3775. properties:
  3776. key:
  3777. description: |-
  3778. A key in the referenced Secret.
  3779. Some instances of this field may be defaulted, in others it may be required.
  3780. maxLength: 253
  3781. minLength: 1
  3782. pattern: ^[-._a-zA-Z0-9]+$
  3783. type: string
  3784. name:
  3785. description: The name of the Secret resource being referred to.
  3786. maxLength: 253
  3787. minLength: 1
  3788. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3789. type: string
  3790. namespace:
  3791. description: |-
  3792. The namespace of the Secret resource being referred to.
  3793. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3794. maxLength: 63
  3795. minLength: 1
  3796. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3797. type: string
  3798. type: object
  3799. userRef:
  3800. description: |-
  3801. A reference to a specific 'key' containing the Conjur username
  3802. within a Secret resource. In some instances, `key` is a required field.
  3803. properties:
  3804. key:
  3805. description: |-
  3806. A key in the referenced Secret.
  3807. Some instances of this field may be defaulted, in others it may be required.
  3808. maxLength: 253
  3809. minLength: 1
  3810. pattern: ^[-._a-zA-Z0-9]+$
  3811. type: string
  3812. name:
  3813. description: The name of the Secret resource being referred to.
  3814. maxLength: 253
  3815. minLength: 1
  3816. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3817. type: string
  3818. namespace:
  3819. description: |-
  3820. The namespace of the Secret resource being referred to.
  3821. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3822. maxLength: 63
  3823. minLength: 1
  3824. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3825. type: string
  3826. type: object
  3827. required:
  3828. - account
  3829. - apiKeyRef
  3830. - userRef
  3831. type: object
  3832. jwt:
  3833. description: Jwt enables JWT authentication using Kubernetes service account tokens.
  3834. properties:
  3835. account:
  3836. description: Account is the Conjur organization account name.
  3837. type: string
  3838. hostId:
  3839. description: |-
  3840. Optional HostID for JWT authentication. This may be used depending
  3841. on how the Conjur JWT authenticator policy is configured.
  3842. type: string
  3843. secretRef:
  3844. description: |-
  3845. Optional SecretRef that refers to a key in a Secret resource containing a JWT token used to
  3846. authenticate with Conjur using the JWT authentication method.
  3847. properties:
  3848. key:
  3849. description: |-
  3850. A key in the referenced Secret.
  3851. Some instances of this field may be defaulted, in others it may be required.
  3852. maxLength: 253
  3853. minLength: 1
  3854. pattern: ^[-._a-zA-Z0-9]+$
  3855. type: string
  3856. name:
  3857. description: The name of the Secret resource being referred to.
  3858. maxLength: 253
  3859. minLength: 1
  3860. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3861. type: string
  3862. namespace:
  3863. description: |-
  3864. The namespace of the Secret resource being referred to.
  3865. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3866. maxLength: 63
  3867. minLength: 1
  3868. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3869. type: string
  3870. type: object
  3871. serviceAccountRef:
  3872. description: |-
  3873. Optional ServiceAccountRef specifies the Kubernetes service account for which to request
  3874. a token with the `TokenRequest` API.
  3875. properties:
  3876. audiences:
  3877. description: |-
  3878. Audience specifies the `aud` claim for the service account token.
  3879. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity,
  3880. then these audiences will be appended to the list.
  3881. items:
  3882. type: string
  3883. type: array
  3884. name:
  3885. description: The name of the ServiceAccount resource being referred to.
  3886. maxLength: 253
  3887. minLength: 1
  3888. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3889. type: string
  3890. namespace:
  3891. description: |-
  3892. Namespace of the resource being referred to.
  3893. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3894. maxLength: 63
  3895. minLength: 1
  3896. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3897. type: string
  3898. required:
  3899. - name
  3900. type: object
  3901. serviceID:
  3902. description: The Conjur authn JWT webservice ID.
  3903. type: string
  3904. required:
  3905. - account
  3906. - serviceID
  3907. type: object
  3908. type: object
  3909. caBundle:
  3910. description: CABundle is a PEM encoded CA bundle that will be used to validate the Conjur server certificate.
  3911. type: string
  3912. caProvider:
  3913. description: |-
  3914. Used to provide custom certificate authority (CA) certificates
  3915. for a secret store. The CAProvider points to a Secret or ConfigMap resource
  3916. that contains a PEM-encoded certificate.
  3917. properties:
  3918. key:
  3919. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  3920. maxLength: 253
  3921. minLength: 1
  3922. pattern: ^[-._a-zA-Z0-9]+$
  3923. type: string
  3924. name:
  3925. description: The name of the object located at the provider type.
  3926. maxLength: 253
  3927. minLength: 1
  3928. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3929. type: string
  3930. namespace:
  3931. description: |-
  3932. The namespace the Provider type is in.
  3933. Can only be defined when used in a ClusterSecretStore.
  3934. maxLength: 63
  3935. minLength: 1
  3936. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3937. type: string
  3938. type:
  3939. description: The type of provider to use such as "Secret", or "ConfigMap".
  3940. enum:
  3941. - Secret
  3942. - ConfigMap
  3943. type: string
  3944. required:
  3945. - name
  3946. - type
  3947. type: object
  3948. url:
  3949. description: URL is the endpoint of the Conjur instance.
  3950. type: string
  3951. required:
  3952. - auth
  3953. - url
  3954. type: object
  3955. delinea:
  3956. description: |-
  3957. Delinea DevOps Secrets Vault
  3958. https://docs.delinea.com/online-help/products/devops-secrets-vault/current
  3959. properties:
  3960. clientId:
  3961. description: ClientID is the non-secret part of the credential.
  3962. properties:
  3963. secretRef:
  3964. description: SecretRef references a key in a secret that will be used as value.
  3965. properties:
  3966. key:
  3967. description: |-
  3968. A key in the referenced Secret.
  3969. Some instances of this field may be defaulted, in others it may be required.
  3970. maxLength: 253
  3971. minLength: 1
  3972. pattern: ^[-._a-zA-Z0-9]+$
  3973. type: string
  3974. name:
  3975. description: The name of the Secret resource being referred to.
  3976. maxLength: 253
  3977. minLength: 1
  3978. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3979. type: string
  3980. namespace:
  3981. description: |-
  3982. The namespace of the Secret resource being referred to.
  3983. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3984. maxLength: 63
  3985. minLength: 1
  3986. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3987. type: string
  3988. type: object
  3989. value:
  3990. description: Value can be specified directly to set a value without using a secret.
  3991. type: string
  3992. type: object
  3993. clientSecret:
  3994. description: ClientSecret is the secret part of the credential.
  3995. properties:
  3996. secretRef:
  3997. description: SecretRef references a key in a secret that will be used as value.
  3998. properties:
  3999. key:
  4000. description: |-
  4001. A key in the referenced Secret.
  4002. Some instances of this field may be defaulted, in others it may be required.
  4003. maxLength: 253
  4004. minLength: 1
  4005. pattern: ^[-._a-zA-Z0-9]+$
  4006. type: string
  4007. name:
  4008. description: The name of the Secret resource being referred to.
  4009. maxLength: 253
  4010. minLength: 1
  4011. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4012. type: string
  4013. namespace:
  4014. description: |-
  4015. The namespace of the Secret resource being referred to.
  4016. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4017. maxLength: 63
  4018. minLength: 1
  4019. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4020. type: string
  4021. type: object
  4022. value:
  4023. description: Value can be specified directly to set a value without using a secret.
  4024. type: string
  4025. type: object
  4026. tenant:
  4027. description: Tenant is the chosen hostname / site name.
  4028. type: string
  4029. tld:
  4030. description: |-
  4031. TLD is based on the server location that was chosen during provisioning.
  4032. If unset, defaults to "com".
  4033. type: string
  4034. urlTemplate:
  4035. description: |-
  4036. URLTemplate
  4037. If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s".
  4038. type: string
  4039. required:
  4040. - clientId
  4041. - clientSecret
  4042. - tenant
  4043. type: object
  4044. doppler:
  4045. description: Doppler configures this store to sync secrets using the Doppler provider
  4046. properties:
  4047. auth:
  4048. description: Auth configures how the Operator authenticates with the Doppler API
  4049. properties:
  4050. oidcConfig:
  4051. description: OIDCConfig authenticates using Kubernetes ServiceAccount tokens via OIDC.
  4052. properties:
  4053. expirationSeconds:
  4054. default: 600
  4055. description: |-
  4056. ExpirationSeconds sets the ServiceAccount token validity duration.
  4057. Defaults to 10 minutes.
  4058. format: int64
  4059. type: integer
  4060. identity:
  4061. description: Identity is the Doppler Service Account Identity ID configured for OIDC authentication.
  4062. type: string
  4063. serviceAccountRef:
  4064. description: ServiceAccountRef specifies the Kubernetes ServiceAccount to use for authentication.
  4065. properties:
  4066. audiences:
  4067. description: |-
  4068. Audience specifies the `aud` claim for the service account token
  4069. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  4070. then these audiences will be appended to the list
  4071. items:
  4072. type: string
  4073. type: array
  4074. name:
  4075. description: The name of the ServiceAccount resource being referred to.
  4076. maxLength: 253
  4077. minLength: 1
  4078. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4079. type: string
  4080. namespace:
  4081. description: |-
  4082. Namespace of the resource being referred to.
  4083. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4084. maxLength: 63
  4085. minLength: 1
  4086. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4087. type: string
  4088. required:
  4089. - name
  4090. type: object
  4091. required:
  4092. - identity
  4093. - serviceAccountRef
  4094. type: object
  4095. secretRef:
  4096. description: SecretRef authenticates using a Doppler service token stored in a Kubernetes Secret.
  4097. properties:
  4098. dopplerToken:
  4099. description: |-
  4100. The DopplerToken is used for authentication.
  4101. See https://docs.doppler.com/reference/api#authentication for auth token types.
  4102. The Key attribute defaults to dopplerToken if not specified.
  4103. properties:
  4104. key:
  4105. description: |-
  4106. A key in the referenced Secret.
  4107. Some instances of this field may be defaulted, in others it may be required.
  4108. maxLength: 253
  4109. minLength: 1
  4110. pattern: ^[-._a-zA-Z0-9]+$
  4111. type: string
  4112. name:
  4113. description: The name of the Secret resource being referred to.
  4114. maxLength: 253
  4115. minLength: 1
  4116. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4117. type: string
  4118. namespace:
  4119. description: |-
  4120. The namespace of the Secret resource being referred to.
  4121. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4122. maxLength: 63
  4123. minLength: 1
  4124. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4125. type: string
  4126. type: object
  4127. required:
  4128. - dopplerToken
  4129. type: object
  4130. type: object
  4131. x-kubernetes-validations:
  4132. - message: Exactly one of 'secretRef' or 'oidcConfig' must be specified
  4133. rule: (has(self.secretRef) && !has(self.oidcConfig)) || (!has(self.secretRef) && has(self.oidcConfig))
  4134. config:
  4135. description: Doppler config (required if not using a Service Token)
  4136. type: string
  4137. format:
  4138. description: Format enables the downloading of secrets as a file (string)
  4139. enum:
  4140. - json
  4141. - dotnet-json
  4142. - env
  4143. - yaml
  4144. - docker
  4145. type: string
  4146. nameTransformer:
  4147. description: Environment variable compatible name transforms that change secret names to a different format
  4148. enum:
  4149. - upper-camel
  4150. - camel
  4151. - lower-snake
  4152. - tf-var
  4153. - dotnet-env
  4154. - lower-kebab
  4155. type: string
  4156. project:
  4157. description: Doppler project (required if not using a Service Token)
  4158. type: string
  4159. required:
  4160. - auth
  4161. type: object
  4162. dvls:
  4163. description: DVLS configures this store to sync secrets using Devolutions Server provider
  4164. properties:
  4165. auth:
  4166. description: Auth defines the authentication method to use.
  4167. properties:
  4168. secretRef:
  4169. description: SecretRef contains the Application ID and Application Secret for authentication.
  4170. properties:
  4171. appId:
  4172. description: AppID is the reference to the secret containing the Application ID.
  4173. properties:
  4174. key:
  4175. description: |-
  4176. A key in the referenced Secret.
  4177. Some instances of this field may be defaulted, in others it may be required.
  4178. maxLength: 253
  4179. minLength: 1
  4180. pattern: ^[-._a-zA-Z0-9]+$
  4181. type: string
  4182. name:
  4183. description: The name of the Secret resource being referred to.
  4184. maxLength: 253
  4185. minLength: 1
  4186. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4187. type: string
  4188. namespace:
  4189. description: |-
  4190. The namespace of the Secret resource being referred to.
  4191. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4192. maxLength: 63
  4193. minLength: 1
  4194. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4195. type: string
  4196. type: object
  4197. appSecret:
  4198. description: AppSecret is the reference to the secret containing the Application Secret.
  4199. properties:
  4200. key:
  4201. description: |-
  4202. A key in the referenced Secret.
  4203. Some instances of this field may be defaulted, in others it may be required.
  4204. maxLength: 253
  4205. minLength: 1
  4206. pattern: ^[-._a-zA-Z0-9]+$
  4207. type: string
  4208. name:
  4209. description: The name of the Secret resource being referred to.
  4210. maxLength: 253
  4211. minLength: 1
  4212. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4213. type: string
  4214. namespace:
  4215. description: |-
  4216. The namespace of the Secret resource being referred to.
  4217. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4218. maxLength: 63
  4219. minLength: 1
  4220. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4221. type: string
  4222. type: object
  4223. required:
  4224. - appId
  4225. - appSecret
  4226. type: object
  4227. required:
  4228. - secretRef
  4229. type: object
  4230. insecure:
  4231. description: |-
  4232. Insecure allows connecting to DVLS over plain HTTP.
  4233. This is NOT RECOMMENDED for production use.
  4234. Set to true only if you understand the security implications.
  4235. type: boolean
  4236. serverUrl:
  4237. description: ServerURL is the DVLS instance URL (e.g., https://dvls.example.com).
  4238. type: string
  4239. vault:
  4240. description: |-
  4241. Vault is the name or UUID of the vault to fetch secrets from.
  4242. When omitted, the vault must be specified in the secret key using the legacy format "<vault-id>/<entry-id>".
  4243. type: string
  4244. required:
  4245. - auth
  4246. - serverUrl
  4247. type: object
  4248. fake:
  4249. description: Fake configures a store with static key/value pairs
  4250. properties:
  4251. data:
  4252. items:
  4253. description: FakeProviderData defines a key-value pair with optional version for the fake provider.
  4254. properties:
  4255. key:
  4256. type: string
  4257. value:
  4258. type: string
  4259. version:
  4260. type: string
  4261. required:
  4262. - key
  4263. - value
  4264. type: object
  4265. type: array
  4266. validationResult:
  4267. description: ValidationResult is defined type for the number of validation results.
  4268. type: integer
  4269. required:
  4270. - data
  4271. type: object
  4272. fortanix:
  4273. description: Fortanix configures this store to sync secrets using the Fortanix provider
  4274. properties:
  4275. apiKey:
  4276. description: APIKey is the API token to access SDKMS Applications.
  4277. properties:
  4278. secretRef:
  4279. description: SecretRef is a reference to a secret containing the SDKMS API Key.
  4280. properties:
  4281. key:
  4282. description: |-
  4283. A key in the referenced Secret.
  4284. Some instances of this field may be defaulted, in others it may be required.
  4285. maxLength: 253
  4286. minLength: 1
  4287. pattern: ^[-._a-zA-Z0-9]+$
  4288. type: string
  4289. name:
  4290. description: The name of the Secret resource being referred to.
  4291. maxLength: 253
  4292. minLength: 1
  4293. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4294. type: string
  4295. namespace:
  4296. description: |-
  4297. The namespace of the Secret resource being referred to.
  4298. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4299. maxLength: 63
  4300. minLength: 1
  4301. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4302. type: string
  4303. type: object
  4304. type: object
  4305. apiUrl:
  4306. description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`.
  4307. type: string
  4308. type: object
  4309. gcpsm:
  4310. description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
  4311. properties:
  4312. auth:
  4313. description: Auth defines the information necessary to authenticate against GCP
  4314. properties:
  4315. secretRef:
  4316. description: GCPSMAuthSecretRef contains the secret references for GCP Secret Manager authentication.
  4317. properties:
  4318. secretAccessKeySecretRef:
  4319. description: The SecretAccessKey is used for authentication
  4320. properties:
  4321. key:
  4322. description: |-
  4323. A key in the referenced Secret.
  4324. Some instances of this field may be defaulted, in others it may be required.
  4325. maxLength: 253
  4326. minLength: 1
  4327. pattern: ^[-._a-zA-Z0-9]+$
  4328. type: string
  4329. name:
  4330. description: The name of the Secret resource being referred to.
  4331. maxLength: 253
  4332. minLength: 1
  4333. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4334. type: string
  4335. namespace:
  4336. description: |-
  4337. The namespace of the Secret resource being referred to.
  4338. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4339. maxLength: 63
  4340. minLength: 1
  4341. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4342. type: string
  4343. type: object
  4344. type: object
  4345. workloadIdentity:
  4346. description: GCPWorkloadIdentity defines configuration for workload identity authentication to GCP.
  4347. properties:
  4348. clusterLocation:
  4349. description: |-
  4350. ClusterLocation is the location of the cluster
  4351. If not specified, it fetches information from the metadata server
  4352. type: string
  4353. clusterName:
  4354. description: |-
  4355. ClusterName is the name of the cluster
  4356. If not specified, it fetches information from the metadata server
  4357. type: string
  4358. clusterProjectID:
  4359. description: |-
  4360. ClusterProjectID is the project ID of the cluster
  4361. If not specified, it fetches information from the metadata server
  4362. type: string
  4363. serviceAccountRef:
  4364. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  4365. properties:
  4366. audiences:
  4367. description: |-
  4368. Audience specifies the `aud` claim for the service account token
  4369. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  4370. then these audiences will be appended to the list
  4371. items:
  4372. type: string
  4373. type: array
  4374. name:
  4375. description: The name of the ServiceAccount resource being referred to.
  4376. maxLength: 253
  4377. minLength: 1
  4378. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4379. type: string
  4380. namespace:
  4381. description: |-
  4382. Namespace of the resource being referred to.
  4383. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4384. maxLength: 63
  4385. minLength: 1
  4386. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4387. type: string
  4388. required:
  4389. - name
  4390. type: object
  4391. required:
  4392. - serviceAccountRef
  4393. type: object
  4394. workloadIdentityFederation:
  4395. description: GCPWorkloadIdentityFederation holds the configurations required for generating federated access tokens.
  4396. properties:
  4397. audience:
  4398. description: |-
  4399. audience is the Secure Token Service (STS) audience which contains the resource name for the workload identity pool and the provider identifier in that pool.
  4400. If specified, Audience found in the external account credential config will be overridden with the configured value.
  4401. audience must be provided when serviceAccountRef or awsSecurityCredentials is configured.
  4402. type: string
  4403. awsSecurityCredentials:
  4404. description: |-
  4405. awsSecurityCredentials is for configuring AWS region and credentials to use for obtaining the access token,
  4406. when using the AWS metadata server is not an option.
  4407. properties:
  4408. awsCredentialsSecretRef:
  4409. description: |-
  4410. awsCredentialsSecretRef is the reference to the secret which holds the AWS credentials.
  4411. The Secret should be created with the following key names:
  4412. - aws_access_key_id: Access Key ID, which is the unique identifier for the AWS account or the IAM user.
  4413. - aws_secret_access_key: Secret Access Key, which is used to authenticate requests made to AWS services.
  4414. - aws_session_token: Session Token, is the short-lived token to authenticate requests made to AWS services.
  4415. properties:
  4416. name:
  4417. description: name of the secret.
  4418. maxLength: 253
  4419. minLength: 1
  4420. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4421. type: string
  4422. namespace:
  4423. description: namespace in which the secret exists. If empty, the secret will be looked up in the local namespace.
  4424. maxLength: 63
  4425. minLength: 1
  4426. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4427. type: string
  4428. required:
  4429. - name
  4430. type: object
  4431. region:
  4432. description: region is for configuring the AWS region to be used.
  4433. example: ap-south-1
  4434. maxLength: 50
  4435. minLength: 1
  4436. pattern: ^[a-z0-9-]+$
  4437. type: string
  4438. required:
  4439. - awsCredentialsSecretRef
  4440. - region
  4441. type: object
  4442. credConfig:
  4443. description: |-
  4444. credConfig holds the configmap reference containing the GCP external account credential configuration in JSON format and the key name containing the json data.
  4445. For using a Kubernetes cluster as the identity provider, use serviceAccountRef instead. The operator's mounted serviceaccount token cannot be used as the token source; instead,
  4446. serviceAccountRef must be used by providing the operator's service account details.
  4447. properties:
  4448. key:
  4449. description: key name holding the external account credential config.
  4450. maxLength: 253
  4451. minLength: 1
  4452. pattern: ^[-._a-zA-Z0-9]+$
  4453. type: string
  4454. name:
  4455. description: name of the configmap.
  4456. maxLength: 253
  4457. minLength: 1
  4458. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4459. type: string
  4460. namespace:
  4461. description: namespace in which the configmap exists. If empty, the configmap will be looked up in the local namespace.
  4462. maxLength: 63
  4463. minLength: 1
  4464. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4465. type: string
  4466. required:
  4467. - key
  4468. - name
  4469. type: object
  4470. externalTokenEndpoint:
  4471. description: |-
  4472. externalTokenEndpoint is the endpoint explicitly set up to provide tokens, which will be matched against the
  4473. credential_source.url in the provided credConfig. This field merely double-checks that the external token source
  4474. URL has the expected value.
  4475. type: string
  4476. gcpServiceAccountEmail:
  4477. description: |-
  4478. GCPServiceAccountEmail is the email of the Google Cloud service account to impersonate
  4479. after Workload Identity Federation. Use this to grant access through the service account's
  4480. IAM bindings (for example roles/secretmanager.secretAccessor). When set, it overrides
  4481. service_account_impersonation_url in the external account JSON from credConfig;
  4482. when serviceAccountRef is set, it also overrides the "iam.gke.io/gcp-service-account" annotation
  4483. on that ServiceAccount.
  4484. example: my-gsa@my-project.iam.gserviceaccount.com
  4485. minLength: 1
  4486. pattern: ^.*@.*\.iam\.gserviceaccount\.com$
  4487. type: string
  4488. serviceAccountRef:
  4489. description: |-
  4490. serviceAccountRef is the reference to the kubernetes ServiceAccount to be used for obtaining the tokens,
  4491. when Kubernetes is configured as provider in workload identity pool.
  4492. properties:
  4493. audiences:
  4494. description: |-
  4495. Audience specifies the `aud` claim for the service account token
  4496. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  4497. then these audiences will be appended to the list
  4498. items:
  4499. type: string
  4500. type: array
  4501. name:
  4502. description: The name of the ServiceAccount resource being referred to.
  4503. maxLength: 253
  4504. minLength: 1
  4505. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4506. type: string
  4507. namespace:
  4508. description: |-
  4509. Namespace of the resource being referred to.
  4510. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4511. maxLength: 63
  4512. minLength: 1
  4513. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4514. type: string
  4515. required:
  4516. - name
  4517. type: object
  4518. type: object
  4519. type: object
  4520. location:
  4521. description: Location optionally defines a location for a secret
  4522. type: string
  4523. projectID:
  4524. description: ProjectID project where secret is located
  4525. type: string
  4526. secretVersionSelectionPolicy:
  4527. default: LatestOrFail
  4528. description: |-
  4529. SecretVersionSelectionPolicy specifies how the provider selects a secret version
  4530. when "latest" is disabled or destroyed.
  4531. Possible values are:
  4532. - LatestOrFail: the provider always uses "latest", or fails if that version is disabled/destroyed.
  4533. - LatestOrFetch: the provider falls back to fetching the latest version if the version is DESTROYED or DISABLED
  4534. type: string
  4535. type: object
  4536. github:
  4537. description: |-
  4538. Github configures this store to push GitHub Actions secrets using the GitHub API provider.
  4539. Note: This provider only supports write operations (PushSecret) and cannot fetch secrets from GitHub
  4540. properties:
  4541. appID:
  4542. description: appID specifies the Github APP that will be used to authenticate the client
  4543. format: int64
  4544. type: integer
  4545. auth:
  4546. description: auth configures how secret-manager authenticates with a Github instance.
  4547. properties:
  4548. privateKey:
  4549. description: |-
  4550. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  4551. In some instances, `key` is a required field.
  4552. properties:
  4553. key:
  4554. description: |-
  4555. A key in the referenced Secret.
  4556. Some instances of this field may be defaulted, in others it may be required.
  4557. maxLength: 253
  4558. minLength: 1
  4559. pattern: ^[-._a-zA-Z0-9]+$
  4560. type: string
  4561. name:
  4562. description: The name of the Secret resource being referred to.
  4563. maxLength: 253
  4564. minLength: 1
  4565. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4566. type: string
  4567. namespace:
  4568. description: |-
  4569. The namespace of the Secret resource being referred to.
  4570. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4571. maxLength: 63
  4572. minLength: 1
  4573. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4574. type: string
  4575. type: object
  4576. required:
  4577. - privateKey
  4578. type: object
  4579. environment:
  4580. description: environment will be used to fetch secrets from a particular environment within a github repository
  4581. type: string
  4582. installationID:
  4583. description: installationID specifies the Github APP installation that will be used to authenticate the client
  4584. format: int64
  4585. type: integer
  4586. orgSecretVisibility:
  4587. description: |-
  4588. orgSecretVisibility controls the visibility of organization secrets pushed via PushSecret.
  4589. Valid values are "all" or "private".
  4590. When unset, new secrets are created with visibility "all" and existing secrets preserve
  4591. whatever visibility they already have in GitHub.
  4592. enum:
  4593. - all
  4594. - private
  4595. type: string
  4596. organization:
  4597. description: organization will be used to fetch secrets from the Github organization
  4598. type: string
  4599. repository:
  4600. description: repository will be used to fetch secrets from the Github repository within an organization
  4601. type: string
  4602. uploadURL:
  4603. description: Upload URL for enterprise instances. Default to URL.
  4604. type: string
  4605. url:
  4606. default: https://github.com/
  4607. description: URL configures the Github instance URL. Defaults to https://github.com/.
  4608. type: string
  4609. required:
  4610. - appID
  4611. - auth
  4612. - installationID
  4613. - organization
  4614. type: object
  4615. gitlab:
  4616. description: GitLab configures this store to sync secrets using GitLab Variables provider
  4617. properties:
  4618. auth:
  4619. description: Auth configures how secret-manager authenticates with a GitLab instance.
  4620. properties:
  4621. SecretRef:
  4622. description: GitlabSecretRef contains the secret reference for GitLab authentication credentials.
  4623. properties:
  4624. accessToken:
  4625. description: AccessToken is used for authentication.
  4626. properties:
  4627. key:
  4628. description: |-
  4629. A key in the referenced Secret.
  4630. Some instances of this field may be defaulted, in others it may be required.
  4631. maxLength: 253
  4632. minLength: 1
  4633. pattern: ^[-._a-zA-Z0-9]+$
  4634. type: string
  4635. name:
  4636. description: The name of the Secret resource being referred to.
  4637. maxLength: 253
  4638. minLength: 1
  4639. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4640. type: string
  4641. namespace:
  4642. description: |-
  4643. The namespace of the Secret resource being referred to.
  4644. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4645. maxLength: 63
  4646. minLength: 1
  4647. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4648. type: string
  4649. type: object
  4650. type: object
  4651. required:
  4652. - SecretRef
  4653. type: object
  4654. caBundle:
  4655. description: |-
  4656. Base64-encoded certificate for the GitLab server SDK. The SDK MUST run with HTTPS to make sure no MITM attack
  4657. can be performed.
  4658. format: byte
  4659. type: string
  4660. caProvider:
  4661. description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider'
  4662. properties:
  4663. key:
  4664. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  4665. maxLength: 253
  4666. minLength: 1
  4667. pattern: ^[-._a-zA-Z0-9]+$
  4668. type: string
  4669. name:
  4670. description: The name of the object located at the provider type.
  4671. maxLength: 253
  4672. minLength: 1
  4673. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4674. type: string
  4675. namespace:
  4676. description: |-
  4677. The namespace the Provider type is in.
  4678. Can only be defined when used in a ClusterSecretStore.
  4679. maxLength: 63
  4680. minLength: 1
  4681. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4682. type: string
  4683. type:
  4684. description: The type of provider to use such as "Secret", or "ConfigMap".
  4685. enum:
  4686. - Secret
  4687. - ConfigMap
  4688. type: string
  4689. required:
  4690. - name
  4691. - type
  4692. type: object
  4693. environment:
  4694. description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments)
  4695. type: string
  4696. groupIDs:
  4697. description: GroupIDs specify which GitLab groups to pull secrets from. Group secrets are read from left to right, followed by the project variables.
  4698. items:
  4699. type: string
  4700. type: array
  4701. inheritFromGroups:
  4702. description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets.
  4703. type: boolean
  4704. projectID:
  4705. description: ProjectID specifies a project where secrets are located.
  4706. type: string
  4707. url:
  4708. description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
  4709. type: string
  4710. required:
  4711. - auth
  4712. type: object
  4713. ibm:
  4714. description: IBM configures this store to sync secrets using IBM Cloud provider
  4715. properties:
  4716. auth:
  4717. description: Auth configures how secret-manager authenticates with the IBM secrets manager.
  4718. maxProperties: 1
  4719. minProperties: 1
  4720. properties:
  4721. containerAuth:
  4722. description: IBMAuthContainerAuth defines container-based authentication with IAM Trusted Profile.
  4723. properties:
  4724. iamEndpoint:
  4725. type: string
  4726. profile:
  4727. description: the IBM Trusted Profile
  4728. type: string
  4729. tokenLocation:
  4730. description: Location where the token is mounted on the pod
  4731. type: string
  4732. required:
  4733. - profile
  4734. type: object
  4735. secretRef:
  4736. description: IBMAuthSecretRef contains the secret reference for IBM Cloud API key authentication.
  4737. properties:
  4738. iamEndpoint:
  4739. description: The IAM endpoint used to obtain a token
  4740. type: string
  4741. secretApiKeySecretRef:
  4742. description: The SecretAccessKey is used for authentication
  4743. properties:
  4744. key:
  4745. description: |-
  4746. A key in the referenced Secret.
  4747. Some instances of this field may be defaulted, in others it may be required.
  4748. maxLength: 253
  4749. minLength: 1
  4750. pattern: ^[-._a-zA-Z0-9]+$
  4751. type: string
  4752. name:
  4753. description: The name of the Secret resource being referred to.
  4754. maxLength: 253
  4755. minLength: 1
  4756. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4757. type: string
  4758. namespace:
  4759. description: |-
  4760. The namespace of the Secret resource being referred to.
  4761. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4762. maxLength: 63
  4763. minLength: 1
  4764. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4765. type: string
  4766. type: object
  4767. type: object
  4768. type: object
  4769. serviceUrl:
  4770. description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
  4771. type: string
  4772. required:
  4773. - auth
  4774. type: object
  4775. infisical:
  4776. description: Infisical configures this store to sync secrets using the Infisical provider
  4777. properties:
  4778. auth:
  4779. description: Auth configures how the Operator authenticates with the Infisical API
  4780. properties:
  4781. awsAuthCredentials:
  4782. description: AwsAuthCredentials represents the credentials for AWS authentication.
  4783. properties:
  4784. identityId:
  4785. description: |-
  4786. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  4787. In some instances, `key` is a required field.
  4788. properties:
  4789. key:
  4790. description: |-
  4791. A key in the referenced Secret.
  4792. Some instances of this field may be defaulted, in others it may be required.
  4793. maxLength: 253
  4794. minLength: 1
  4795. pattern: ^[-._a-zA-Z0-9]+$
  4796. type: string
  4797. name:
  4798. description: The name of the Secret resource being referred to.
  4799. maxLength: 253
  4800. minLength: 1
  4801. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4802. type: string
  4803. namespace:
  4804. description: |-
  4805. The namespace of the Secret resource being referred to.
  4806. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4807. maxLength: 63
  4808. minLength: 1
  4809. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4810. type: string
  4811. type: object
  4812. required:
  4813. - identityId
  4814. type: object
  4815. azureAuthCredentials:
  4816. description: AzureAuthCredentials represents the credentials for Azure authentication.
  4817. properties:
  4818. identityId:
  4819. description: |-
  4820. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  4821. In some instances, `key` is a required field.
  4822. properties:
  4823. key:
  4824. description: |-
  4825. A key in the referenced Secret.
  4826. Some instances of this field may be defaulted, in others it may be required.
  4827. maxLength: 253
  4828. minLength: 1
  4829. pattern: ^[-._a-zA-Z0-9]+$
  4830. type: string
  4831. name:
  4832. description: The name of the Secret resource being referred to.
  4833. maxLength: 253
  4834. minLength: 1
  4835. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4836. type: string
  4837. namespace:
  4838. description: |-
  4839. The namespace of the Secret resource being referred to.
  4840. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4841. maxLength: 63
  4842. minLength: 1
  4843. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4844. type: string
  4845. type: object
  4846. resource:
  4847. description: |-
  4848. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  4849. In some instances, `key` is a required field.
  4850. properties:
  4851. key:
  4852. description: |-
  4853. A key in the referenced Secret.
  4854. Some instances of this field may be defaulted, in others it may be required.
  4855. maxLength: 253
  4856. minLength: 1
  4857. pattern: ^[-._a-zA-Z0-9]+$
  4858. type: string
  4859. name:
  4860. description: The name of the Secret resource being referred to.
  4861. maxLength: 253
  4862. minLength: 1
  4863. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4864. type: string
  4865. namespace:
  4866. description: |-
  4867. The namespace of the Secret resource being referred to.
  4868. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4869. maxLength: 63
  4870. minLength: 1
  4871. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4872. type: string
  4873. type: object
  4874. required:
  4875. - identityId
  4876. type: object
  4877. gcpIamAuthCredentials:
  4878. description: GcpIamAuthCredentials represents the credentials for GCP IAM authentication.
  4879. properties:
  4880. identityId:
  4881. description: |-
  4882. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  4883. In some instances, `key` is a required field.
  4884. properties:
  4885. key:
  4886. description: |-
  4887. A key in the referenced Secret.
  4888. Some instances of this field may be defaulted, in others it may be required.
  4889. maxLength: 253
  4890. minLength: 1
  4891. pattern: ^[-._a-zA-Z0-9]+$
  4892. type: string
  4893. name:
  4894. description: The name of the Secret resource being referred to.
  4895. maxLength: 253
  4896. minLength: 1
  4897. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4898. type: string
  4899. namespace:
  4900. description: |-
  4901. The namespace of the Secret resource being referred to.
  4902. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4903. maxLength: 63
  4904. minLength: 1
  4905. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4906. type: string
  4907. type: object
  4908. serviceAccountKeyFilePath:
  4909. description: |-
  4910. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  4911. In some instances, `key` is a required field.
  4912. properties:
  4913. key:
  4914. description: |-
  4915. A key in the referenced Secret.
  4916. Some instances of this field may be defaulted, in others it may be required.
  4917. maxLength: 253
  4918. minLength: 1
  4919. pattern: ^[-._a-zA-Z0-9]+$
  4920. type: string
  4921. name:
  4922. description: The name of the Secret resource being referred to.
  4923. maxLength: 253
  4924. minLength: 1
  4925. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4926. type: string
  4927. namespace:
  4928. description: |-
  4929. The namespace of the Secret resource being referred to.
  4930. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4931. maxLength: 63
  4932. minLength: 1
  4933. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4934. type: string
  4935. type: object
  4936. required:
  4937. - identityId
  4938. - serviceAccountKeyFilePath
  4939. type: object
  4940. gcpIdTokenAuthCredentials:
  4941. description: GcpIDTokenAuthCredentials represents the credentials for GCP ID token authentication.
  4942. properties:
  4943. identityId:
  4944. description: |-
  4945. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  4946. In some instances, `key` is a required field.
  4947. properties:
  4948. key:
  4949. description: |-
  4950. A key in the referenced Secret.
  4951. Some instances of this field may be defaulted, in others it may be required.
  4952. maxLength: 253
  4953. minLength: 1
  4954. pattern: ^[-._a-zA-Z0-9]+$
  4955. type: string
  4956. name:
  4957. description: The name of the Secret resource being referred to.
  4958. maxLength: 253
  4959. minLength: 1
  4960. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4961. type: string
  4962. namespace:
  4963. description: |-
  4964. The namespace of the Secret resource being referred to.
  4965. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4966. maxLength: 63
  4967. minLength: 1
  4968. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4969. type: string
  4970. type: object
  4971. required:
  4972. - identityId
  4973. type: object
  4974. jwtAuthCredentials:
  4975. description: JwtAuthCredentials represents the credentials for JWT authentication.
  4976. properties:
  4977. identityId:
  4978. description: |-
  4979. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  4980. In some instances, `key` is a required field.
  4981. properties:
  4982. key:
  4983. description: |-
  4984. A key in the referenced Secret.
  4985. Some instances of this field may be defaulted, in others it may be required.
  4986. maxLength: 253
  4987. minLength: 1
  4988. pattern: ^[-._a-zA-Z0-9]+$
  4989. type: string
  4990. name:
  4991. description: The name of the Secret resource being referred to.
  4992. maxLength: 253
  4993. minLength: 1
  4994. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4995. type: string
  4996. namespace:
  4997. description: |-
  4998. The namespace of the Secret resource being referred to.
  4999. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5000. maxLength: 63
  5001. minLength: 1
  5002. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5003. type: string
  5004. type: object
  5005. jwt:
  5006. description: |-
  5007. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5008. In some instances, `key` is a required field.
  5009. properties:
  5010. key:
  5011. description: |-
  5012. A key in the referenced Secret.
  5013. Some instances of this field may be defaulted, in others it may be required.
  5014. maxLength: 253
  5015. minLength: 1
  5016. pattern: ^[-._a-zA-Z0-9]+$
  5017. type: string
  5018. name:
  5019. description: The name of the Secret resource being referred to.
  5020. maxLength: 253
  5021. minLength: 1
  5022. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5023. type: string
  5024. namespace:
  5025. description: |-
  5026. The namespace of the Secret resource being referred to.
  5027. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5028. maxLength: 63
  5029. minLength: 1
  5030. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5031. type: string
  5032. type: object
  5033. required:
  5034. - identityId
  5035. - jwt
  5036. type: object
  5037. kubernetesAuthCredentials:
  5038. description: KubernetesAuthCredentials represents the credentials for Kubernetes authentication.
  5039. properties:
  5040. identityId:
  5041. description: |-
  5042. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5043. In some instances, `key` is a required field.
  5044. properties:
  5045. key:
  5046. description: |-
  5047. A key in the referenced Secret.
  5048. Some instances of this field may be defaulted, in others it may be required.
  5049. maxLength: 253
  5050. minLength: 1
  5051. pattern: ^[-._a-zA-Z0-9]+$
  5052. type: string
  5053. name:
  5054. description: The name of the Secret resource being referred to.
  5055. maxLength: 253
  5056. minLength: 1
  5057. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5058. type: string
  5059. namespace:
  5060. description: |-
  5061. The namespace of the Secret resource being referred to.
  5062. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5063. maxLength: 63
  5064. minLength: 1
  5065. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5066. type: string
  5067. type: object
  5068. serviceAccountTokenPath:
  5069. description: |-
  5070. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5071. In some instances, `key` is a required field.
  5072. properties:
  5073. key:
  5074. description: |-
  5075. A key in the referenced Secret.
  5076. Some instances of this field may be defaulted, in others it may be required.
  5077. maxLength: 253
  5078. minLength: 1
  5079. pattern: ^[-._a-zA-Z0-9]+$
  5080. type: string
  5081. name:
  5082. description: The name of the Secret resource being referred to.
  5083. maxLength: 253
  5084. minLength: 1
  5085. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5086. type: string
  5087. namespace:
  5088. description: |-
  5089. The namespace of the Secret resource being referred to.
  5090. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5091. maxLength: 63
  5092. minLength: 1
  5093. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5094. type: string
  5095. type: object
  5096. required:
  5097. - identityId
  5098. type: object
  5099. ldapAuthCredentials:
  5100. description: LdapAuthCredentials represents the credentials for LDAP authentication.
  5101. properties:
  5102. identityId:
  5103. description: |-
  5104. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5105. In some instances, `key` is a required field.
  5106. properties:
  5107. key:
  5108. description: |-
  5109. A key in the referenced Secret.
  5110. Some instances of this field may be defaulted, in others it may be required.
  5111. maxLength: 253
  5112. minLength: 1
  5113. pattern: ^[-._a-zA-Z0-9]+$
  5114. type: string
  5115. name:
  5116. description: The name of the Secret resource being referred to.
  5117. maxLength: 253
  5118. minLength: 1
  5119. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5120. type: string
  5121. namespace:
  5122. description: |-
  5123. The namespace of the Secret resource being referred to.
  5124. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5125. maxLength: 63
  5126. minLength: 1
  5127. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5128. type: string
  5129. type: object
  5130. ldapPassword:
  5131. description: |-
  5132. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5133. In some instances, `key` is a required field.
  5134. properties:
  5135. key:
  5136. description: |-
  5137. A key in the referenced Secret.
  5138. Some instances of this field may be defaulted, in others it may be required.
  5139. maxLength: 253
  5140. minLength: 1
  5141. pattern: ^[-._a-zA-Z0-9]+$
  5142. type: string
  5143. name:
  5144. description: The name of the Secret resource being referred to.
  5145. maxLength: 253
  5146. minLength: 1
  5147. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5148. type: string
  5149. namespace:
  5150. description: |-
  5151. The namespace of the Secret resource being referred to.
  5152. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5153. maxLength: 63
  5154. minLength: 1
  5155. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5156. type: string
  5157. type: object
  5158. ldapUsername:
  5159. description: |-
  5160. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5161. In some instances, `key` is a required field.
  5162. properties:
  5163. key:
  5164. description: |-
  5165. A key in the referenced Secret.
  5166. Some instances of this field may be defaulted, in others it may be required.
  5167. maxLength: 253
  5168. minLength: 1
  5169. pattern: ^[-._a-zA-Z0-9]+$
  5170. type: string
  5171. name:
  5172. description: The name of the Secret resource being referred to.
  5173. maxLength: 253
  5174. minLength: 1
  5175. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5176. type: string
  5177. namespace:
  5178. description: |-
  5179. The namespace of the Secret resource being referred to.
  5180. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5181. maxLength: 63
  5182. minLength: 1
  5183. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5184. type: string
  5185. type: object
  5186. required:
  5187. - identityId
  5188. - ldapPassword
  5189. - ldapUsername
  5190. type: object
  5191. ociAuthCredentials:
  5192. description: OciAuthCredentials represents the credentials for OCI authentication.
  5193. properties:
  5194. fingerprint:
  5195. description: |-
  5196. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5197. In some instances, `key` is a required field.
  5198. properties:
  5199. key:
  5200. description: |-
  5201. A key in the referenced Secret.
  5202. Some instances of this field may be defaulted, in others it may be required.
  5203. maxLength: 253
  5204. minLength: 1
  5205. pattern: ^[-._a-zA-Z0-9]+$
  5206. type: string
  5207. name:
  5208. description: The name of the Secret resource being referred to.
  5209. maxLength: 253
  5210. minLength: 1
  5211. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5212. type: string
  5213. namespace:
  5214. description: |-
  5215. The namespace of the Secret resource being referred to.
  5216. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5217. maxLength: 63
  5218. minLength: 1
  5219. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5220. type: string
  5221. type: object
  5222. identityId:
  5223. description: |-
  5224. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5225. In some instances, `key` is a required field.
  5226. properties:
  5227. key:
  5228. description: |-
  5229. A key in the referenced Secret.
  5230. Some instances of this field may be defaulted, in others it may be required.
  5231. maxLength: 253
  5232. minLength: 1
  5233. pattern: ^[-._a-zA-Z0-9]+$
  5234. type: string
  5235. name:
  5236. description: The name of the Secret resource being referred to.
  5237. maxLength: 253
  5238. minLength: 1
  5239. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5240. type: string
  5241. namespace:
  5242. description: |-
  5243. The namespace of the Secret resource being referred to.
  5244. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5245. maxLength: 63
  5246. minLength: 1
  5247. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5248. type: string
  5249. type: object
  5250. privateKey:
  5251. description: |-
  5252. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5253. In some instances, `key` is a required field.
  5254. properties:
  5255. key:
  5256. description: |-
  5257. A key in the referenced Secret.
  5258. Some instances of this field may be defaulted, in others it may be required.
  5259. maxLength: 253
  5260. minLength: 1
  5261. pattern: ^[-._a-zA-Z0-9]+$
  5262. type: string
  5263. name:
  5264. description: The name of the Secret resource being referred to.
  5265. maxLength: 253
  5266. minLength: 1
  5267. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5268. type: string
  5269. namespace:
  5270. description: |-
  5271. The namespace of the Secret resource being referred to.
  5272. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5273. maxLength: 63
  5274. minLength: 1
  5275. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5276. type: string
  5277. type: object
  5278. privateKeyPassphrase:
  5279. description: |-
  5280. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5281. In some instances, `key` is a required field.
  5282. properties:
  5283. key:
  5284. description: |-
  5285. A key in the referenced Secret.
  5286. Some instances of this field may be defaulted, in others it may be required.
  5287. maxLength: 253
  5288. minLength: 1
  5289. pattern: ^[-._a-zA-Z0-9]+$
  5290. type: string
  5291. name:
  5292. description: The name of the Secret resource being referred to.
  5293. maxLength: 253
  5294. minLength: 1
  5295. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5296. type: string
  5297. namespace:
  5298. description: |-
  5299. The namespace of the Secret resource being referred to.
  5300. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5301. maxLength: 63
  5302. minLength: 1
  5303. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5304. type: string
  5305. type: object
  5306. region:
  5307. description: |-
  5308. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5309. In some instances, `key` is a required field.
  5310. properties:
  5311. key:
  5312. description: |-
  5313. A key in the referenced Secret.
  5314. Some instances of this field may be defaulted, in others it may be required.
  5315. maxLength: 253
  5316. minLength: 1
  5317. pattern: ^[-._a-zA-Z0-9]+$
  5318. type: string
  5319. name:
  5320. description: The name of the Secret resource being referred to.
  5321. maxLength: 253
  5322. minLength: 1
  5323. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5324. type: string
  5325. namespace:
  5326. description: |-
  5327. The namespace of the Secret resource being referred to.
  5328. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5329. maxLength: 63
  5330. minLength: 1
  5331. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5332. type: string
  5333. type: object
  5334. tenancyId:
  5335. description: |-
  5336. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5337. In some instances, `key` is a required field.
  5338. properties:
  5339. key:
  5340. description: |-
  5341. A key in the referenced Secret.
  5342. Some instances of this field may be defaulted, in others it may be required.
  5343. maxLength: 253
  5344. minLength: 1
  5345. pattern: ^[-._a-zA-Z0-9]+$
  5346. type: string
  5347. name:
  5348. description: The name of the Secret resource being referred to.
  5349. maxLength: 253
  5350. minLength: 1
  5351. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5352. type: string
  5353. namespace:
  5354. description: |-
  5355. The namespace of the Secret resource being referred to.
  5356. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5357. maxLength: 63
  5358. minLength: 1
  5359. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5360. type: string
  5361. type: object
  5362. userId:
  5363. description: |-
  5364. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5365. In some instances, `key` is a required field.
  5366. properties:
  5367. key:
  5368. description: |-
  5369. A key in the referenced Secret.
  5370. Some instances of this field may be defaulted, in others it may be required.
  5371. maxLength: 253
  5372. minLength: 1
  5373. pattern: ^[-._a-zA-Z0-9]+$
  5374. type: string
  5375. name:
  5376. description: The name of the Secret resource being referred to.
  5377. maxLength: 253
  5378. minLength: 1
  5379. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5380. type: string
  5381. namespace:
  5382. description: |-
  5383. The namespace of the Secret resource being referred to.
  5384. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5385. maxLength: 63
  5386. minLength: 1
  5387. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5388. type: string
  5389. type: object
  5390. required:
  5391. - fingerprint
  5392. - identityId
  5393. - privateKey
  5394. - region
  5395. - tenancyId
  5396. - userId
  5397. type: object
  5398. tokenAuthCredentials:
  5399. description: TokenAuthCredentials represents the credentials for access token-based authentication.
  5400. properties:
  5401. accessToken:
  5402. description: |-
  5403. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5404. In some instances, `key` is a required field.
  5405. properties:
  5406. key:
  5407. description: |-
  5408. A key in the referenced Secret.
  5409. Some instances of this field may be defaulted, in others it may be required.
  5410. maxLength: 253
  5411. minLength: 1
  5412. pattern: ^[-._a-zA-Z0-9]+$
  5413. type: string
  5414. name:
  5415. description: The name of the Secret resource being referred to.
  5416. maxLength: 253
  5417. minLength: 1
  5418. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5419. type: string
  5420. namespace:
  5421. description: |-
  5422. The namespace of the Secret resource being referred to.
  5423. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5424. maxLength: 63
  5425. minLength: 1
  5426. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5427. type: string
  5428. type: object
  5429. required:
  5430. - accessToken
  5431. type: object
  5432. universalAuthCredentials:
  5433. description: UniversalAuthCredentials represents the client credentials for universal authentication.
  5434. properties:
  5435. clientId:
  5436. description: |-
  5437. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5438. In some instances, `key` is a required field.
  5439. properties:
  5440. key:
  5441. description: |-
  5442. A key in the referenced Secret.
  5443. Some instances of this field may be defaulted, in others it may be required.
  5444. maxLength: 253
  5445. minLength: 1
  5446. pattern: ^[-._a-zA-Z0-9]+$
  5447. type: string
  5448. name:
  5449. description: The name of the Secret resource being referred to.
  5450. maxLength: 253
  5451. minLength: 1
  5452. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5453. type: string
  5454. namespace:
  5455. description: |-
  5456. The namespace of the Secret resource being referred to.
  5457. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5458. maxLength: 63
  5459. minLength: 1
  5460. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5461. type: string
  5462. type: object
  5463. clientSecret:
  5464. description: |-
  5465. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5466. In some instances, `key` is a required field.
  5467. properties:
  5468. key:
  5469. description: |-
  5470. A key in the referenced Secret.
  5471. Some instances of this field may be defaulted, in others it may be required.
  5472. maxLength: 253
  5473. minLength: 1
  5474. pattern: ^[-._a-zA-Z0-9]+$
  5475. type: string
  5476. name:
  5477. description: The name of the Secret resource being referred to.
  5478. maxLength: 253
  5479. minLength: 1
  5480. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5481. type: string
  5482. namespace:
  5483. description: |-
  5484. The namespace of the Secret resource being referred to.
  5485. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5486. maxLength: 63
  5487. minLength: 1
  5488. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5489. type: string
  5490. type: object
  5491. required:
  5492. - clientId
  5493. - clientSecret
  5494. type: object
  5495. type: object
  5496. caBundle:
  5497. description: |-
  5498. CABundle is a PEM-encoded CA certificate bundle used to validate
  5499. the Infisical server's TLS certificate. Mutually exclusive with CAProvider.
  5500. format: byte
  5501. type: string
  5502. caProvider:
  5503. description: |-
  5504. CAProvider is a reference to a Secret or ConfigMap that contains a CA certificate.
  5505. The certificate is used to validate the Infisical server's TLS certificate.
  5506. Mutually exclusive with CABundle.
  5507. properties:
  5508. key:
  5509. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  5510. maxLength: 253
  5511. minLength: 1
  5512. pattern: ^[-._a-zA-Z0-9]+$
  5513. type: string
  5514. name:
  5515. description: The name of the object located at the provider type.
  5516. maxLength: 253
  5517. minLength: 1
  5518. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5519. type: string
  5520. namespace:
  5521. description: |-
  5522. The namespace the Provider type is in.
  5523. Can only be defined when used in a ClusterSecretStore.
  5524. maxLength: 63
  5525. minLength: 1
  5526. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5527. type: string
  5528. type:
  5529. description: The type of provider to use such as "Secret", or "ConfigMap".
  5530. enum:
  5531. - Secret
  5532. - ConfigMap
  5533. type: string
  5534. required:
  5535. - name
  5536. - type
  5537. type: object
  5538. hostAPI:
  5539. default: https://app.infisical.com/api
  5540. description: HostAPI specifies the base URL of the Infisical API. If not provided, it defaults to "https://app.infisical.com/api".
  5541. type: string
  5542. secretsScope:
  5543. description: SecretsScope defines the scope of the secrets within the workspace.
  5544. properties:
  5545. environmentSlug:
  5546. description: EnvironmentSlug is the required slug identifier for the environment.
  5547. type: string
  5548. expandSecretReferences:
  5549. default: true
  5550. description: ExpandSecretReferences indicates whether secret references should be expanded. Defaults to true if not provided.
  5551. type: boolean
  5552. organizationSlug:
  5553. description: |-
  5554. OrganizationSlug is the optional slug that identifies the organization that will be used
  5555. during authentication. Useful for sub-organization setups.
  5556. type: string
  5557. projectSlug:
  5558. description: ProjectSlug is the required slug identifier for the project.
  5559. type: string
  5560. recursive:
  5561. default: false
  5562. description: Recursive indicates whether the secrets should be fetched recursively. Defaults to false if not provided.
  5563. type: boolean
  5564. secretsPath:
  5565. default: /
  5566. description: SecretsPath specifies the path to the secrets within the workspace. Defaults to "/" if not provided.
  5567. type: string
  5568. required:
  5569. - environmentSlug
  5570. - projectSlug
  5571. type: object
  5572. required:
  5573. - auth
  5574. - secretsScope
  5575. type: object
  5576. keepersecurity:
  5577. description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider
  5578. properties:
  5579. authRef:
  5580. description: |-
  5581. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5582. In some instances, `key` is a required field.
  5583. properties:
  5584. key:
  5585. description: |-
  5586. A key in the referenced Secret.
  5587. Some instances of this field may be defaulted, in others it may be required.
  5588. maxLength: 253
  5589. minLength: 1
  5590. pattern: ^[-._a-zA-Z0-9]+$
  5591. type: string
  5592. name:
  5593. description: The name of the Secret resource being referred to.
  5594. maxLength: 253
  5595. minLength: 1
  5596. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5597. type: string
  5598. namespace:
  5599. description: |-
  5600. The namespace of the Secret resource being referred to.
  5601. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5602. maxLength: 63
  5603. minLength: 1
  5604. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5605. type: string
  5606. type: object
  5607. folderID:
  5608. type: string
  5609. getByTitleFallback:
  5610. type: boolean
  5611. required:
  5612. - authRef
  5613. - folderID
  5614. type: object
  5615. kubernetes:
  5616. description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
  5617. properties:
  5618. auth:
  5619. description: Auth configures how secret-manager authenticates with a Kubernetes instance.
  5620. maxProperties: 1
  5621. minProperties: 1
  5622. properties:
  5623. cert:
  5624. description: has both clientCert and clientKey as SecretKeySelectors
  5625. properties:
  5626. clientCert:
  5627. description: |-
  5628. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5629. In some instances, `key` is a required field.
  5630. properties:
  5631. key:
  5632. description: |-
  5633. A key in the referenced Secret.
  5634. Some instances of this field may be defaulted, in others it may be required.
  5635. maxLength: 253
  5636. minLength: 1
  5637. pattern: ^[-._a-zA-Z0-9]+$
  5638. type: string
  5639. name:
  5640. description: The name of the Secret resource being referred to.
  5641. maxLength: 253
  5642. minLength: 1
  5643. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5644. type: string
  5645. namespace:
  5646. description: |-
  5647. The namespace of the Secret resource being referred to.
  5648. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5649. maxLength: 63
  5650. minLength: 1
  5651. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5652. type: string
  5653. type: object
  5654. clientKey:
  5655. description: |-
  5656. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5657. In some instances, `key` is a required field.
  5658. properties:
  5659. key:
  5660. description: |-
  5661. A key in the referenced Secret.
  5662. Some instances of this field may be defaulted, in others it may be required.
  5663. maxLength: 253
  5664. minLength: 1
  5665. pattern: ^[-._a-zA-Z0-9]+$
  5666. type: string
  5667. name:
  5668. description: The name of the Secret resource being referred to.
  5669. maxLength: 253
  5670. minLength: 1
  5671. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5672. type: string
  5673. namespace:
  5674. description: |-
  5675. The namespace of the Secret resource being referred to.
  5676. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5677. maxLength: 63
  5678. minLength: 1
  5679. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5680. type: string
  5681. type: object
  5682. type: object
  5683. serviceAccount:
  5684. description: points to a service account that should be used for authentication
  5685. properties:
  5686. audiences:
  5687. description: |-
  5688. Audiences specifies the `aud` claim for the service account token.
  5689. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity,
  5690. then these audiences will be appended to the list.
  5691. items:
  5692. type: string
  5693. type: array
  5694. name:
  5695. description: The name of the ServiceAccount resource being referred to.
  5696. maxLength: 253
  5697. minLength: 1
  5698. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5699. type: string
  5700. namespace:
  5701. description: |-
  5702. Namespace of the resource being referred to.
  5703. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5704. maxLength: 63
  5705. minLength: 1
  5706. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5707. type: string
  5708. required:
  5709. - name
  5710. type: object
  5711. token:
  5712. description: use a static token to authenticate with
  5713. properties:
  5714. bearerToken:
  5715. description: |-
  5716. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5717. In some instances, `key` is a required field.
  5718. properties:
  5719. key:
  5720. description: |-
  5721. A key in the referenced Secret.
  5722. Some instances of this field may be defaulted, in others it may be required.
  5723. maxLength: 253
  5724. minLength: 1
  5725. pattern: ^[-._a-zA-Z0-9]+$
  5726. type: string
  5727. name:
  5728. description: The name of the Secret resource being referred to.
  5729. maxLength: 253
  5730. minLength: 1
  5731. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5732. type: string
  5733. namespace:
  5734. description: |-
  5735. The namespace of the Secret resource being referred to.
  5736. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5737. maxLength: 63
  5738. minLength: 1
  5739. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5740. type: string
  5741. type: object
  5742. type: object
  5743. type: object
  5744. authRef:
  5745. description: A reference to a secret that contains the auth information.
  5746. properties:
  5747. key:
  5748. description: |-
  5749. A key in the referenced Secret.
  5750. Some instances of this field may be defaulted, in others it may be required.
  5751. maxLength: 253
  5752. minLength: 1
  5753. pattern: ^[-._a-zA-Z0-9]+$
  5754. type: string
  5755. name:
  5756. description: The name of the Secret resource being referred to.
  5757. maxLength: 253
  5758. minLength: 1
  5759. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5760. type: string
  5761. namespace:
  5762. description: |-
  5763. The namespace of the Secret resource being referred to.
  5764. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5765. maxLength: 63
  5766. minLength: 1
  5767. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5768. type: string
  5769. type: object
  5770. remoteNamespace:
  5771. default: default
  5772. description: Remote namespace to fetch the secrets from
  5773. maxLength: 63
  5774. minLength: 1
  5775. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5776. type: string
  5777. server:
  5778. description: configures the Kubernetes server Address.
  5779. properties:
  5780. caBundle:
  5781. description: CABundle is a base64-encoded CA certificate
  5782. format: byte
  5783. type: string
  5784. caProvider:
  5785. description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
  5786. properties:
  5787. key:
  5788. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  5789. maxLength: 253
  5790. minLength: 1
  5791. pattern: ^[-._a-zA-Z0-9]+$
  5792. type: string
  5793. name:
  5794. description: The name of the object located at the provider type.
  5795. maxLength: 253
  5796. minLength: 1
  5797. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5798. type: string
  5799. namespace:
  5800. description: |-
  5801. The namespace the Provider type is in.
  5802. Can only be defined when used in a ClusterSecretStore.
  5803. maxLength: 63
  5804. minLength: 1
  5805. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5806. type: string
  5807. type:
  5808. description: The type of provider to use such as "Secret", or "ConfigMap".
  5809. enum:
  5810. - Secret
  5811. - ConfigMap
  5812. type: string
  5813. required:
  5814. - name
  5815. - type
  5816. type: object
  5817. url:
  5818. default: kubernetes.default
  5819. description: configures the Kubernetes server Address.
  5820. type: string
  5821. type: object
  5822. type: object
  5823. nebiusmysterybox:
  5824. description: NebiusMysterybox configures this store to sync secrets using NebiusMysterybox provider
  5825. properties:
  5826. apiDomain:
  5827. description: NebiusMysterybox API endpoint
  5828. type: string
  5829. auth:
  5830. description: Auth defines the parameters used to authenticate with MysteryBox
  5831. properties:
  5832. serviceAccountCredsSecretRef:
  5833. description: |-
  5834. ServiceAccountCreds references a Kubernetes Secret key that contains a JSON
  5835. document with service account credentials used to get an IAM token.
  5836. Expected JSON structure:
  5837. {
  5838. "subject-credentials": {
  5839. "alg": "RS256",
  5840. "private-key": "-----BEGIN PRIVATE KEY-----\n<private-key>\n-----END PRIVATE KEY-----\n",
  5841. "kid": "<public-key-id>",
  5842. "iss": "<issuer-service-account-id>",
  5843. "sub": "<subject-service-account-id>"
  5844. }
  5845. }
  5846. properties:
  5847. key:
  5848. description: |-
  5849. A key in the referenced Secret.
  5850. Some instances of this field may be defaulted, in others it may be required.
  5851. maxLength: 253
  5852. minLength: 1
  5853. pattern: ^[-._a-zA-Z0-9]+$
  5854. type: string
  5855. name:
  5856. description: The name of the Secret resource being referred to.
  5857. maxLength: 253
  5858. minLength: 1
  5859. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5860. type: string
  5861. namespace:
  5862. description: |-
  5863. The namespace of the Secret resource being referred to.
  5864. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5865. maxLength: 63
  5866. minLength: 1
  5867. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5868. type: string
  5869. type: object
  5870. tokenSecretRef:
  5871. description: Token authenticates with Nebius Mysterybox by presenting a token.
  5872. properties:
  5873. key:
  5874. description: |-
  5875. A key in the referenced Secret.
  5876. Some instances of this field may be defaulted, in others it may be required.
  5877. maxLength: 253
  5878. minLength: 1
  5879. pattern: ^[-._a-zA-Z0-9]+$
  5880. type: string
  5881. name:
  5882. description: The name of the Secret resource being referred to.
  5883. maxLength: 253
  5884. minLength: 1
  5885. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5886. type: string
  5887. namespace:
  5888. description: |-
  5889. The namespace of the Secret resource being referred to.
  5890. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5891. maxLength: 63
  5892. minLength: 1
  5893. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5894. type: string
  5895. type: object
  5896. type: object
  5897. x-kubernetes-validations:
  5898. - message: either serviceAccountCredsSecretRef or tokenSecretRef must be set
  5899. rule: has(self.serviceAccountCredsSecretRef) || has(self.tokenSecretRef)
  5900. caProvider:
  5901. description: The provider for the CA bundle to use to validate NebiusMysterybox server certificate.
  5902. properties:
  5903. certSecretRef:
  5904. description: |-
  5905. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5906. In some instances, `key` is a required field.
  5907. properties:
  5908. key:
  5909. description: |-
  5910. A key in the referenced Secret.
  5911. Some instances of this field may be defaulted, in others it may be required.
  5912. maxLength: 253
  5913. minLength: 1
  5914. pattern: ^[-._a-zA-Z0-9]+$
  5915. type: string
  5916. name:
  5917. description: The name of the Secret resource being referred to.
  5918. maxLength: 253
  5919. minLength: 1
  5920. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5921. type: string
  5922. namespace:
  5923. description: |-
  5924. The namespace of the Secret resource being referred to.
  5925. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5926. maxLength: 63
  5927. minLength: 1
  5928. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5929. type: string
  5930. type: object
  5931. type: object
  5932. required:
  5933. - apiDomain
  5934. - auth
  5935. type: object
  5936. ngrok:
  5937. description: Ngrok configures this store to sync secrets using the ngrok provider.
  5938. properties:
  5939. apiUrl:
  5940. default: https://api.ngrok.com
  5941. description: APIURL is the URL of the ngrok API.
  5942. type: string
  5943. auth:
  5944. description: Auth configures how the ngrok provider authenticates with the ngrok API.
  5945. maxProperties: 1
  5946. minProperties: 1
  5947. properties:
  5948. apiKey:
  5949. description: APIKey is the API Key used to authenticate with ngrok. See https://ngrok.com/docs/api/#authentication
  5950. properties:
  5951. secretRef:
  5952. description: SecretRef is a reference to a secret containing the ngrok API key.
  5953. properties:
  5954. key:
  5955. description: |-
  5956. A key in the referenced Secret.
  5957. Some instances of this field may be defaulted, in others it may be required.
  5958. maxLength: 253
  5959. minLength: 1
  5960. pattern: ^[-._a-zA-Z0-9]+$
  5961. type: string
  5962. name:
  5963. description: The name of the Secret resource being referred to.
  5964. maxLength: 253
  5965. minLength: 1
  5966. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5967. type: string
  5968. namespace:
  5969. description: |-
  5970. The namespace of the Secret resource being referred to.
  5971. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5972. maxLength: 63
  5973. minLength: 1
  5974. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5975. type: string
  5976. type: object
  5977. type: object
  5978. type: object
  5979. vault:
  5980. description: Vault configures the ngrok vault to sync secrets with.
  5981. properties:
  5982. name:
  5983. description: Name is the name of the ngrok vault to sync secrets with.
  5984. type: string
  5985. required:
  5986. - name
  5987. type: object
  5988. required:
  5989. - auth
  5990. - vault
  5991. type: object
  5992. onboardbase:
  5993. description: Onboardbase configures this store to sync secrets using the Onboardbase provider
  5994. properties:
  5995. apiHost:
  5996. default: https://public.onboardbase.com/api/v1/
  5997. description: APIHost configures the host URL of the API for self-hosted installations; the default is https://public.onboardbase.com/api/v1/
  5998. type: string
  5999. auth:
  6000. description: Auth configures how the Operator authenticates with the Onboardbase API
  6001. properties:
  6002. apiKeyRef:
  6003. description: |-
  6004. OnboardbaseAPIKey is the APIKey generated by an admin account.
  6005. It is used to recognize and authorize access to a project and environment within onboardbase
  6006. properties:
  6007. key:
  6008. description: |-
  6009. A key in the referenced Secret.
  6010. Some instances of this field may be defaulted, in others it may be required.
  6011. maxLength: 253
  6012. minLength: 1
  6013. pattern: ^[-._a-zA-Z0-9]+$
  6014. type: string
  6015. name:
  6016. description: The name of the Secret resource being referred to.
  6017. maxLength: 253
  6018. minLength: 1
  6019. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6020. type: string
  6021. namespace:
  6022. description: |-
  6023. The namespace of the Secret resource being referred to.
  6024. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6025. maxLength: 63
  6026. minLength: 1
  6027. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6028. type: string
  6029. type: object
  6030. passcodeRef:
  6031. description: OnboardbasePasscode is the passcode attached to the API Key
  6032. properties:
  6033. key:
  6034. description: |-
  6035. A key in the referenced Secret.
  6036. Some instances of this field may be defaulted, in others it may be required.
  6037. maxLength: 253
  6038. minLength: 1
  6039. pattern: ^[-._a-zA-Z0-9]+$
  6040. type: string
  6041. name:
  6042. description: The name of the Secret resource being referred to.
  6043. maxLength: 253
  6044. minLength: 1
  6045. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6046. type: string
  6047. namespace:
  6048. description: |-
  6049. The namespace of the Secret resource being referred to.
  6050. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6051. maxLength: 63
  6052. minLength: 1
  6053. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6054. type: string
  6055. type: object
  6056. required:
  6057. - apiKeyRef
  6058. - passcodeRef
  6059. type: object
  6060. environment:
  6061. default: development
  6062. description: Environment is the name of an environment within a project to pull the secrets from
  6063. type: string
  6064. project:
  6065. default: development
  6066. description: Project is an onboardbase project that the secrets should be pulled from
  6067. type: string
  6068. required:
  6069. - apiHost
  6070. - auth
  6071. - environment
  6072. - project
  6073. type: object
  6074. onepassword:
  6075. description: OnePassword configures this store to sync secrets using the 1Password Cloud provider
  6076. properties:
  6077. auth:
  6078. description: Auth defines the information necessary to authenticate against OnePassword Connect Server
  6079. properties:
  6080. secretRef:
  6081. description: OnePasswordAuthSecretRef holds secret references for 1Password credentials.
  6082. properties:
  6083. connectTokenSecretRef:
  6084. description: The ConnectToken is used for authentication to a 1Password Connect Server.
  6085. properties:
  6086. key:
  6087. description: |-
  6088. A key in the referenced Secret.
  6089. Some instances of this field may be defaulted, in others it may be required.
  6090. maxLength: 253
  6091. minLength: 1
  6092. pattern: ^[-._a-zA-Z0-9]+$
  6093. type: string
  6094. name:
  6095. description: The name of the Secret resource being referred to.
  6096. maxLength: 253
  6097. minLength: 1
  6098. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6099. type: string
  6100. namespace:
  6101. description: |-
  6102. The namespace of the Secret resource being referred to.
  6103. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6104. maxLength: 63
  6105. minLength: 1
  6106. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6107. type: string
  6108. type: object
  6109. required:
  6110. - connectTokenSecretRef
  6111. type: object
  6112. required:
  6113. - secretRef
  6114. type: object
  6115. connectHost:
  6116. description: ConnectHost defines the OnePassword Connect Server to connect to
  6117. type: string
  6118. vaults:
  6119. additionalProperties:
  6120. type: integer
  6121. description: Vaults defines which OnePassword vaults to search in which order
  6122. type: object
  6123. required:
  6124. - auth
  6125. - connectHost
  6126. - vaults
  6127. type: object
  6128. onepasswordSDK:
  6129. description: OnePasswordSDK configures this store to use 1Password's new Go SDK to sync secrets.
  6130. properties:
  6131. auth:
  6132. description: Auth defines the information necessary to authenticate against OnePassword API.
  6133. properties:
  6134. serviceAccountSecretRef:
  6135. description: ServiceAccountSecretRef points to the secret containing the token to access 1Password vault.
  6136. properties:
  6137. key:
  6138. description: |-
  6139. A key in the referenced Secret.
  6140. Some instances of this field may be defaulted, in others it may be required.
  6141. maxLength: 253
  6142. minLength: 1
  6143. pattern: ^[-._a-zA-Z0-9]+$
  6144. type: string
  6145. name:
  6146. description: The name of the Secret resource being referred to.
  6147. maxLength: 253
  6148. minLength: 1
  6149. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6150. type: string
  6151. namespace:
  6152. description: |-
  6153. The namespace of the Secret resource being referred to.
  6154. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6155. maxLength: 63
  6156. minLength: 1
  6157. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6158. type: string
  6159. type: object
  6160. required:
  6161. - serviceAccountSecretRef
  6162. type: object
  6163. cache:
  6164. description: |-
  6165. Cache configures client-side caching for read operations (GetSecret, GetSecretMap).
  6166. When enabled, secrets are cached with the specified TTL.
  6167. Write operations (PushSecret, DeleteSecret) automatically invalidate relevant cache entries.
  6168. If omitted, caching is disabled (default).
  6169. cache: {} is a valid option to set.
  6170. properties:
  6171. maxSize:
  6172. default: 100
  6173. description: |-
  6174. MaxSize is the maximum number of secrets to cache.
  6175. When the cache is full, least-recently-used entries are evicted.
  6176. minimum: 1
  6177. type: integer
  6178. ttl:
  6179. default: 5m
  6180. description: |-
  6181. TTL is the time-to-live for cached secrets.
  6182. Format: duration string (e.g., "5m", "1h", "30s")
  6183. type: string
  6184. type: object
  6185. integrationInfo:
  6186. description: |-
  6187. IntegrationInfo specifies the name and version of the integration built using the 1Password Go SDK.
  6188. If you don't know which name and version to use, use `DefaultIntegrationName` and `DefaultIntegrationVersion`, respectively.
  6189. properties:
  6190. name:
  6191. default: 1Password SDK
  6192. description: Name defaults to "1Password SDK".
  6193. type: string
  6194. version:
  6195. default: v1.0.0
  6196. description: Version defaults to "v1.0.0".
  6197. type: string
  6198. type: object
  6199. vault:
  6200. description: Vault defines the vault's name or uuid to access. Do NOT add op:// prefix. This will be done automatically.
  6201. type: string
  6202. required:
  6203. - auth
  6204. - vault
  6205. type: object
  6206. openBao:
  6207. description: OpenBao configures this store to sync secrets using the OpenBao provider.
  6208. properties:
  6209. auth:
  6210. description: Auth configures how secret-manager authenticates with the OpenBao server.
  6211. properties:
  6212. appRole:
  6213. description: |-
  6214. AppRole authenticates with OpenBao using the [App Role auth mechanism],
  6215. with the role and secret stored in a Kubernetes Secret resource.
  6216. [App Role auth mechanism]: https://openbao.org/docs/auth/approle/
  6217. properties:
  6218. path:
  6219. default: approle
  6220. description: |-
  6221. Path where the App Role authentication backend is mounted
  6222. in OpenBao, e.g: "approle"
  6223. type: string
  6224. roleId:
  6225. description: |-
  6226. RoleID configured in the App Role authentication backend when setting
  6227. up the authentication backend in OpenBao.
  6228. minLength: 1
  6229. type: string
  6230. roleRef:
  6231. description: |-
  6232. Reference to a key in a Secret that contains the App Role ID used
  6233. to authenticate with OpenBao.
  6234. The `key` field must be specified and denotes which entry within the Secret
  6235. resource is used as the app role id.
  6236. properties:
  6237. key:
  6238. description: |-
  6239. A key in the referenced Secret.
  6240. Some instances of this field may be defaulted, in others it may be required.
  6241. maxLength: 253
  6242. minLength: 1
  6243. pattern: ^[-._a-zA-Z0-9]+$
  6244. type: string
  6245. name:
  6246. description: The name of the Secret resource being referred to.
  6247. maxLength: 253
  6248. minLength: 1
  6249. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6250. type: string
  6251. namespace:
  6252. description: |-
  6253. The namespace of the Secret resource being referred to.
  6254. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6255. maxLength: 63
  6256. minLength: 1
  6257. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6258. type: string
  6259. type: object
  6260. secretRef:
  6261. description: |-
  6262. Reference to a key in a Secret that contains the App Role secret used
  6263. to authenticate with OpenBao.
  6264. The `key` field must be specified and denotes which entry within the Secret
  6265. resource is used as the app role secret.
  6266. properties:
  6267. key:
  6268. description: |-
  6269. A key in the referenced Secret.
  6270. Some instances of this field may be defaulted, in others it may be required.
  6271. maxLength: 253
  6272. minLength: 1
  6273. pattern: ^[-._a-zA-Z0-9]+$
  6274. type: string
  6275. name:
  6276. description: The name of the Secret resource being referred to.
  6277. maxLength: 253
  6278. minLength: 1
  6279. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6280. type: string
  6281. namespace:
  6282. description: |-
  6283. The namespace of the Secret resource being referred to.
  6284. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6285. maxLength: 63
  6286. minLength: 1
  6287. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6288. type: string
  6289. type: object
  6290. required:
  6291. - path
  6292. - secretRef
  6293. type: object
  6294. x-kubernetes-validations:
  6295. - message: exactly one of the fields in [roleId roleRef] must be set
  6296. rule: '[has(self.roleId),has(self.roleRef)].filter(x,x==true).size() == 1'
  6297. namespace:
  6298. description: |-
  6299. Name of the [OpenBao Namespace] to authenticate to. This can be different
  6300. than the namespace your secret is in. Namespaces is a set of features
  6301. within OpenBao that allows OpenBao environments to support secure
  6302. multi-tenancy. e.g: "ns1". This will default to OpenBao.Namespace field
  6303. if set, or empty otherwise
  6304. [OpenBao Namespace]: https://openbao.org/docs/concepts/namespaces/
  6305. type: string
  6306. tokenSecretRef:
  6307. description: TokenSecretRef authenticates with OpenBao by presenting a token.
  6308. properties:
  6309. key:
  6310. description: |-
  6311. A key in the referenced Secret.
  6312. Some instances of this field may be defaulted, in others it may be required.
  6313. maxLength: 253
  6314. minLength: 1
  6315. pattern: ^[-._a-zA-Z0-9]+$
  6316. type: string
  6317. name:
  6318. description: The name of the Secret resource being referred to.
  6319. maxLength: 253
  6320. minLength: 1
  6321. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6322. type: string
  6323. namespace:
  6324. description: |-
  6325. The namespace of the Secret resource being referred to.
  6326. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6327. maxLength: 63
  6328. minLength: 1
  6329. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6330. type: string
  6331. type: object
  6332. userPass:
  6333. description: UserPass authenticates with OpenBao by passing a username/password pair
  6334. properties:
  6335. path:
  6336. default: userpass
  6337. description: |-
  6338. Path where the UserPassword authentication backend is mounted
  6339. in OpenBao, e.g: "userpass"
  6340. type: string
  6341. secretRef:
  6342. description: |-
  6343. SecretRef to a key in a Secret resource containing password for the user
  6344. used to authenticate with OpenBao using the [UserPass authentication
  6345. method]
  6346. [UserPass authentication method]: https://openbao.org/docs/auth/userpass/
  6347. properties:
  6348. key:
  6349. description: |-
  6350. A key in the referenced Secret.
  6351. Some instances of this field may be defaulted, in others it may be required.
  6352. maxLength: 253
  6353. minLength: 1
  6354. pattern: ^[-._a-zA-Z0-9]+$
  6355. type: string
  6356. name:
  6357. description: The name of the Secret resource being referred to.
  6358. maxLength: 253
  6359. minLength: 1
  6360. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6361. type: string
  6362. namespace:
  6363. description: |-
  6364. The namespace of the Secret resource being referred to.
  6365. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6366. maxLength: 63
  6367. minLength: 1
  6368. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6369. type: string
  6370. type: object
  6371. username:
  6372. description: |-
  6373. Username is a username used to authenticate using the [UserPass
  6374. authentication method]
  6375. [UserPass authentication method]: https://openbao.org/docs/auth/userpass/
  6376. type: string
  6377. required:
  6378. - path
  6379. - username
  6380. type: object
  6381. type: object
  6382. x-kubernetes-validations:
  6383. - message: exactly one of the fields in [appRole tokenSecretRef userPass] must be set
  6384. rule: '[has(self.appRole),has(self.tokenSecretRef),has(self.userPass)].filter(x,x==true).size() == 1'
  6385. caBundle:
  6386. description: |-
  6387. PEM encoded CA bundle used to validate the OpenBao server certificate. If
  6388. this and `caProvider` are not set the system root certificates are used
  6389. to validate the TLS connection.
  6390. format: byte
  6391. type: string
  6392. caProvider:
  6393. description: |-
  6394. The provider for the CA bundle to use to validate OpenBao server
  6395. certificate. If this and `caBundle` are not set the system root
  6396. certificates are used to validate the TLS connection.
  6397. properties:
  6398. key:
  6399. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  6400. maxLength: 253
  6401. minLength: 1
  6402. pattern: ^[-._a-zA-Z0-9]+$
  6403. type: string
  6404. name:
  6405. description: The name of the object located at the provider type.
  6406. maxLength: 253
  6407. minLength: 1
  6408. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6409. type: string
  6410. namespace:
  6411. description: |-
  6412. The namespace the Provider type is in.
  6413. Can only be defined when used in a ClusterSecretStore.
  6414. maxLength: 63
  6415. minLength: 1
  6416. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6417. type: string
  6418. type:
  6419. description: The type of provider to use such as "Secret", or "ConfigMap".
  6420. enum:
  6421. - Secret
  6422. - ConfigMap
  6423. type: string
  6424. required:
  6425. - name
  6426. - type
  6427. type: object
  6428. namespace:
  6429. description: |-
  6430. Name of the [OpenBao Namespace]. Namespaces is a set of features within
  6431. OpenBao that allows OpenBao environments to support secure multi-tenancy.
  6432. e.g: "ns1".
  6433. [OpenBao Namespace]: https://openbao.org/docs/concepts/namespaces/
  6434. type: string
  6435. path:
  6436. description: |-
  6437. Path is the mount path of the OpenBao KV backend endpoint, e.g:
  6438. "secret". The v2 KV secret engine version specific "/data" path suffix
  6439. for fetching secrets from OpenBao is optional and will be appended
  6440. if not present in specified path.
  6441. type: string
  6442. server:
  6443. description: 'Server is the connection address for the OpenBao server, e.g: `https://openbao.example.com:8200`.'
  6444. type: string
  6445. version:
  6446. default: v2
  6447. description: |-
  6448. Version is the OpenBao KV secret engine version. This can be either "v1" or
  6449. "v2". Version defaults to "v2".
  6450. enum:
  6451. - v1
  6452. - v2
  6453. type: string
  6454. required:
  6455. - server
  6456. type: object
  6457. x-kubernetes-validations:
  6458. - message: at most one of the fields in [caBundle caProvider] may be set
  6459. rule: '[has(self.caBundle),has(self.caProvider)].filter(x,x==true).size() <= 1'
  6460. oracle:
  6461. description: Oracle configures this store to sync secrets using Oracle Vault provider
  6462. properties:
  6463. auth:
  6464. description: |-
  6465. Auth configures how secret-manager authenticates with the Oracle Vault.
  6466. If empty, the instance principal is used; otherwise the user credentials specified in Auth are used.
  6467. properties:
  6468. secretRef:
  6469. description: SecretRef to pass through sensitive information.
  6470. properties:
  6471. fingerprint:
  6472. description: Fingerprint is the fingerprint of the API private key.
  6473. properties:
  6474. key:
  6475. description: |-
  6476. A key in the referenced Secret.
  6477. Some instances of this field may be defaulted, in others it may be required.
  6478. maxLength: 253
  6479. minLength: 1
  6480. pattern: ^[-._a-zA-Z0-9]+$
  6481. type: string
  6482. name:
  6483. description: The name of the Secret resource being referred to.
  6484. maxLength: 253
  6485. minLength: 1
  6486. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6487. type: string
  6488. namespace:
  6489. description: |-
  6490. The namespace of the Secret resource being referred to.
  6491. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6492. maxLength: 63
  6493. minLength: 1
  6494. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6495. type: string
  6496. type: object
  6497. privatekey:
  6498. description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
  6499. properties:
  6500. key:
  6501. description: |-
  6502. A key in the referenced Secret.
  6503. Some instances of this field may be defaulted, in others it may be required.
  6504. maxLength: 253
  6505. minLength: 1
  6506. pattern: ^[-._a-zA-Z0-9]+$
  6507. type: string
  6508. name:
  6509. description: The name of the Secret resource being referred to.
  6510. maxLength: 253
  6511. minLength: 1
  6512. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6513. type: string
  6514. namespace:
  6515. description: |-
  6516. The namespace of the Secret resource being referred to.
  6517. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6518. maxLength: 63
  6519. minLength: 1
  6520. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6521. type: string
  6522. type: object
  6523. required:
  6524. - fingerprint
  6525. - privatekey
  6526. type: object
  6527. tenancy:
  6528. description: Tenancy is the tenancy OCID where the user is located.
  6529. type: string
  6530. user:
  6531. description: User is an access OCID specific to the account.
  6532. type: string
  6533. required:
  6534. - secretRef
  6535. - tenancy
  6536. - user
  6537. type: object
  6538. compartment:
  6539. description: |-
  6540. Compartment is the vault compartment OCID.
  6541. Required for PushSecret
  6542. type: string
  6543. encryptionKey:
  6544. description: |-
  6545. EncryptionKey is the OCID of the encryption key within the vault.
  6546. Required for PushSecret
  6547. type: string
  6548. principalType:
  6549. description: |-
  6550. The type of principal to use for authentication. If left blank, the Auth struct will
  6551. determine the principal type. This optional field must be specified if using
  6552. workload identity.
  6553. enum:
  6554. - ""
  6555. - UserPrincipal
  6556. - InstancePrincipal
  6557. - Workload
  6558. type: string
  6559. region:
  6560. description: Region is the region where vault is located.
  6561. type: string
  6562. serviceAccountRef:
  6563. description: |-
  6564. ServiceAccountRef specifies the service account
  6565. that should be used when authenticating with WorkloadIdentity.
  6566. properties:
  6567. audiences:
  6568. description: |-
  6569. Audience specifies the `aud` claim for the service account token.
  6570. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity,
  6571. then these audiences will be appended to the list.
  6572. items:
  6573. type: string
  6574. type: array
  6575. name:
  6576. description: The name of the ServiceAccount resource being referred to.
  6577. maxLength: 253
  6578. minLength: 1
  6579. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6580. type: string
  6581. namespace:
  6582. description: |-
  6583. Namespace of the resource being referred to.
  6584. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6585. maxLength: 63
  6586. minLength: 1
  6587. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6588. type: string
  6589. required:
  6590. - name
  6591. type: object
  6592. vault:
  6593. description: Vault is the vault's OCID of the specific vault where secret is located.
  6594. type: string
  6595. required:
  6596. - region
  6597. - vault
  6598. type: object
  6599. ovh:
  6600. description: OVHcloud configures this store to sync secrets using the OVHcloud provider.
  6601. properties:
  6602. auth:
  6603. description: Authentication method (mtls or token).
  6604. properties:
  6605. mtls:
  6606. description: OvhClientMTLS defines the configuration required to authenticate to OVHcloud's Secret Manager using mTLS.
  6607. properties:
  6608. caBundle:
  6609. format: byte
  6610. type: string
  6611. caProvider:
  6612. description: |-
  6613. CAProvider provides a custom certificate authority for accessing the provider's store.
  6614. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate.
  6615. properties:
  6616. key:
  6617. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  6618. maxLength: 253
  6619. minLength: 1
  6620. pattern: ^[-._a-zA-Z0-9]+$
  6621. type: string
  6622. name:
  6623. description: The name of the object located at the provider type.
  6624. maxLength: 253
  6625. minLength: 1
  6626. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6627. type: string
  6628. namespace:
  6629. description: |-
  6630. The namespace the Provider type is in.
  6631. Can only be defined when used in a ClusterSecretStore.
  6632. maxLength: 63
  6633. minLength: 1
  6634. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6635. type: string
  6636. type:
  6637. description: The type of provider to use such as "Secret", or "ConfigMap".
  6638. enum:
  6639. - Secret
  6640. - ConfigMap
  6641. type: string
  6642. required:
  6643. - name
  6644. - type
  6645. type: object
  6646. certSecretRef:
  6647. description: |-
  6648. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  6649. In some instances, `key` is a required field.
  6650. properties:
  6651. key:
  6652. description: |-
  6653. A key in the referenced Secret.
  6654. Some instances of this field may be defaulted, in others it may be required.
  6655. maxLength: 253
  6656. minLength: 1
  6657. pattern: ^[-._a-zA-Z0-9]+$
  6658. type: string
  6659. name:
  6660. description: The name of the Secret resource being referred to.
  6661. maxLength: 253
  6662. minLength: 1
  6663. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6664. type: string
  6665. namespace:
  6666. description: |-
  6667. The namespace of the Secret resource being referred to.
  6668. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6669. maxLength: 63
  6670. minLength: 1
  6671. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6672. type: string
  6673. type: object
  6674. keySecretRef:
  6675. description: |-
  6676. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  6677. In some instances, `key` is a required field.
  6678. properties:
  6679. key:
  6680. description: |-
  6681. A key in the referenced Secret.
  6682. Some instances of this field may be defaulted, in others it may be required.
  6683. maxLength: 253
  6684. minLength: 1
  6685. pattern: ^[-._a-zA-Z0-9]+$
  6686. type: string
  6687. name:
  6688. description: The name of the Secret resource being referred to.
  6689. maxLength: 253
  6690. minLength: 1
  6691. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6692. type: string
  6693. namespace:
  6694. description: |-
  6695. The namespace of the Secret resource being referred to.
  6696. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6697. maxLength: 63
  6698. minLength: 1
  6699. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6700. type: string
  6701. type: object
  6702. required:
  6703. - certSecretRef
  6704. - keySecretRef
  6705. type: object
  6706. token:
  6707. description: OvhClientToken defines the configuration required to authenticate to OVHcloud's Secret Manager using a token.
  6708. properties:
  6709. tokenSecretRef:
  6710. description: |-
  6711. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  6712. In some instances, `key` is a required field.
  6713. properties:
  6714. key:
  6715. description: |-
  6716. A key in the referenced Secret.
  6717. Some instances of this field may be defaulted, in others it may be required.
  6718. maxLength: 253
  6719. minLength: 1
  6720. pattern: ^[-._a-zA-Z0-9]+$
  6721. type: string
  6722. name:
  6723. description: The name of the Secret resource being referred to.
  6724. maxLength: 253
  6725. minLength: 1
  6726. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6727. type: string
  6728. namespace:
  6729. description: |-
  6730. The namespace of the Secret resource being referred to.
  6731. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6732. maxLength: 63
  6733. minLength: 1
  6734. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6735. type: string
  6736. type: object
  6737. required:
  6738. - tokenSecretRef
  6739. type: object
  6740. type: object
  6741. casRequired:
  6742. description: 'Enables or disables check-and-set (CAS) (default: false).'
  6743. type: boolean
  6744. okmsTimeout:
  6745. default: 30
  6746. description: 'Sets a timeout in seconds for requests made to the KMS (default: 30).'
  6747. format: int32
  6748. minimum: 1
  6749. type: integer
  6750. okmsid:
  6751. description: Specifies the OKMS ID.
  6752. type: string
  6753. server:
  6754. description: Specifies the OKMS server endpoint.
  6755. type: string
  6756. required:
  6757. - auth
  6758. - okmsid
  6759. - server
  6760. type: object
  6761. passbolt:
  6762. description: |-
  6763. PassboltProvider provides access to Passbolt secrets manager.
  6764. See: https://www.passbolt.com.
  6765. properties:
  6766. auth:
  6767. description: Auth defines the information necessary to authenticate against Passbolt Server
  6768. properties:
  6769. passwordSecretRef:
  6770. description: |-
  6771. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  6772. In some instances, `key` is a required field.
  6773. properties:
  6774. key:
  6775. description: |-
  6776. A key in the referenced Secret.
  6777. Some instances of this field may be defaulted, in others it may be required.
  6778. maxLength: 253
  6779. minLength: 1
  6780. pattern: ^[-._a-zA-Z0-9]+$
  6781. type: string
  6782. name:
  6783. description: The name of the Secret resource being referred to.
  6784. maxLength: 253
  6785. minLength: 1
  6786. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6787. type: string
  6788. namespace:
  6789. description: |-
  6790. The namespace of the Secret resource being referred to.
  6791. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6792. maxLength: 63
  6793. minLength: 1
  6794. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6795. type: string
  6796. type: object
  6797. privateKeySecretRef:
  6798. description: |-
  6799. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  6800. In some instances, `key` is a required field.
  6801. properties:
  6802. key:
  6803. description: |-
  6804. A key in the referenced Secret.
  6805. Some instances of this field may be defaulted, in others it may be required.
  6806. maxLength: 253
  6807. minLength: 1
  6808. pattern: ^[-._a-zA-Z0-9]+$
  6809. type: string
  6810. name:
  6811. description: The name of the Secret resource being referred to.
  6812. maxLength: 253
  6813. minLength: 1
  6814. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6815. type: string
  6816. namespace:
  6817. description: |-
  6818. The namespace of the Secret resource being referred to.
  6819. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6820. maxLength: 63
  6821. minLength: 1
  6822. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6823. type: string
  6824. type: object
  6825. required:
  6826. - passwordSecretRef
  6827. - privateKeySecretRef
  6828. type: object
  6829. caBundle:
  6830. description: |-
  6831. PEM encoded CA bundle used to validate the Passbolt server certificate. Only used
  6832. if the Host URL is using the HTTPS protocol. If not set, the system root certificates
  6833. are used to validate the TLS connection.
  6834. format: byte
  6835. type: string
  6836. caProvider:
  6837. description: The provider for the CA bundle to use to validate Passbolt server certificate.
  6838. properties:
  6839. key:
  6840. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  6841. maxLength: 253
  6842. minLength: 1
  6843. pattern: ^[-._a-zA-Z0-9]+$
  6844. type: string
  6845. name:
  6846. description: The name of the object located at the provider type.
  6847. maxLength: 253
  6848. minLength: 1
  6849. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6850. type: string
  6851. namespace:
  6852. description: |-
  6853. The namespace the Provider type is in.
  6854. Can only be defined when used in a ClusterSecretStore.
  6855. maxLength: 63
  6856. minLength: 1
  6857. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6858. type: string
  6859. type:
  6860. description: The type of provider to use such as "Secret", or "ConfigMap".
  6861. enum:
  6862. - Secret
  6863. - ConfigMap
  6864. type: string
  6865. required:
  6866. - name
  6867. - type
  6868. type: object
  6869. host:
  6870. description: Host defines the Passbolt Server to connect to
  6871. type: string
  6872. required:
  6873. - auth
  6874. - host
  6875. type: object
  6876. passworddepot:
  6877. description: PasswordDepotProvider configures a store to sync secrets with a Password Depot instance.
  6878. properties:
  6879. auth:
  6880. description: Auth configures how secret-manager authenticates with a Password Depot instance.
  6881. properties:
  6882. secretRef:
  6883. description: PasswordDepotSecretRef contains the secret reference for Password Depot authentication.
  6884. properties:
  6885. credentials:
  6886. description: Username / Password is used for authentication.
  6887. properties:
  6888. key:
  6889. description: |-
  6890. A key in the referenced Secret.
  6891. Some instances of this field may be defaulted, in others it may be required.
  6892. maxLength: 253
  6893. minLength: 1
  6894. pattern: ^[-._a-zA-Z0-9]+$
  6895. type: string
  6896. name:
  6897. description: The name of the Secret resource being referred to.
  6898. maxLength: 253
  6899. minLength: 1
  6900. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6901. type: string
  6902. namespace:
  6903. description: |-
  6904. The namespace of the Secret resource being referred to.
  6905. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6906. maxLength: 63
  6907. minLength: 1
  6908. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6909. type: string
  6910. type: object
  6911. type: object
  6912. required:
  6913. - secretRef
  6914. type: object
  6915. database:
  6916. description: Database to use as the source
  6917. type: string
  6918. host:
  6919. description: URL configures the Password Depot instance URL.
  6920. type: string
  6921. required:
  6922. - auth
  6923. - database
  6924. - host
  6925. type: object
  6926. previder:
  6927. description: Previder configures this store to sync secrets using the Previder provider
  6928. properties:
  6929. auth:
  6930. description: PreviderAuth contains a secretRef for credentials.
  6931. properties:
  6932. secretRef:
  6933. description: PreviderAuthSecretRef holds secret references for Previder Vault credentials.
  6934. properties:
  6935. accessToken:
  6936. description: The AccessToken is used for authentication
  6937. properties:
  6938. key:
  6939. description: |-
  6940. A key in the referenced Secret.
  6941. Some instances of this field may be defaulted, in others it may be required.
  6942. maxLength: 253
  6943. minLength: 1
  6944. pattern: ^[-._a-zA-Z0-9]+$
  6945. type: string
  6946. name:
  6947. description: The name of the Secret resource being referred to.
  6948. maxLength: 253
  6949. minLength: 1
  6950. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6951. type: string
  6952. namespace:
  6953. description: |-
  6954. The namespace of the Secret resource being referred to.
  6955. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6956. maxLength: 63
  6957. minLength: 1
  6958. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6959. type: string
  6960. type: object
  6961. required:
  6962. - accessToken
  6963. type: object
  6964. type: object
  6965. baseUri:
  6966. type: string
  6967. required:
  6968. - auth
  6969. type: object
  6970. pulumi:
  6971. description: Pulumi configures this store to sync secrets using the Pulumi provider
  6972. properties:
  6973. accessToken:
  6974. description: |-
  6975. AccessToken is the access token used to sign in to the Pulumi Cloud Console.
  6976. Deprecated: Use auth.accessToken instead.
  6977. properties:
  6978. secretRef:
  6979. description: SecretRef is a reference to a secret containing the Pulumi API token.
  6980. properties:
  6981. key:
  6982. description: |-
  6983. A key in the referenced Secret.
  6984. Some instances of this field may be defaulted, in others it may be required.
  6985. maxLength: 253
  6986. minLength: 1
  6987. pattern: ^[-._a-zA-Z0-9]+$
  6988. type: string
  6989. name:
  6990. description: The name of the Secret resource being referred to.
  6991. maxLength: 253
  6992. minLength: 1
  6993. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6994. type: string
  6995. namespace:
  6996. description: |-
  6997. The namespace of the Secret resource being referred to.
  6998. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6999. maxLength: 63
  7000. minLength: 1
  7001. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7002. type: string
  7003. type: object
  7004. type: object
  7005. apiUrl:
  7006. default: https://api.pulumi.com/api/esc
  7007. description: APIURL is the URL of the Pulumi API.
  7008. type: string
  7009. auth:
  7010. description: |-
  7011. Auth configures how the Operator authenticates with the Pulumi API.
  7012. Either auth or the deprecated accessToken field must be specified.
  7013. properties:
  7014. accessToken:
  7015. description: AccessToken authenticates using a Pulumi access token stored in a Kubernetes Secret.
  7016. properties:
  7017. secretRef:
  7018. description: SecretRef is a reference to a secret containing the Pulumi API token.
  7019. properties:
  7020. key:
  7021. description: |-
  7022. A key in the referenced Secret.
  7023. Some instances of this field may be defaulted, in others it may be required.
  7024. maxLength: 253
  7025. minLength: 1
  7026. pattern: ^[-._a-zA-Z0-9]+$
  7027. type: string
  7028. name:
  7029. description: The name of the Secret resource being referred to.
  7030. maxLength: 253
  7031. minLength: 1
  7032. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7033. type: string
  7034. namespace:
  7035. description: |-
  7036. The namespace of the Secret resource being referred to.
  7037. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7038. maxLength: 63
  7039. minLength: 1
  7040. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7041. type: string
  7042. type: object
  7043. type: object
  7044. oidcConfig:
  7045. description: OIDCConfig authenticates using Kubernetes ServiceAccount tokens via OIDC.
  7046. properties:
  7047. expirationSeconds:
  7048. default: 600
  7049. description: |-
  7050. ExpirationSeconds sets the token validity duration for service account and OIDC token.
  7051. Defaults to 10 minutes.
  7052. format: int64
  7053. minimum: 600
  7054. type: integer
  7055. organization:
  7056. description: Organization is the name of the Pulumi organization configured for OIDC authentication.
  7057. type: string
  7058. serviceAccountRef:
  7059. description: ServiceAccountRef specifies the Kubernetes ServiceAccount to use for authentication.
  7060. properties:
  7061. audiences:
  7062. description: |-
  7063. Audience specifies the `aud` claim for the service account token.
  7064. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity,
  7065. then these audiences will be appended to the list.
  7066. items:
  7067. type: string
  7068. type: array
  7069. name:
  7070. description: The name of the ServiceAccount resource being referred to.
  7071. maxLength: 253
  7072. minLength: 1
  7073. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7074. type: string
  7075. namespace:
  7076. description: |-
  7077. Namespace of the resource being referred to.
  7078. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7079. maxLength: 63
  7080. minLength: 1
  7081. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7082. type: string
  7083. required:
  7084. - name
  7085. type: object
  7086. required:
  7087. - organization
  7088. - serviceAccountRef
  7089. type: object
  7090. type: object
  7091. x-kubernetes-validations:
  7092. - message: Exactly one of 'accessToken' or 'oidcConfig' must be specified
  7093. rule: (has(self.accessToken) && !has(self.oidcConfig)) || (!has(self.accessToken) && has(self.oidcConfig))
  7094. environment:
  7095. description: |-
  7096. Environment is a YAML document composed of static key-value pairs, programmatic expressions,
  7097. dynamically retrieved values from supported providers including all major clouds,
  7098. and other Pulumi ESC environments.
  7099. To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information.
  7100. type: string
  7101. organization:
  7102. description: |-
  7103. Organization is a space to collaborate on shared projects and stacks.
  7104. To create a new organization, visit https://app.pulumi.com/ and click "New Organization".
  7105. type: string
  7106. project:
  7107. description: Project is the name of the Pulumi ESC project the environment belongs to.
  7108. type: string
  7109. required:
  7110. - environment
  7111. - organization
  7112. - project
  7113. type: object
  7114. x-kubernetes-validations:
  7115. - message: Exactly one of 'auth' or deprecated 'accessToken' must be specified
  7116. rule: (has(self.auth) && !has(self.accessToken)) || (!has(self.auth) && has(self.accessToken))
  7117. scaleway:
  7118. description: Scaleway configures this store to sync secrets using the Scaleway provider.
  7119. properties:
  7120. accessKey:
  7121. description: AccessKey is the non-secret part of the api key.
  7122. properties:
  7123. secretRef:
  7124. description: SecretRef references a key in a secret that will be used as value.
  7125. properties:
  7126. key:
  7127. description: |-
  7128. A key in the referenced Secret.
  7129. Some instances of this field may be defaulted, in others it may be required.
  7130. maxLength: 253
  7131. minLength: 1
  7132. pattern: ^[-._a-zA-Z0-9]+$
  7133. type: string
  7134. name:
  7135. description: The name of the Secret resource being referred to.
  7136. maxLength: 253
  7137. minLength: 1
  7138. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7139. type: string
  7140. namespace:
  7141. description: |-
  7142. The namespace of the Secret resource being referred to.
  7143. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7144. maxLength: 63
  7145. minLength: 1
  7146. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7147. type: string
  7148. type: object
  7149. value:
  7150. description: Value can be specified directly to set a value without using a secret.
  7151. type: string
  7152. type: object
  7153. apiUrl:
  7154. description: APIURL is the URL of the API to use. Defaults to https://api.scaleway.com
  7155. type: string
  7156. projectId:
  7157. description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings'
  7158. type: string
  7159. region:
  7160. description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone'
  7161. type: string
  7162. secretKey:
  7163. description: SecretKey is the secret part of the api key.
  7164. properties:
  7165. secretRef:
  7166. description: SecretRef references a key in a secret that will be used as value.
  7167. properties:
  7168. key:
  7169. description: |-
  7170. A key in the referenced Secret.
  7171. Some instances of this field may be defaulted, in others it may be required.
  7172. maxLength: 253
  7173. minLength: 1
  7174. pattern: ^[-._a-zA-Z0-9]+$
  7175. type: string
  7176. name:
  7177. description: The name of the Secret resource being referred to.
  7178. maxLength: 253
  7179. minLength: 1
  7180. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7181. type: string
  7182. namespace:
  7183. description: |-
  7184. The namespace of the Secret resource being referred to.
  7185. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7186. maxLength: 63
  7187. minLength: 1
  7188. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7189. type: string
  7190. type: object
  7191. value:
  7192. description: Value can be specified directly to set a value without using a secret.
  7193. type: string
  7194. type: object
  7195. required:
  7196. - accessKey
  7197. - projectId
  7198. - region
  7199. - secretKey
  7200. type: object
  7201. secretserver:
  7202. description: |-
  7203. SecretServer configures this store to sync secrets using SecretServer provider
  7204. https://docs.delinea.com/online-help/secret-server/start.htm
  7205. properties:
  7206. caBundle:
  7207. description: |-
  7208. PEM/base64 encoded CA bundle used to validate the Secret Server ServerURL certificate. Only used
  7209. if the ServerURL is using the HTTPS protocol. If not set, the system root certificates
  7210. are used to validate the TLS connection.
  7211. format: byte
  7212. type: string
  7213. caProvider:
  7214. description: The provider for the CA bundle to use to validate Secret ServerURL certificate.
  7215. properties:
  7216. key:
  7217. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  7218. maxLength: 253
  7219. minLength: 1
  7220. pattern: ^[-._a-zA-Z0-9]+$
  7221. type: string
  7222. name:
  7223. description: The name of the object located at the provider type.
  7224. maxLength: 253
  7225. minLength: 1
  7226. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7227. type: string
  7228. namespace:
  7229. description: |-
  7230. The namespace the Provider type is in.
  7231. Can only be defined when used in a ClusterSecretStore.
  7232. maxLength: 63
  7233. minLength: 1
  7234. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7235. type: string
  7236. type:
  7237. description: The type of provider to use such as "Secret", or "ConfigMap".
  7238. enum:
  7239. - Secret
  7240. - ConfigMap
  7241. type: string
  7242. required:
  7243. - name
  7244. - type
  7245. type: object
  7246. domain:
  7247. description: Domain is the secret server domain.
  7248. type: string
  7249. password:
  7250. description: Password is the secret server account password.
  7251. properties:
  7252. secretRef:
  7253. description: SecretRef references a key in a secret that will be used as value.
  7254. properties:
  7255. key:
  7256. description: |-
  7257. A key in the referenced Secret.
  7258. Some instances of this field may be defaulted, in others it may be required.
  7259. maxLength: 253
  7260. minLength: 1
  7261. pattern: ^[-._a-zA-Z0-9]+$
  7262. type: string
  7263. name:
  7264. description: The name of the Secret resource being referred to.
  7265. maxLength: 253
  7266. minLength: 1
  7267. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7268. type: string
  7269. namespace:
  7270. description: |-
  7271. The namespace of the Secret resource being referred to.
  7272. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7273. maxLength: 63
  7274. minLength: 1
  7275. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7276. type: string
  7277. type: object
  7278. value:
  7279. description: Value can be specified directly to set a value without using a secret.
  7280. type: string
  7281. type: object
  7282. serverURL:
  7283. description: |-
  7284. ServerURL is the URL of your Secret Server installation.
  7286. type: string
  7287. username:
  7288. description: Username is the secret server account username.
  7289. properties:
  7290. secretRef:
  7291. description: SecretRef references a key in a secret that will be used as value.
  7292. properties:
  7293. key:
  7294. description: |-
  7295. A key in the referenced Secret.
  7296. Some instances of this field may be defaulted, in others it may be required.
  7297. maxLength: 253
  7298. minLength: 1
  7299. pattern: ^[-._a-zA-Z0-9]+$
  7300. type: string
  7301. name:
  7302. description: The name of the Secret resource being referred to.
  7303. maxLength: 253
  7304. minLength: 1
  7305. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7306. type: string
  7307. namespace:
  7308. description: |-
  7309. The namespace of the Secret resource being referred to.
  7310. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7311. maxLength: 63
  7312. minLength: 1
  7313. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7314. type: string
  7315. type: object
  7316. value:
  7317. description: Value can be specified directly to set a value without using a secret.
  7318. type: string
  7319. type: object
  7320. required:
  7321. - password
  7322. - serverURL
  7323. - username
  7324. type: object
  7325. senhasegura:
  7326. description: Senhasegura configures this store to sync secrets using senhasegura provider
  7327. properties:
  7328. auth:
  7329. description: Auth defines the parameters used to authenticate with senhasegura
  7330. properties:
  7331. clientId:
  7332. type: string
  7333. clientSecretSecretRef:
  7334. description: |-
  7335. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  7336. In some instances, `key` is a required field.
  7337. properties:
  7338. key:
  7339. description: |-
  7340. A key in the referenced Secret.
  7341. Some instances of this field may be defaulted, in others it may be required.
  7342. maxLength: 253
  7343. minLength: 1
  7344. pattern: ^[-._a-zA-Z0-9]+$
  7345. type: string
  7346. name:
  7347. description: The name of the Secret resource being referred to.
  7348. maxLength: 253
  7349. minLength: 1
  7350. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7351. type: string
  7352. namespace:
  7353. description: |-
  7354. The namespace of the Secret resource being referred to.
  7355. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7356. maxLength: 63
  7357. minLength: 1
  7358. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7359. type: string
  7360. type: object
  7361. required:
  7362. - clientId
  7363. - clientSecretSecretRef
  7364. type: object
  7365. ignoreSslCertificate:
  7366. default: false
  7367. description: IgnoreSslCertificate defines whether the SSL certificate must be ignored
  7368. type: boolean
  7369. module:
  7370. description: Module defines which senhasegura module should be used to get secrets
  7371. type: string
  7372. url:
  7373. description: URL of senhasegura
  7374. type: string
  7375. required:
  7376. - auth
  7377. - module
  7378. - url
  7379. type: object
  7380. vault:
  7381. description: Vault configures this store to sync secrets using the HashiCorp Vault provider.
  7382. properties:
  7383. auth:
  7384. description: Auth configures how secret-manager authenticates with the Vault server.
  7385. properties:
  7386. appRole:
  7387. description: |-
  7388. AppRole authenticates with Vault using the App Role auth mechanism,
  7389. with the role and secret stored in a Kubernetes Secret resource.
  7390. properties:
  7391. path:
  7392. default: approle
  7393. description: |-
  7394. Path where the App Role authentication backend is mounted
  7395. in Vault, e.g: "approle"
  7396. type: string
  7397. roleId:
  7398. description: |-
  7399. RoleID configured in the App Role authentication backend when setting
  7400. up the authentication backend in Vault.
  7401. type: string
  7402. roleRef:
  7403. description: |-
  7404. Reference to a key in a Secret that contains the App Role ID used
  7405. to authenticate with Vault.
  7406. The `key` field must be specified and denotes which entry within the Secret
  7407. resource is used as the app role id.
  7408. properties:
  7409. key:
  7410. description: |-
  7411. A key in the referenced Secret.
  7412. Some instances of this field may be defaulted, in others it may be required.
  7413. maxLength: 253
  7414. minLength: 1
  7415. pattern: ^[-._a-zA-Z0-9]+$
  7416. type: string
  7417. name:
  7418. description: The name of the Secret resource being referred to.
  7419. maxLength: 253
  7420. minLength: 1
  7421. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7422. type: string
  7423. namespace:
  7424. description: |-
  7425. The namespace of the Secret resource being referred to.
  7426. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7427. maxLength: 63
  7428. minLength: 1
  7429. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7430. type: string
  7431. type: object
  7432. secretRef:
  7433. description: |-
  7434. Reference to a key in a Secret that contains the App Role secret used
  7435. to authenticate with Vault.
  7436. The `key` field must be specified and denotes which entry within the Secret
  7437. resource is used as the app role secret.
  7438. properties:
  7439. key:
  7440. description: |-
  7441. A key in the referenced Secret.
  7442. Some instances of this field may be defaulted, in others it may be required.
  7443. maxLength: 253
  7444. minLength: 1
  7445. pattern: ^[-._a-zA-Z0-9]+$
  7446. type: string
  7447. name:
  7448. description: The name of the Secret resource being referred to.
  7449. maxLength: 253
  7450. minLength: 1
  7451. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7452. type: string
  7453. namespace:
  7454. description: |-
  7455. The namespace of the Secret resource being referred to.
  7456. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7457. maxLength: 63
  7458. minLength: 1
  7459. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7460. type: string
  7461. type: object
  7462. required:
  7463. - path
  7464. - secretRef
  7465. type: object
  7466. cert:
  7467. description: |-
  7468. Cert authenticates with Vault using the TLS certificate authentication method,
  7469. by passing a client certificate, private key and CA certificate
  7470. properties:
  7471. clientCert:
  7472. description: |-
  7473. ClientCert is a certificate to authenticate using the Cert Vault
  7474. authentication method
  7475. properties:
  7476. key:
  7477. description: |-
  7478. A key in the referenced Secret.
  7479. Some instances of this field may be defaulted, in others it may be required.
  7480. maxLength: 253
  7481. minLength: 1
  7482. pattern: ^[-._a-zA-Z0-9]+$
  7483. type: string
  7484. name:
  7485. description: The name of the Secret resource being referred to.
  7486. maxLength: 253
  7487. minLength: 1
  7488. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7489. type: string
  7490. namespace:
  7491. description: |-
  7492. The namespace of the Secret resource being referred to.
  7493. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7494. maxLength: 63
  7495. minLength: 1
  7496. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7497. type: string
  7498. type: object
  7499. path:
  7500. default: cert
  7501. description: |-
  7502. Path where the Certificate authentication backend is mounted
  7503. in Vault, e.g: "cert"
  7504. type: string
  7505. secretRef:
  7506. description: |-
  7507. SecretRef to a key in a Secret resource containing client private key to
  7508. authenticate with Vault using the Cert authentication method
  7509. properties:
  7510. key:
  7511. description: |-
  7512. A key in the referenced Secret.
  7513. Some instances of this field may be defaulted, in others it may be required.
  7514. maxLength: 253
  7515. minLength: 1
  7516. pattern: ^[-._a-zA-Z0-9]+$
  7517. type: string
  7518. name:
  7519. description: The name of the Secret resource being referred to.
  7520. maxLength: 253
  7521. minLength: 1
  7522. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7523. type: string
  7524. namespace:
  7525. description: |-
  7526. The namespace of the Secret resource being referred to.
  7527. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7528. maxLength: 63
  7529. minLength: 1
  7530. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7531. type: string
  7532. type: object
  7533. vaultRole:
  7534. description: VaultRole specifies the Vault role to use for TLS certificate authentication.
  7535. type: string
  7536. type: object
  7537. gcp:
  7538. description: |-
  7539. Gcp authenticates with Vault using the Google Cloud Platform (GCP)
  7540. authentication method
  7541. properties:
  7542. location:
  7543. description: Location optionally defines a location/region for the secret
  7544. type: string
  7545. path:
  7546. default: gcp
  7547. description: 'Path where the GCP auth method is enabled in Vault, e.g: "gcp"'
  7548. type: string
  7549. projectID:
  7550. description: Project ID of the Google Cloud Platform project
  7551. type: string
  7552. role:
  7553. description: Vault Role. In Vault, a role describes an identity with a set of permissions, groups, or policies you want to attach to a user of the secrets engine.
  7554. type: string
  7555. secretRef:
  7556. description: Specify credentials in a Secret object
  7557. properties:
  7558. secretAccessKeySecretRef:
  7559. description: The SecretAccessKey is used for authentication
  7560. properties:
  7561. key:
  7562. description: |-
  7563. A key in the referenced Secret.
  7564. Some instances of this field may be defaulted, in others it may be required.
  7565. maxLength: 253
  7566. minLength: 1
  7567. pattern: ^[-._a-zA-Z0-9]+$
  7568. type: string
  7569. name:
  7570. description: The name of the Secret resource being referred to.
  7571. maxLength: 253
  7572. minLength: 1
  7573. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7574. type: string
  7575. namespace:
  7576. description: |-
  7577. The namespace of the Secret resource being referred to.
  7578. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7579. maxLength: 63
  7580. minLength: 1
  7581. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7582. type: string
  7583. type: object
  7584. type: object
  7585. serviceAccountRef:
  7586. description: ServiceAccountRef to a service account for impersonation
  7587. properties:
  7588. audiences:
  7589. description: |-
  7590. Audience specifies the `aud` claim for the service account token.
  7591. If the service account uses a well-known annotation, e.g. for IRSA or GCP Workload Identity,
  7592. then these audiences will be appended to the list.
  7593. items:
  7594. type: string
  7595. type: array
  7596. name:
  7597. description: The name of the ServiceAccount resource being referred to.
  7598. maxLength: 253
  7599. minLength: 1
  7600. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7601. type: string
  7602. namespace:
  7603. description: |-
  7604. Namespace of the resource being referred to.
  7605. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7606. maxLength: 63
  7607. minLength: 1
  7608. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7609. type: string
  7610. required:
  7611. - name
  7612. type: object
  7613. workloadIdentity:
  7614. description: Specify a service account with Workload Identity
  7615. properties:
  7616. clusterLocation:
  7617. description: |-
  7618. ClusterLocation is the location of the cluster
  7619. If not specified, it fetches information from the metadata server
  7620. type: string
  7621. clusterName:
  7622. description: |-
  7623. ClusterName is the name of the cluster
  7624. If not specified, it fetches information from the metadata server
  7625. type: string
  7626. clusterProjectID:
  7627. description: |-
  7628. ClusterProjectID is the project ID of the cluster
  7629. If not specified, it fetches information from the metadata server
  7630. type: string
  7631. serviceAccountRef:
  7632. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  7633. properties:
  7634. audiences:
  7635. description: |-
  7636. Audience specifies the `aud` claim for the service account token.
  7637. If the service account uses a well-known annotation, e.g. for IRSA or GCP Workload Identity,
  7638. then these audiences will be appended to the list.
  7639. items:
  7640. type: string
  7641. type: array
  7642. name:
  7643. description: The name of the ServiceAccount resource being referred to.
  7644. maxLength: 253
  7645. minLength: 1
  7646. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7647. type: string
  7648. namespace:
  7649. description: |-
  7650. Namespace of the resource being referred to.
  7651. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7652. maxLength: 63
  7653. minLength: 1
  7654. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7655. type: string
  7656. required:
  7657. - name
  7658. type: object
  7659. required:
  7660. - serviceAccountRef
  7661. type: object
  7662. required:
  7663. - role
  7664. type: object
  7665. iam:
  7666. description: |-
  7667. Iam authenticates with Vault using the AWS IAM authentication method,
  7668. by passing a special AWS request signed with AWS IAM credentials
  7669. properties:
  7670. externalID:
  7671. description: AWS External ID set on assumed IAM roles
  7672. type: string
  7673. jwt:
  7674. description: Specify a service account with IRSA enabled
  7675. properties:
  7676. serviceAccountRef:
  7677. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  7678. properties:
  7679. audiences:
  7680. description: |-
  7681. Audience specifies the `aud` claim for the service account token
  7682. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  7683. then this audiences will be appended to the list
  7684. items:
  7685. type: string
  7686. type: array
  7687. name:
  7688. description: The name of the ServiceAccount resource being referred to.
  7689. maxLength: 253
  7690. minLength: 1
  7691. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7692. type: string
  7693. namespace:
  7694. description: |-
  7695. Namespace of the resource being referred to.
  7696. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7697. maxLength: 63
  7698. minLength: 1
  7699. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7700. type: string
  7701. required:
  7702. - name
  7703. type: object
  7704. type: object
  7705. path:
  7706. description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
  7707. type: string
  7708. region:
  7709. description: AWS region
  7710. type: string
  7711. role:
  7712. description: This is the AWS role to be assumed before talking to vault
  7713. type: string
  7714. secretRef:
  7715. description: Specify credentials in a Secret object
  7716. properties:
  7717. accessKeyIDSecretRef:
  7718. description: The AccessKeyID is used for authentication
  7719. properties:
  7720. key:
  7721. description: |-
  7722. A key in the referenced Secret.
  7723. Some instances of this field may be defaulted, in others it may be required.
  7724. maxLength: 253
  7725. minLength: 1
  7726. pattern: ^[-._a-zA-Z0-9]+$
  7727. type: string
  7728. name:
  7729. description: The name of the Secret resource being referred to.
  7730. maxLength: 253
  7731. minLength: 1
  7732. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7733. type: string
  7734. namespace:
  7735. description: |-
  7736. The namespace of the Secret resource being referred to.
  7737. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7738. maxLength: 63
  7739. minLength: 1
  7740. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7741. type: string
  7742. type: object
  7743. secretAccessKeySecretRef:
  7744. description: The SecretAccessKey is used for authentication
  7745. properties:
  7746. key:
  7747. description: |-
  7748. A key in the referenced Secret.
  7749. Some instances of this field may be defaulted, in others it may be required.
  7750. maxLength: 253
  7751. minLength: 1
  7752. pattern: ^[-._a-zA-Z0-9]+$
  7753. type: string
  7754. name:
  7755. description: The name of the Secret resource being referred to.
  7756. maxLength: 253
  7757. minLength: 1
  7758. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7759. type: string
  7760. namespace:
  7761. description: |-
  7762. The namespace of the Secret resource being referred to.
  7763. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7764. maxLength: 63
  7765. minLength: 1
  7766. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7767. type: string
  7768. type: object
  7769. sessionTokenSecretRef:
  7770. description: |-
  7771. The SessionToken used for authentication
  7772. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  7773. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  7774. properties:
  7775. key:
  7776. description: |-
  7777. A key in the referenced Secret.
  7778. Some instances of this field may be defaulted, in others it may be required.
  7779. maxLength: 253
  7780. minLength: 1
  7781. pattern: ^[-._a-zA-Z0-9]+$
  7782. type: string
  7783. name:
  7784. description: The name of the Secret resource being referred to.
  7785. maxLength: 253
  7786. minLength: 1
  7787. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7788. type: string
  7789. namespace:
  7790. description: |-
  7791. The namespace of the Secret resource being referred to.
  7792. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7793. maxLength: 63
  7794. minLength: 1
  7795. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7796. type: string
  7797. type: object
  7798. type: object
  7799. vaultAwsIamServerID:
  7800. description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
  7801. type: string
  7802. vaultRole:
  7803. description: Vault Role. In Vault, a role describes an identity with a set of permissions, groups, or policies you want to attach to a user of the secrets engine.
  7804. type: string
  7805. required:
  7806. - vaultRole
  7807. type: object
  7808. jwt:
  7809. description: |-
  7810. Jwt authenticates with Vault by passing role and JWT token using the
  7811. JWT/OIDC authentication method
  7812. properties:
  7813. kubernetesServiceAccountToken:
  7814. description: |-
  7815. Optional ServiceAccountToken specifies the Kubernetes service account for which to request
  7816. a token for with the `TokenRequest` API.
  7817. properties:
  7818. audiences:
  7819. description: |-
  7820. Optional audiences field that will be used to request a temporary Kubernetes service
  7821. account token for the service account referenced by `serviceAccountRef`.
  7822. Defaults to a single audience `vault` if not specified.
  7823. Deprecated: use serviceAccountRef.Audiences instead
  7824. items:
  7825. type: string
  7826. type: array
  7827. expirationSeconds:
  7828. description: |-
  7829. Optional expiration time in seconds that will be used to request a temporary
  7830. Kubernetes service account token for the service account referenced by
  7831. `serviceAccountRef`.
  7832. Deprecated: this will be removed in the future.
  7833. Defaults to 10 minutes.
  7834. format: int64
  7835. type: integer
  7836. serviceAccountRef:
  7837. description: Service account field containing the name of a kubernetes ServiceAccount.
  7838. properties:
  7839. audiences:
  7840. description: |-
  7841. Audience specifies the `aud` claim for the service account token
  7842. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  7843. then this audiences will be appended to the list
  7844. items:
  7845. type: string
  7846. type: array
  7847. name:
  7848. description: The name of the ServiceAccount resource being referred to.
  7849. maxLength: 253
  7850. minLength: 1
  7851. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7852. type: string
  7853. namespace:
  7854. description: |-
  7855. Namespace of the resource being referred to.
  7856. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7857. maxLength: 63
  7858. minLength: 1
  7859. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7860. type: string
  7861. required:
  7862. - name
  7863. type: object
  7864. required:
  7865. - serviceAccountRef
  7866. type: object
  7867. path:
  7868. default: jwt
  7869. description: |-
  7870. Path where the JWT authentication backend is mounted
  7871. in Vault, e.g: "jwt"
  7872. type: string
  7873. role:
  7874. description: |-
  7875. Role is a JWT role to authenticate using the JWT/OIDC Vault
  7876. authentication method
  7877. type: string
  7878. secretRef:
  7879. description: |-
  7880. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  7881. authenticate with Vault using the JWT/OIDC authentication method.
  7882. properties:
  7883. key:
  7884. description: |-
  7885. A key in the referenced Secret.
  7886. Some instances of this field may be defaulted, in others it may be required.
  7887. maxLength: 253
  7888. minLength: 1
  7889. pattern: ^[-._a-zA-Z0-9]+$
  7890. type: string
  7891. name:
  7892. description: The name of the Secret resource being referred to.
  7893. maxLength: 253
  7894. minLength: 1
  7895. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7896. type: string
  7897. namespace:
  7898. description: |-
  7899. The namespace of the Secret resource being referred to.
  7900. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7901. maxLength: 63
  7902. minLength: 1
  7903. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7904. type: string
  7905. type: object
  7906. required:
  7907. - path
  7908. type: object
  7909. kubernetes:
  7910. description: |-
  7911. Kubernetes authenticates with Vault by passing the ServiceAccount
  7912. token stored in the named Secret resource to the Vault server.
  7913. properties:
  7914. mountPath:
  7915. default: kubernetes
  7916. description: |-
  7917. Path where the Kubernetes authentication backend is mounted in Vault, e.g:
  7918. "kubernetes"
  7919. type: string
  7920. role:
  7921. description: |-
  7922. A required field containing the Vault Role to assume. A Role binds a
  7923. Kubernetes ServiceAccount with a set of Vault policies.
  7924. type: string
  7925. secretRef:
  7926. description: |-
  7927. Optional secret field containing a Kubernetes ServiceAccount JWT used
  7928. for authenticating with Vault. If a name is specified without a key,
  7929. `token` is the default. If one is not specified, the one bound to
  7930. the controller will be used.
  7931. properties:
  7932. key:
  7933. description: |-
  7934. A key in the referenced Secret.
  7935. Some instances of this field may be defaulted, in others it may be required.
  7936. maxLength: 253
  7937. minLength: 1
  7938. pattern: ^[-._a-zA-Z0-9]+$
  7939. type: string
  7940. name:
  7941. description: The name of the Secret resource being referred to.
  7942. maxLength: 253
  7943. minLength: 1
  7944. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7945. type: string
  7946. namespace:
  7947. description: |-
  7948. The namespace of the Secret resource being referred to.
  7949. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7950. maxLength: 63
  7951. minLength: 1
  7952. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7953. type: string
  7954. type: object
  7955. serviceAccountRef:
  7956. description: |-
  7957. Optional service account field containing the name of a kubernetes ServiceAccount.
  7958. If the service account is specified, the service account secret token JWT will be used
  7959. for authenticating with Vault. If the service account selector is not supplied,
  7960. the secretRef will be used instead.
  7961. properties:
  7962. audiences:
  7963. description: |-
  7964. Audience specifies the `aud` claim for the service account token
  7965. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  7966. then this audiences will be appended to the list
  7967. items:
  7968. type: string
  7969. type: array
  7970. name:
  7971. description: The name of the ServiceAccount resource being referred to.
  7972. maxLength: 253
  7973. minLength: 1
  7974. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7975. type: string
  7976. namespace:
  7977. description: |-
  7978. Namespace of the resource being referred to.
  7979. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7980. maxLength: 63
  7981. minLength: 1
  7982. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7983. type: string
  7984. required:
  7985. - name
  7986. type: object
  7987. required:
  7988. - mountPath
  7989. - role
  7990. type: object
  7991. ldap:
  7992. description: |-
  7993. Ldap authenticates with Vault by passing username/password pair using
  7994. the LDAP authentication method
  7995. properties:
  7996. path:
  7997. default: ldap
  7998. description: |-
  7999. Path where the LDAP authentication backend is mounted
  8000. in Vault, e.g: "ldap"
  8001. type: string
  8002. secretRef:
  8003. description: |-
  8004. SecretRef to a key in a Secret resource containing password for the LDAP
  8005. user used to authenticate with Vault using the LDAP authentication
  8006. method
  8007. properties:
  8008. key:
  8009. description: |-
  8010. A key in the referenced Secret.
  8011. Some instances of this field may be defaulted, in others it may be required.
  8012. maxLength: 253
  8013. minLength: 1
  8014. pattern: ^[-._a-zA-Z0-9]+$
  8015. type: string
  8016. name:
  8017. description: The name of the Secret resource being referred to.
  8018. maxLength: 253
  8019. minLength: 1
  8020. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8021. type: string
  8022. namespace:
  8023. description: |-
  8024. The namespace of the Secret resource being referred to.
  8025. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8026. maxLength: 63
  8027. minLength: 1
  8028. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8029. type: string
  8030. type: object
  8031. username:
  8032. description: |-
  8033. Username is an LDAP username used to authenticate using the LDAP Vault
  8034. authentication method
  8035. type: string
  8036. required:
  8037. - path
  8038. - username
  8039. type: object
  8040. namespace:
  8041. description: |-
  8042. Name of the Vault namespace to authenticate to. This can be different from the namespace your secret is in.
  8043. Namespaces is a set of features within Vault Enterprise that allows
  8044. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  8045. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  8046. This will default to the Vault.Namespace field if set, or be empty otherwise
  8047. type: string
  8048. tokenSecretRef:
  8049. description: TokenSecretRef authenticates with Vault by presenting a token.
  8050. properties:
  8051. key:
  8052. description: |-
  8053. A key in the referenced Secret.
  8054. Some instances of this field may be defaulted, in others it may be required.
  8055. maxLength: 253
  8056. minLength: 1
  8057. pattern: ^[-._a-zA-Z0-9]+$
  8058. type: string
  8059. name:
  8060. description: The name of the Secret resource being referred to.
  8061. maxLength: 253
  8062. minLength: 1
  8063. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8064. type: string
  8065. namespace:
  8066. description: |-
  8067. The namespace of the Secret resource being referred to.
  8068. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8069. maxLength: 63
  8070. minLength: 1
  8071. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8072. type: string
  8073. type: object
  8074. userPass:
  8075. description: UserPass authenticates with Vault by passing username/password pair
  8076. properties:
  8077. path:
  8078. default: userpass
  8079. description: |-
  8080. Path where the UserPassword authentication backend is mounted
  8081. in Vault, e.g: "userpass"
  8082. type: string
  8083. secretRef:
  8084. description: |-
  8085. SecretRef to a key in a Secret resource containing password for the
  8086. user used to authenticate with Vault using the UserPass authentication
  8087. method
  8088. properties:
  8089. key:
  8090. description: |-
  8091. A key in the referenced Secret.
  8092. Some instances of this field may be defaulted, in others it may be required.
  8093. maxLength: 253
  8094. minLength: 1
  8095. pattern: ^[-._a-zA-Z0-9]+$
  8096. type: string
  8097. name:
  8098. description: The name of the Secret resource being referred to.
  8099. maxLength: 253
  8100. minLength: 1
  8101. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8102. type: string
  8103. namespace:
  8104. description: |-
  8105. The namespace of the Secret resource being referred to.
  8106. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8107. maxLength: 63
  8108. minLength: 1
  8109. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8110. type: string
  8111. type: object
  8112. username:
  8113. description: |-
  8114. Username is a username used to authenticate using the UserPass Vault
  8115. authentication method
  8116. type: string
  8117. required:
  8118. - path
  8119. - username
  8120. type: object
  8121. type: object
  8122. caBundle:
  8123. description: |-
  8124. PEM encoded CA bundle used to validate Vault server certificate. Only used
  8125. if the Server URL is using HTTPS protocol. This parameter is ignored for
  8126. plain HTTP protocol connection. If not set the system root certificates
  8127. are used to validate the TLS connection.
  8128. format: byte
  8129. type: string
  8130. caProvider:
  8131. description: The provider for the CA bundle to use to validate Vault server certificate.
  8132. properties:
  8133. key:
  8134. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  8135. maxLength: 253
  8136. minLength: 1
  8137. pattern: ^[-._a-zA-Z0-9]+$
  8138. type: string
  8139. name:
  8140. description: The name of the object located at the provider type.
  8141. maxLength: 253
  8142. minLength: 1
  8143. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8144. type: string
  8145. namespace:
  8146. description: |-
  8147. The namespace the Provider type is in.
  8148. Can only be defined when used in a ClusterSecretStore.
  8149. maxLength: 63
  8150. minLength: 1
  8151. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8152. type: string
  8153. type:
  8154. description: The type of provider to use such as "Secret", or "ConfigMap".
  8155. enum:
  8156. - Secret
  8157. - ConfigMap
  8158. type: string
  8159. required:
  8160. - name
  8161. - type
  8162. type: object
  8163. checkAndSet:
  8164. description: |-
  8165. CheckAndSet defines the Check-And-Set (CAS) settings for PushSecret operations.
  8166. Only applies to Vault KV v2 stores. When enabled, write operations must include
  8167. the current version of the secret to prevent unintentional overwrites.
  8168. properties:
  8169. required:
  8170. description: |-
  8171. Required, when true, means that all write operations must include a check-and-set parameter.
  8172. This helps prevent unintentional overwrites of secrets.
  8173. type: boolean
  8174. type: object
  8175. forwardInconsistent:
  8176. description: |-
  8177. ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
  8178. leader instead of simply retrying within a loop. This can increase performance if
  8179. the option is enabled serverside.
  8180. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  8181. type: boolean
  8182. headers:
  8183. additionalProperties:
  8184. type: string
  8185. description: Headers to be added in Vault request
  8186. type: object
  8187. namespace:
  8188. description: |-
  8189. Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
  8190. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  8191. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  8192. type: string
  8193. path:
  8194. description: |-
  8195. Path is the mount path of the Vault KV backend endpoint, e.g:
  8196. "secret". The v2 KV secret engine version specific "/data" path suffix
  8197. for fetching secrets from Vault is optional and will be appended
  8198. if not present in specified path.
  8199. type: string
  8200. readYourWrites:
  8201. description: |-
  8202. ReadYourWrites ensures isolated read-after-write semantics by
  8203. providing discovered cluster replication states in each request.
  8204. More information about eventual consistency in Vault can be found here
  8205. https://www.vaultproject.io/docs/enterprise/consistency
  8206. type: boolean
  8207. server:
  8208. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  8209. type: string
  8210. tls:
  8211. description: |-
  8212. The configuration used for client side related TLS communication, when the Vault server
  8213. requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
  8214. This parameter is ignored for plain HTTP protocol connection.
  8215. It's worth noting this configuration is different from the "TLS certificates auth method",
  8216. which is available under the `auth.cert` section.
  8217. properties:
  8218. certSecretRef:
  8219. description: |-
  8220. CertSecretRef is a certificate added to the transport layer
  8221. when communicating with the Vault server.
  8222. If no key for the Secret is specified, external-secret will default to 'tls.crt'.
  8223. properties:
  8224. key:
  8225. description: |-
  8226. A key in the referenced Secret.
  8227. Some instances of this field may be defaulted, in others it may be required.
  8228. maxLength: 253
  8229. minLength: 1
  8230. pattern: ^[-._a-zA-Z0-9]+$
  8231. type: string
  8232. name:
  8233. description: The name of the Secret resource being referred to.
  8234. maxLength: 253
  8235. minLength: 1
  8236. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8237. type: string
  8238. namespace:
  8239. description: |-
  8240. The namespace of the Secret resource being referred to.
  8241. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8242. maxLength: 63
  8243. minLength: 1
  8244. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8245. type: string
  8246. type: object
  8247. keySecretRef:
  8248. description: |-
  8249. KeySecretRef to a key in a Secret resource containing client private key
  8250. added to the transport layer when communicating with the Vault server.
  8251. If no key for the Secret is specified, external-secret will default to 'tls.key'.
  8252. properties:
  8253. key:
  8254. description: |-
  8255. A key in the referenced Secret.
  8256. Some instances of this field may be defaulted, in others it may be required.
  8257. maxLength: 253
  8258. minLength: 1
  8259. pattern: ^[-._a-zA-Z0-9]+$
  8260. type: string
  8261. name:
  8262. description: The name of the Secret resource being referred to.
  8263. maxLength: 253
  8264. minLength: 1
  8265. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8266. type: string
  8267. namespace:
  8268. description: |-
  8269. The namespace of the Secret resource being referred to.
  8270. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8271. maxLength: 63
  8272. minLength: 1
  8273. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8274. type: string
  8275. type: object
  8276. type: object
  8277. version:
  8278. default: v2
  8279. description: |-
  8280. Version is the Vault KV secret engine version. This can be either "v1" or
  8281. "v2". Version defaults to "v2".
  8282. enum:
  8283. - v1
  8284. - v2
  8285. type: string
  8286. required:
  8287. - server
  8288. type: object
  8289. volcengine:
  8290. description: Volcengine configures this store to sync secrets using the Volcengine provider
  8291. properties:
  8292. auth:
  8293. description: |-
  8294. Auth defines the authentication method to use.
  8295. If not specified, the provider will try to use IRSA (IAM Role for Service Account).
  8296. properties:
  8297. secretRef:
  8298. description: |-
  8299. SecretRef defines the static credentials to use for authentication.
  8300. If not set, IRSA is used.
  8301. properties:
  8302. accessKeyID:
  8303. description: AccessKeyID is the reference to the secret containing the Access Key ID.
  8304. properties:
  8305. key:
  8306. description: |-
  8307. A key in the referenced Secret.
  8308. Some instances of this field may be defaulted, in others it may be required.
  8309. maxLength: 253
  8310. minLength: 1
  8311. pattern: ^[-._a-zA-Z0-9]+$
  8312. type: string
  8313. name:
  8314. description: The name of the Secret resource being referred to.
  8315. maxLength: 253
  8316. minLength: 1
  8317. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8318. type: string
  8319. namespace:
  8320. description: |-
  8321. The namespace of the Secret resource being referred to.
  8322. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8323. maxLength: 63
  8324. minLength: 1
  8325. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8326. type: string
  8327. type: object
  8328. secretAccessKey:
  8329. description: SecretAccessKey is the reference to the secret containing the Secret Access Key.
  8330. properties:
  8331. key:
  8332. description: |-
  8333. A key in the referenced Secret.
  8334. Some instances of this field may be defaulted, in others it may be required.
  8335. maxLength: 253
  8336. minLength: 1
  8337. pattern: ^[-._a-zA-Z0-9]+$
  8338. type: string
  8339. name:
  8340. description: The name of the Secret resource being referred to.
  8341. maxLength: 253
  8342. minLength: 1
  8343. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8344. type: string
  8345. namespace:
  8346. description: |-
  8347. The namespace of the Secret resource being referred to.
  8348. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8349. maxLength: 63
  8350. minLength: 1
  8351. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8352. type: string
  8353. type: object
  8354. token:
  8355. description: Token is the reference to the secret containing the STS(Security Token Service) Token.
  8356. properties:
  8357. key:
  8358. description: |-
  8359. A key in the referenced Secret.
  8360. Some instances of this field may be defaulted, in others it may be required.
  8361. maxLength: 253
  8362. minLength: 1
  8363. pattern: ^[-._a-zA-Z0-9]+$
  8364. type: string
  8365. name:
  8366. description: The name of the Secret resource being referred to.
  8367. maxLength: 253
  8368. minLength: 1
  8369. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8370. type: string
  8371. namespace:
  8372. description: |-
  8373. The namespace of the Secret resource being referred to.
  8374. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8375. maxLength: 63
  8376. minLength: 1
  8377. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8378. type: string
  8379. type: object
  8380. required:
  8381. - accessKeyID
  8382. - secretAccessKey
  8383. type: object
  8384. type: object
  8385. region:
  8386. description: Region specifies the Volcengine region to connect to.
  8387. type: string
  8388. required:
  8389. - region
  8390. type: object
  8391. webhook:
  8392. description: Webhook configures this store to sync secrets using a generic templated webhook
  8393. properties:
  8394. auth:
  8395. description: Auth specifies an authorization protocol. Only one protocol may be set.
  8396. maxProperties: 1
  8397. minProperties: 1
  8398. properties:
  8399. ntlm:
  8400. description: NTLMProtocol configures the store to use NTLM for auth
  8401. properties:
  8402. passwordSecret:
  8403. description: |-
  8404. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  8405. In some instances, `key` is a required field.
  8406. properties:
  8407. key:
  8408. description: |-
  8409. A key in the referenced Secret.
  8410. Some instances of this field may be defaulted, in others it may be required.
  8411. maxLength: 253
  8412. minLength: 1
  8413. pattern: ^[-._a-zA-Z0-9]+$
  8414. type: string
  8415. name:
  8416. description: The name of the Secret resource being referred to.
  8417. maxLength: 253
  8418. minLength: 1
  8419. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8420. type: string
  8421. namespace:
  8422. description: |-
  8423. The namespace of the Secret resource being referred to.
  8424. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8425. maxLength: 63
  8426. minLength: 1
  8427. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8428. type: string
  8429. type: object
  8430. usernameSecret:
  8431. description: |-
  8432. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  8433. In some instances, `key` is a required field.
  8434. properties:
  8435. key:
  8436. description: |-
  8437. A key in the referenced Secret.
  8438. Some instances of this field may be defaulted, in others it may be required.
  8439. maxLength: 253
  8440. minLength: 1
  8441. pattern: ^[-._a-zA-Z0-9]+$
  8442. type: string
  8443. name:
  8444. description: The name of the Secret resource being referred to.
  8445. maxLength: 253
  8446. minLength: 1
  8447. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8448. type: string
  8449. namespace:
  8450. description: |-
  8451. The namespace of the Secret resource being referred to.
  8452. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8453. maxLength: 63
  8454. minLength: 1
  8455. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8456. type: string
  8457. type: object
  8458. required:
  8459. - passwordSecret
  8460. - usernameSecret
  8461. type: object
  8462. type: object
  8463. body:
  8464. description: Body
  8465. type: string
  8466. caBundle:
  8467. description: |-
  8468. PEM encoded CA bundle used to validate webhook server certificate. Only used
  8469. if the Server URL is using HTTPS protocol. This parameter is ignored for
  8470. plain HTTP protocol connection. If not set the system root certificates
  8471. are used to validate the TLS connection.
  8472. format: byte
  8473. type: string
  8474. caProvider:
  8475. description: The provider for the CA bundle to use to validate webhook server certificate.
  8476. properties:
  8477. key:
  8478. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  8479. maxLength: 253
  8480. minLength: 1
  8481. pattern: ^[-._a-zA-Z0-9]+$
  8482. type: string
  8483. name:
  8484. description: The name of the object located at the provider type.
  8485. maxLength: 253
  8486. minLength: 1
  8487. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8488. type: string
  8489. namespace:
  8490. description: The namespace the Provider type is in.
  8491. maxLength: 63
  8492. minLength: 1
  8493. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8494. type: string
  8495. type:
  8496. description: The type of provider to use such as "Secret", or "ConfigMap".
  8497. enum:
  8498. - Secret
  8499. - ConfigMap
  8500. type: string
  8501. required:
  8502. - name
  8503. - type
  8504. type: object
  8505. headers:
  8506. additionalProperties:
  8507. type: string
  8508. description: Headers
  8509. type: object
  8510. method:
  8511. description: Webhook Method
  8512. type: string
  8513. result:
  8514. description: Result formatting
  8515. properties:
  8516. jsonPath:
  8517. description: JSON path of the return value
  8518. type: string
  8519. type: object
  8520. secrets:
  8521. description: |-
  8522. Secrets to fill in templates
  8523. These secrets will be passed to the templating function as key value pairs under the given name
  8524. items:
  8525. description: WebhookSecret defines a secret that will be passed to the webhook request.
  8526. properties:
  8527. name:
  8528. description: Name of this secret in templates
  8529. type: string
  8530. secretRef:
  8531. description: Secret ref to fill in credentials
  8532. properties:
  8533. key:
  8534. description: |-
  8535. A key in the referenced Secret.
  8536. Some instances of this field may be defaulted, in others it may be required.
  8537. maxLength: 253
  8538. minLength: 1
  8539. pattern: ^[-._a-zA-Z0-9]+$
  8540. type: string
  8541. name:
  8542. description: The name of the Secret resource being referred to.
  8543. maxLength: 253
  8544. minLength: 1
  8545. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8546. type: string
  8547. namespace:
  8548. description: |-
  8549. The namespace of the Secret resource being referred to.
  8550. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8551. maxLength: 63
  8552. minLength: 1
  8553. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8554. type: string
  8555. type: object
  8556. required:
  8557. - name
  8558. - secretRef
  8559. type: object
  8560. type: array
  8561. timeout:
  8562. description: Timeout
  8563. type: string
  8564. url:
  8565. description: Webhook url to call
  8566. type: string
  8567. required:
  8568. - url
  8569. type: object
  8570. yandexcertificatemanager:
  8571. description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider
  8572. properties:
  8573. apiEndpoint:
  8574. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  8575. type: string
  8576. auth:
  8577. description: Auth defines the information necessary to authenticate against Yandex.Cloud
  8578. properties:
  8579. authorizedKeySecretRef:
  8580. description: The authorized key used for authentication
  8581. properties:
  8582. key:
  8583. description: |-
  8584. A key in the referenced Secret.
  8585. Some instances of this field may be defaulted, in others it may be required.
  8586. maxLength: 253
  8587. minLength: 1
  8588. pattern: ^[-._a-zA-Z0-9]+$
  8589. type: string
  8590. name:
  8591. description: The name of the Secret resource being referred to.
  8592. maxLength: 253
  8593. minLength: 1
  8594. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8595. type: string
  8596. namespace:
  8597. description: |-
  8598. The namespace of the Secret resource being referred to.
  8599. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8600. maxLength: 63
  8601. minLength: 1
  8602. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8603. type: string
  8604. type: object
  8605. type: object
  8606. caProvider:
  8607. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  8608. properties:
  8609. certSecretRef:
  8610. description: |-
  8611. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  8612. In some instances, `key` is a required field.
  8613. properties:
  8614. key:
  8615. description: |-
  8616. A key in the referenced Secret.
  8617. Some instances of this field may be defaulted, in others it may be required.
  8618. maxLength: 253
  8619. minLength: 1
  8620. pattern: ^[-._a-zA-Z0-9]+$
  8621. type: string
  8622. name:
  8623. description: The name of the Secret resource being referred to.
  8624. maxLength: 253
  8625. minLength: 1
  8626. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8627. type: string
  8628. namespace:
  8629. description: |-
  8630. The namespace of the Secret resource being referred to.
  8631. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8632. maxLength: 63
  8633. minLength: 1
  8634. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8635. type: string
  8636. type: object
  8637. type: object
  8638. fetching:
  8639. description: FetchingPolicy configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as certificate ID or certificate name
  8640. maxProperties: 1
  8641. minProperties: 1
  8642. properties:
  8643. byID:
  8644. description: ByID configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret ID.
  8645. type: object
  8646. byName:
  8647. description: ByName configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret name.
  8648. properties:
  8649. folderID:
  8650. description: The folder to fetch secrets from
  8651. type: string
  8652. required:
  8653. - folderID
  8654. type: object
  8655. type: object
  8656. required:
  8657. - auth
  8658. type: object
  8659. yandexlockbox:
  8660. description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
  8661. properties:
  8662. apiEndpoint:
  8663. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  8664. type: string
  8665. auth:
  8666. description: Auth defines the information necessary to authenticate against Yandex.Cloud
  8667. properties:
  8668. authorizedKeySecretRef:
  8669. description: The authorized key used for authentication
  8670. properties:
  8671. key:
  8672. description: |-
  8673. A key in the referenced Secret.
  8674. Some instances of this field may be defaulted, in others it may be required.
  8675. maxLength: 253
  8676. minLength: 1
  8677. pattern: ^[-._a-zA-Z0-9]+$
  8678. type: string
  8679. name:
  8680. description: The name of the Secret resource being referred to.
  8681. maxLength: 253
  8682. minLength: 1
  8683. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8684. type: string
  8685. namespace:
  8686. description: |-
  8687. The namespace of the Secret resource being referred to.
  8688. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8689. maxLength: 63
  8690. minLength: 1
  8691. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8692. type: string
  8693. type: object
  8694. type: object
  8695. caProvider:
  8696. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  8697. properties:
  8698. certSecretRef:
  8699. description: |-
  8700. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  8701. In some instances, `key` is a required field.
  8702. properties:
  8703. key:
  8704. description: |-
  8705. A key in the referenced Secret.
  8706. Some instances of this field may be defaulted, in others it may be required.
  8707. maxLength: 253
  8708. minLength: 1
  8709. pattern: ^[-._a-zA-Z0-9]+$
  8710. type: string
  8711. name:
  8712. description: The name of the Secret resource being referred to.
  8713. maxLength: 253
  8714. minLength: 1
  8715. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8716. type: string
  8717. namespace:
  8718. description: |-
  8719. The namespace of the Secret resource being referred to.
  8720. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8721. maxLength: 63
  8722. minLength: 1
  8723. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8724. type: string
  8725. type: object
  8726. type: object
  8727. fetching:
  8728. description: FetchingPolicy configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret ID or secret name
  8729. maxProperties: 1
  8730. minProperties: 1
  8731. properties:
  8732. byID:
  8733. description: ByID configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret ID.
  8734. type: object
  8735. byName:
  8736. description: ByName configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret name.
  8737. properties:
  8738. folderID:
  8739. description: The folder to fetch secrets from
  8740. type: string
  8741. required:
  8742. - folderID
  8743. type: object
  8744. type: object
  8745. required:
  8746. - auth
  8747. type: object
  8748. type: object
  8749. refreshInterval:
  8750. description: Used to configure the store refresh interval in seconds. Empty or 0 will default to the controller config.
  8751. type: integer
  8752. retrySettings:
  8753. description: Used to configure HTTP retries on failures.
  8754. properties:
  8755. maxRetries:
  8756. format: int32
  8757. type: integer
  8758. retryInterval:
  8759. type: string
  8760. type: object
  8761. required:
  8762. - provider
  8763. type: object
  8764. status:
  8765. description: SecretStoreStatus defines the observed state of the SecretStore.
  8766. properties:
  8767. capabilities:
  8768. description: SecretStoreCapabilities defines the possible operations a SecretStore can do.
  8769. type: string
  8770. conditions:
  8771. items:
  8772. description: SecretStoreStatusCondition contains condition information for a SecretStore.
  8773. properties:
  8774. lastTransitionTime:
  8775. format: date-time
  8776. type: string
  8777. message:
  8778. type: string
  8779. reason:
  8780. type: string
  8781. status:
  8782. type: string
  8783. type:
  8784. description: SecretStoreConditionType represents the condition of the SecretStore.
  8785. type: string
  8786. required:
  8787. - status
  8788. - type
  8789. type: object
  8790. type: array
  8791. type: object
  8792. type: object
  8793. served: true
  8794. storage: true
  8795. subresources:
  8796. status: {}
  8797. - additionalPrinterColumns:
  8798. - jsonPath: .metadata.creationTimestamp
  8799. name: AGE
  8800. type: date
  8801. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  8802. name: Status
  8803. type: string
  8804. - jsonPath: .status.capabilities
  8805. name: Capabilities
  8806. type: string
  8807. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  8808. name: Ready
  8809. type: string
  8810. deprecated: true
  8811. name: v1beta1
  8812. schema:
  8813. openAPIV3Schema:
  8814. description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
  8815. properties:
  8816. apiVersion:
  8817. description: |-
  8818. APIVersion defines the versioned schema of this representation of an object.
  8819. Servers should convert recognized schemas to the latest internal value, and
  8820. may reject unrecognized values.
  8821. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  8822. type: string
  8823. kind:
  8824. description: |-
  8825. Kind is a string value representing the REST resource this object represents.
  8826. Servers may infer this from the endpoint the client submits requests to.
  8827. Cannot be updated.
  8828. In CamelCase.
  8829. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  8830. type: string
  8831. metadata:
  8832. type: object
  8833. spec:
  8834. description: SecretStoreSpec defines the desired state of SecretStore.
  8835. properties:
  8836. conditions:
  8837. description: Used to constrain a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore.
  8838. items:
  8839. description: |-
  8840. ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in
  8841. for a ClusterSecretStore instance.
  8842. properties:
  8843. namespaceRegexes:
  8844. description: Choose namespaces by using regex matching
  8845. items:
  8846. type: string
  8847. type: array
  8848. namespaceSelector:
  8849. description: Choose namespace using a labelSelector
  8850. properties:
  8851. matchExpressions:
  8852. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  8853. items:
  8854. description: |-
  8855. A label selector requirement is a selector that contains values, a key, and an operator that
  8856. relates the key and values.
  8857. properties:
  8858. key:
  8859. description: key is the label key that the selector applies to.
  8860. type: string
  8861. operator:
  8862. description: |-
  8863. operator represents a key's relationship to a set of values.
  8864. Valid operators are In, NotIn, Exists and DoesNotExist.
  8865. type: string
  8866. values:
  8867. description: |-
  8868. values is an array of string values. If the operator is In or NotIn,
  8869. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  8870. the values array must be empty. This array is replaced during a strategic
  8871. merge patch.
  8872. items:
  8873. type: string
  8874. type: array
  8875. x-kubernetes-list-type: atomic
  8876. required:
  8877. - key
  8878. - operator
  8879. type: object
  8880. type: array
  8881. x-kubernetes-list-type: atomic
  8882. matchLabels:
  8883. additionalProperties:
  8884. type: string
  8885. description: |-
  8886. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  8887. map is equivalent to an element of matchExpressions, whose key field is "key", the
  8888. operator is "In", and the values array contains only "value". The requirements are ANDed.
  8889. type: object
  8890. type: object
  8891. x-kubernetes-map-type: atomic
  8892. namespaces:
  8893. description: Choose namespaces by name
  8894. items:
  8895. maxLength: 63
  8896. minLength: 1
  8897. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8898. type: string
  8899. type: array
  8900. type: object
  8901. type: array
  8902. controller:
  8903. description: |-
  8904. Used to select the correct ESO controller (think: ingress.ingressClassName).
  8905. The ESO controller is instantiated with a specific controller name and filters ES based on this property.
  8906. type: string
  8907. provider:
  8908. description: Used to configure the provider. Only one provider may be set
  8909. maxProperties: 1
  8910. minProperties: 1
  8911. properties:
  8912. akeyless:
  8913. description: Akeyless configures this store to sync secrets using Akeyless Vault provider
  8914. properties:
  8915. akeylessGWApiURL:
  8916. description: Akeyless GW API URL from which the secrets are to be fetched.
  8917. type: string
  8918. authSecretRef:
  8919. description: Auth configures how the operator authenticates with Akeyless.
  8920. properties:
  8921. kubernetesAuth:
  8922. description: |-
  8923. Kubernetes authenticates with Akeyless by passing the ServiceAccount
  8924. token stored in the named Secret resource.
  8925. properties:
  8926. accessID:
  8927. description: The Akeyless Kubernetes auth-method access-id
  8928. type: string
  8929. k8sConfName:
  8930. description: Kubernetes-auth configuration name in Akeyless-Gateway
  8931. type: string
  8932. secretRef:
  8933. description: |-
  8934. Optional secret field containing a Kubernetes ServiceAccount JWT used
  8935. for authenticating with Akeyless. If a name is specified without a key,
  8936. `token` is the default. If one is not specified, the one bound to
  8937. the controller will be used.
  8938. properties:
  8939. key:
  8940. description: |-
  8941. A key in the referenced Secret.
  8942. Some instances of this field may be defaulted, in others it may be required.
  8943. maxLength: 253
  8944. minLength: 1
  8945. pattern: ^[-._a-zA-Z0-9]+$
  8946. type: string
  8947. name:
  8948. description: The name of the Secret resource being referred to.
  8949. maxLength: 253
  8950. minLength: 1
  8951. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8952. type: string
  8953. namespace:
  8954. description: |-
  8955. The namespace of the Secret resource being referred to.
  8956. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8957. maxLength: 63
  8958. minLength: 1
  8959. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8960. type: string
  8961. type: object
  8962. serviceAccountRef:
  8963. description: |-
  8964. Optional service account field containing the name of a kubernetes ServiceAccount.
  8965. If the service account is specified, the service account secret token JWT will be used
  8966. for authenticating with Akeyless. If the service account selector is not supplied,
  8967. the secretRef will be used instead.
  8968. properties:
  8969. audiences:
  8970. description: |-
  8971. Audience specifies the `aud` claim for the service account token.
  8972. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity,
  8973. then these audiences will be appended to the list.
  8974. items:
  8975. type: string
  8976. type: array
  8977. name:
  8978. description: The name of the ServiceAccount resource being referred to.
  8979. maxLength: 253
  8980. minLength: 1
  8981. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8982. type: string
  8983. namespace:
  8984. description: |-
  8985. Namespace of the resource being referred to.
  8986. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8987. maxLength: 63
  8988. minLength: 1
  8989. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8990. type: string
  8991. required:
  8992. - name
  8993. type: object
  8994. required:
  8995. - accessID
  8996. - k8sConfName
  8997. type: object
  8998. secretRef:
  8999. description: |-
  9000. Reference to a Secret that contains the details
  9001. to authenticate with Akeyless.
  9002. properties:
  9003. accessID:
  9004. description: The SecretAccessID is used for authentication
  9005. properties:
  9006. key:
  9007. description: |-
  9008. A key in the referenced Secret.
  9009. Some instances of this field may be defaulted, in others it may be required.
  9010. maxLength: 253
  9011. minLength: 1
  9012. pattern: ^[-._a-zA-Z0-9]+$
  9013. type: string
  9014. name:
  9015. description: The name of the Secret resource being referred to.
  9016. maxLength: 253
  9017. minLength: 1
  9018. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9019. type: string
  9020. namespace:
  9021. description: |-
  9022. The namespace of the Secret resource being referred to.
  9023. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9024. maxLength: 63
  9025. minLength: 1
  9026. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9027. type: string
  9028. type: object
  9029. accessType:
  9030. description: |-
  9031. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  9032. In some instances, `key` is a required field.
  9033. properties:
  9034. key:
  9035. description: |-
  9036. A key in the referenced Secret.
  9037. Some instances of this field may be defaulted, in others it may be required.
  9038. maxLength: 253
  9039. minLength: 1
  9040. pattern: ^[-._a-zA-Z0-9]+$
  9041. type: string
  9042. name:
  9043. description: The name of the Secret resource being referred to.
  9044. maxLength: 253
  9045. minLength: 1
  9046. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9047. type: string
  9048. namespace:
  9049. description: |-
  9050. The namespace of the Secret resource being referred to.
  9051. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9052. maxLength: 63
  9053. minLength: 1
  9054. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9055. type: string
  9056. type: object
  9057. accessTypeParam:
  9058. description: |-
  9059. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  9060. In some instances, `key` is a required field.
  9061. properties:
  9062. key:
  9063. description: |-
  9064. A key in the referenced Secret.
  9065. Some instances of this field may be defaulted, in others it may be required.
  9066. maxLength: 253
  9067. minLength: 1
  9068. pattern: ^[-._a-zA-Z0-9]+$
  9069. type: string
  9070. name:
  9071. description: The name of the Secret resource being referred to.
  9072. maxLength: 253
  9073. minLength: 1
  9074. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9075. type: string
  9076. namespace:
  9077. description: |-
  9078. The namespace of the Secret resource being referred to.
  9079. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9080. maxLength: 63
  9081. minLength: 1
  9082. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9083. type: string
  9084. type: object
  9085. type: object
  9086. type: object
  9087. caBundle:
  9088. description: |-
  9089. PEM/base64 encoded CA bundle used to validate the Akeyless Gateway certificate. Only used
  9090. if the AkeylessGWApiURL uses the HTTPS protocol. If not set, the system root certificates
  9091. are used to validate the TLS connection.
  9092. format: byte
  9093. type: string
  9094. caProvider:
  9095. description: The provider for the CA bundle to use to validate Akeyless Gateway certificate.
  9096. properties:
  9097. key:
  9098. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  9099. maxLength: 253
  9100. minLength: 1
  9101. pattern: ^[-._a-zA-Z0-9]+$
  9102. type: string
  9103. name:
  9104. description: The name of the object located at the provider type.
  9105. maxLength: 253
  9106. minLength: 1
  9107. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9108. type: string
  9109. namespace:
  9110. description: |-
  9111. The namespace the Provider type is in.
  9112. Can only be defined when used in a ClusterSecretStore.
  9113. maxLength: 63
  9114. minLength: 1
  9115. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9116. type: string
  9117. type:
  9118. description: The type of provider to use such as "Secret", or "ConfigMap".
  9119. enum:
  9120. - Secret
  9121. - ConfigMap
  9122. type: string
  9123. required:
  9124. - name
  9125. - type
  9126. type: object
  9127. required:
  9128. - akeylessGWApiURL
  9129. - authSecretRef
  9130. type: object
  9131. alibaba:
  9132. description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
  9133. properties:
  9134. auth:
  9135. description: AlibabaAuth contains a secretRef for credentials.
  9136. properties:
  9137. rrsa:
  9138. description: AlibabaRRSAAuth authenticates against Alibaba using RRSA (Resource-oriented RAM-based Service Authentication).
  9139. properties:
  9140. oidcProviderArn:
  9141. type: string
  9142. oidcTokenFilePath:
  9143. type: string
  9144. roleArn:
  9145. type: string
  9146. sessionName:
  9147. type: string
  9148. required:
  9149. - oidcProviderArn
  9150. - oidcTokenFilePath
  9151. - roleArn
  9152. - sessionName
  9153. type: object
  9154. secretRef:
  9155. description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
  9156. properties:
  9157. accessKeyIDSecretRef:
  9158. description: The AccessKeyID is used for authentication
  9159. properties:
  9160. key:
  9161. description: |-
  9162. A key in the referenced Secret.
  9163. Some instances of this field may be defaulted, in others it may be required.
  9164. maxLength: 253
  9165. minLength: 1
  9166. pattern: ^[-._a-zA-Z0-9]+$
  9167. type: string
  9168. name:
  9169. description: The name of the Secret resource being referred to.
  9170. maxLength: 253
  9171. minLength: 1
  9172. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9173. type: string
  9174. namespace:
  9175. description: |-
  9176. The namespace of the Secret resource being referred to.
  9177. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9178. maxLength: 63
  9179. minLength: 1
  9180. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9181. type: string
  9182. type: object
  9183. accessKeySecretSecretRef:
  9184. description: The AccessKeySecret is used for authentication
  9185. properties:
  9186. key:
  9187. description: |-
  9188. A key in the referenced Secret.
  9189. Some instances of this field may be defaulted, in others it may be required.
  9190. maxLength: 253
  9191. minLength: 1
  9192. pattern: ^[-._a-zA-Z0-9]+$
  9193. type: string
  9194. name:
  9195. description: The name of the Secret resource being referred to.
  9196. maxLength: 253
  9197. minLength: 1
  9198. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9199. type: string
  9200. namespace:
  9201. description: |-
  9202. The namespace of the Secret resource being referred to.
  9203. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9204. maxLength: 63
  9205. minLength: 1
  9206. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9207. type: string
  9208. type: object
  9209. required:
  9210. - accessKeyIDSecretRef
  9211. - accessKeySecretSecretRef
  9212. type: object
  9213. type: object
  9214. regionID:
  9215. description: Alibaba Region to be used for the provider
  9216. type: string
  9217. required:
  9218. - auth
  9219. - regionID
  9220. type: object
  9221. aws:
  9222. description: AWS configures this store to sync secrets using AWS Secret Manager provider
  9223. properties:
  9224. additionalRoles:
  9225. description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role
  9226. items:
  9227. type: string
  9228. type: array
  9229. auth:
  9230. description: |-
  9231. Auth defines the information necessary to authenticate against AWS.
  9232. If not set, the AWS SDK will infer credentials from the environment;
  9233. see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
  9234. properties:
  9235. jwt:
  9236. description: AWSJWTAuth authenticates against AWS using service account tokens from the Kubernetes cluster.
  9237. properties:
  9238. serviceAccountRef:
  9239. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  9240. properties:
  9241. audiences:
  9242. description: |-
  9243. Audience specifies the `aud` claim for the service account token.
  9244. If the service account uses a well-known annotation, e.g. for IRSA or GCP Workload Identity,
  9245. then these audiences will be appended to the list.
  9246. items:
  9247. type: string
  9248. type: array
  9249. name:
  9250. description: The name of the ServiceAccount resource being referred to.
  9251. maxLength: 253
  9252. minLength: 1
  9253. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9254. type: string
  9255. namespace:
  9256. description: |-
  9257. Namespace of the resource being referred to.
  9258. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9259. maxLength: 63
  9260. minLength: 1
  9261. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9262. type: string
  9263. required:
  9264. - name
  9265. type: object
  9266. type: object
  9267. secretRef:
  9268. description: |-
  9269. AWSAuthSecretRef holds secret references for AWS credentials.
  9270. Both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  9271. properties:
  9272. accessKeyIDSecretRef:
  9273. description: The AccessKeyID is used for authentication
  9274. properties:
  9275. key:
  9276. description: |-
  9277. A key in the referenced Secret.
  9278. Some instances of this field may be defaulted, in others it may be required.
  9279. maxLength: 253
  9280. minLength: 1
  9281. pattern: ^[-._a-zA-Z0-9]+$
  9282. type: string
  9283. name:
  9284. description: The name of the Secret resource being referred to.
  9285. maxLength: 253
  9286. minLength: 1
  9287. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9288. type: string
  9289. namespace:
  9290. description: |-
  9291. The namespace of the Secret resource being referred to.
  9292. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9293. maxLength: 63
  9294. minLength: 1
  9295. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9296. type: string
  9297. type: object
  9298. secretAccessKeySecretRef:
  9299. description: The SecretAccessKey is used for authentication
  9300. properties:
  9301. key:
  9302. description: |-
  9303. A key in the referenced Secret.
  9304. Some instances of this field may be defaulted, in others it may be required.
  9305. maxLength: 253
  9306. minLength: 1
  9307. pattern: ^[-._a-zA-Z0-9]+$
  9308. type: string
  9309. name:
  9310. description: The name of the Secret resource being referred to.
  9311. maxLength: 253
  9312. minLength: 1
  9313. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9314. type: string
  9315. namespace:
  9316. description: |-
  9317. The namespace of the Secret resource being referred to.
  9318. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9319. maxLength: 63
  9320. minLength: 1
  9321. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9322. type: string
  9323. type: object
  9324. sessionTokenSecretRef:
  9325. description: |-
  9326. The SessionToken used for authentication.
  9327. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials;
  9328. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  9329. properties:
  9330. key:
  9331. description: |-
  9332. A key in the referenced Secret.
  9333. Some instances of this field may be defaulted, in others it may be required.
  9334. maxLength: 253
  9335. minLength: 1
  9336. pattern: ^[-._a-zA-Z0-9]+$
  9337. type: string
  9338. name:
  9339. description: The name of the Secret resource being referred to.
  9340. maxLength: 253
  9341. minLength: 1
  9342. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9343. type: string
  9344. namespace:
  9345. description: |-
  9346. The namespace of the Secret resource being referred to.
  9347. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9348. maxLength: 63
  9349. minLength: 1
  9350. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9351. type: string
  9352. type: object
  9353. type: object
  9354. type: object
  9355. externalID:
  9356. description: AWS External ID set on assumed IAM roles
  9357. type: string
  9358. prefix:
  9359. description: Prefix adds a prefix to all retrieved values.
  9360. type: string
  9361. region:
  9362. description: AWS Region to be used for the provider
  9363. type: string
  9364. role:
  9365. description: Role is a Role ARN which the provider will assume
  9366. type: string
  9367. secretsManager:
  9368. description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager
  9369. properties:
  9370. forceDeleteWithoutRecovery:
  9371. description: |-
  9372. Specifies whether to delete the secret without any recovery window. You
  9373. can't use both this parameter and RecoveryWindowInDays in the same call.
  9374. If you don't use either, then by default Secrets Manager uses a 30 day
  9375. recovery window.
  9376. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery
  9377. type: boolean
  9378. recoveryWindowInDays:
  9379. description: |-
  9380. The number of days from 7 to 30 that Secrets Manager waits before
  9381. permanently deleting the secret. You can't use both this parameter and
  9382. ForceDeleteWithoutRecovery in the same call. If you don't use either,
  9383. then by default Secrets Manager uses a 30 day recovery window.
  9384. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays
  9385. format: int64
  9386. type: integer
  9387. type: object
  9388. service:
  9389. description: Service defines which service should be used to fetch the secrets
  9390. enum:
  9391. - SecretsManager
  9392. - ParameterStore
  9393. type: string
  9394. sessionTags:
  9395. description: AWS STS assume role session tags
  9396. items:
  9397. description: Tag defines a tag key and value for AWS resources.
  9398. properties:
  9399. key:
  9400. type: string
  9401. value:
  9402. type: string
  9403. required:
  9404. - key
  9405. - value
  9406. type: object
  9407. type: array
  9408. transitiveTagKeys:
  9409. description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider
  9410. items:
  9411. type: string
  9412. type: array
  9413. required:
  9414. - region
  9415. - service
  9416. type: object
  9417. azurekv:
  9418. description: AzureKV configures this store to sync secrets using Azure Key Vault provider
  9419. properties:
  9420. authSecretRef:
  9421. description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
  9422. properties:
  9423. clientCertificate:
  9424. description: The Azure ClientCertificate of the service principal used for authentication.
  9425. properties:
  9426. key:
  9427. description: |-
  9428. A key in the referenced Secret.
  9429. Some instances of this field may be defaulted, in others it may be required.
  9430. maxLength: 253
  9431. minLength: 1
  9432. pattern: ^[-._a-zA-Z0-9]+$
  9433. type: string
  9434. name:
  9435. description: The name of the Secret resource being referred to.
  9436. maxLength: 253
  9437. minLength: 1
  9438. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9439. type: string
  9440. namespace:
  9441. description: |-
  9442. The namespace of the Secret resource being referred to.
  9443. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9444. maxLength: 63
  9445. minLength: 1
  9446. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9447. type: string
  9448. type: object
  9449. clientId:
  9450. description: The Azure clientId of the service principal or managed identity used for authentication.
  9451. properties:
  9452. key:
  9453. description: |-
  9454. A key in the referenced Secret.
  9455. Some instances of this field may be defaulted, in others it may be required.
  9456. maxLength: 253
  9457. minLength: 1
  9458. pattern: ^[-._a-zA-Z0-9]+$
  9459. type: string
  9460. name:
  9461. description: The name of the Secret resource being referred to.
  9462. maxLength: 253
  9463. minLength: 1
  9464. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9465. type: string
  9466. namespace:
  9467. description: |-
  9468. The namespace of the Secret resource being referred to.
  9469. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9470. maxLength: 63
  9471. minLength: 1
  9472. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9473. type: string
  9474. type: object
  9475. clientSecret:
  9476. description: The Azure ClientSecret of the service principal used for authentication.
  9477. properties:
  9478. key:
  9479. description: |-
  9480. A key in the referenced Secret.
  9481. Some instances of this field may be defaulted, in others it may be required.
  9482. maxLength: 253
  9483. minLength: 1
  9484. pattern: ^[-._a-zA-Z0-9]+$
  9485. type: string
  9486. name:
  9487. description: The name of the Secret resource being referred to.
  9488. maxLength: 253
  9489. minLength: 1
  9490. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9491. type: string
  9492. namespace:
  9493. description: |-
  9494. The namespace of the Secret resource being referred to.
  9495. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9496. maxLength: 63
  9497. minLength: 1
  9498. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9499. type: string
  9500. type: object
  9501. tenantId:
  9502. description: The Azure tenantId of the managed identity used for authentication.
  9503. properties:
  9504. key:
  9505. description: |-
  9506. A key in the referenced Secret.
  9507. Some instances of this field may be defaulted, in others it may be required.
  9508. maxLength: 253
  9509. minLength: 1
  9510. pattern: ^[-._a-zA-Z0-9]+$
  9511. type: string
  9512. name:
  9513. description: The name of the Secret resource being referred to.
  9514. maxLength: 253
  9515. minLength: 1
  9516. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9517. type: string
  9518. namespace:
  9519. description: |-
  9520. The namespace of the Secret resource being referred to.
  9521. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9522. maxLength: 63
  9523. minLength: 1
  9524. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9525. type: string
  9526. type: object
  9527. type: object
  9528. authType:
  9529. default: ServicePrincipal
  9530. description: |-
  9531. Auth type defines how to authenticate to the keyvault service.
  9532. Valid values are:
  9533. - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
  9534. - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
        - "WorkloadIdentity": Using the service account referenced by serviceAccountRef
  9535. enum:
  9536. - ServicePrincipal
  9537. - ManagedIdentity
  9538. - WorkloadIdentity
  9539. type: string
  9540. environmentType:
  9541. default: PublicCloud
  9542. description: |-
  9543. EnvironmentType specifies the Azure cloud environment endpoints to use for
  9544. connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
  9545. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
  9546. PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
  9547. enum:
  9548. - PublicCloud
  9549. - USGovernmentCloud
  9550. - ChinaCloud
  9551. - GermanCloud
  9552. type: string
  9553. identityId:
  9554. description: If multiple Managed Identities are assigned to the pod, this selects the one to be used.
  9555. type: string
  9556. serviceAccountRef:
  9557. description: |-
  9558. ServiceAccountRef specifies the service account
  9559. that should be used when authenticating with WorkloadIdentity.
  9560. properties:
  9561. audiences:
  9562. description: |-
  9563. Audience specifies the `aud` claim for the service account token.
  9564. If the service account uses a well-known annotation, e.g. for IRSA or GCP Workload Identity,
  9565. then these audiences will be appended to the list.
  9566. items:
  9567. type: string
  9568. type: array
  9569. name:
  9570. description: The name of the ServiceAccount resource being referred to.
  9571. maxLength: 253
  9572. minLength: 1
  9573. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9574. type: string
  9575. namespace:
  9576. description: |-
  9577. Namespace of the resource being referred to.
  9578. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9579. maxLength: 63
  9580. minLength: 1
  9581. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9582. type: string
  9583. required:
  9584. - name
  9585. type: object
  9586. tenantId:
  9587. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
  9588. type: string
  9589. vaultUrl:
  9590. description: Vault URL from which the secrets are to be fetched.
  9591. type: string
  9592. required:
  9593. - vaultUrl
  9594. type: object
  9595. beyondtrust:
  9596. description: Beyondtrust configures this store to sync secrets using Password Safe provider.
  9597. properties:
  9598. auth:
  9599. description: Auth configures how the operator authenticates with Beyondtrust.
  9600. properties:
  9601. apiKey:
  9602. description: APIKey. If not provided, then ClientID/ClientSecret become required.
  9603. properties:
  9604. secretRef:
  9605. description: SecretRef references a key in a secret that will be used as value.
  9606. properties:
  9607. key:
  9608. description: |-
  9609. A key in the referenced Secret.
  9610. Some instances of this field may be defaulted, in others it may be required.
  9611. maxLength: 253
  9612. minLength: 1
  9613. pattern: ^[-._a-zA-Z0-9]+$
  9614. type: string
  9615. name:
  9616. description: The name of the Secret resource being referred to.
  9617. maxLength: 253
  9618. minLength: 1
  9619. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9620. type: string
  9621. namespace:
  9622. description: |-
  9623. The namespace of the Secret resource being referred to.
  9624. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9625. maxLength: 63
  9626. minLength: 1
  9627. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9628. type: string
  9629. type: object
  9630. value:
  9631. description: Value can be specified directly to set a value without using a secret.
  9632. type: string
  9633. type: object
  9634. certificate:
  9635. description: Certificate (cert.pem) for use when authenticating with an OAuth client Id using a Client Certificate.
  9636. properties:
  9637. secretRef:
  9638. description: SecretRef references a key in a secret that will be used as value.
  9639. properties:
  9640. key:
  9641. description: |-
  9642. A key in the referenced Secret.
  9643. Some instances of this field may be defaulted, in others it may be required.
  9644. maxLength: 253
  9645. minLength: 1
  9646. pattern: ^[-._a-zA-Z0-9]+$
  9647. type: string
  9648. name:
  9649. description: The name of the Secret resource being referred to.
  9650. maxLength: 253
  9651. minLength: 1
  9652. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9653. type: string
  9654. namespace:
  9655. description: |-
  9656. The namespace of the Secret resource being referred to.
  9657. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9658. maxLength: 63
  9659. minLength: 1
  9660. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9661. type: string
  9662. type: object
  9663. value:
  9664. description: Value can be specified directly to set a value without using a secret.
  9665. type: string
  9666. type: object
  9667. certificateKey:
  9668. description: Certificate private key (key.pem). For use when authenticating with an OAuth client Id.
  9669. properties:
  9670. secretRef:
  9671. description: SecretRef references a key in a secret that will be used as value.
  9672. properties:
  9673. key:
  9674. description: |-
  9675. A key in the referenced Secret.
  9676. Some instances of this field may be defaulted, in others it may be required.
  9677. maxLength: 253
  9678. minLength: 1
  9679. pattern: ^[-._a-zA-Z0-9]+$
  9680. type: string
  9681. name:
  9682. description: The name of the Secret resource being referred to.
  9683. maxLength: 253
  9684. minLength: 1
  9685. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9686. type: string
  9687. namespace:
  9688. description: |-
  9689. The namespace of the Secret resource being referred to.
  9690. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9691. maxLength: 63
  9692. minLength: 1
  9693. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9694. type: string
  9695. type: object
  9696. value:
  9697. description: Value can be specified directly to set a value without using a secret.
  9698. type: string
  9699. type: object
  9700. clientId:
  9701. description: ClientID is the API OAuth Client ID.
  9702. properties:
  9703. secretRef:
  9704. description: SecretRef references a key in a secret that will be used as value.
  9705. properties:
  9706. key:
  9707. description: |-
  9708. A key in the referenced Secret.
  9709. Some instances of this field may be defaulted, in others it may be required.
  9710. maxLength: 253
  9711. minLength: 1
  9712. pattern: ^[-._a-zA-Z0-9]+$
  9713. type: string
  9714. name:
  9715. description: The name of the Secret resource being referred to.
  9716. maxLength: 253
  9717. minLength: 1
  9718. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9719. type: string
  9720. namespace:
  9721. description: |-
  9722. The namespace of the Secret resource being referred to.
  9723. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9724. maxLength: 63
  9725. minLength: 1
  9726. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9727. type: string
  9728. type: object
  9729. value:
  9730. description: Value can be specified directly to set a value without using a secret.
  9731. type: string
  9732. type: object
  9733. clientSecret:
  9734. description: ClientSecret is the API OAuth Client Secret.
  9735. properties:
  9736. secretRef:
  9737. description: SecretRef references a key in a secret that will be used as value.
  9738. properties:
  9739. key:
  9740. description: |-
  9741. A key in the referenced Secret.
  9742. Some instances of this field may be defaulted, in others it may be required.
  9743. maxLength: 253
  9744. minLength: 1
  9745. pattern: ^[-._a-zA-Z0-9]+$
  9746. type: string
  9747. name:
  9748. description: The name of the Secret resource being referred to.
  9749. maxLength: 253
  9750. minLength: 1
  9751. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9752. type: string
  9753. namespace:
  9754. description: |-
  9755. The namespace of the Secret resource being referred to.
  9756. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9757. maxLength: 63
  9758. minLength: 1
  9759. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9760. type: string
  9761. type: object
  9762. value:
  9763. description: Value can be specified directly to set a value without using a secret.
  9764. type: string
  9765. type: object
  9766. type: object
  9767. server:
  9768. description: Server configures how the API server is reached.
  9769. properties:
  9770. apiUrl:
  9771. type: string
  9772. apiVersion:
  9773. type: string
  9774. clientTimeOutSeconds:
  9775. description: Timeout specifies a time limit for requests made by this Client. The timeout includes connection time, any redirects, and reading the response body. Defaults to 45 seconds.
  9776. type: integer
  9777. decrypt:
  9778. default: true
  9779. description: 'When true, the response includes the decrypted password. When false, the password field is omitted. This option only applies to the SECRET retrieval type. Default: true.'
  9780. type: boolean
  9781. retrievalType:
  9782. description: The secret retrieval type. SECRET = Secrets Safe (credential, text, file). MANAGED_ACCOUNT = Password Safe account associated with a system.
  9783. type: string
  9784. separator:
  9785. description: A character that separates the folder names.
  9786. type: string
  9787. verifyCA:
  9788. type: boolean
  9789. required:
  9790. - apiUrl
  9791. - verifyCA
  9792. type: object
  9793. required:
  9794. - auth
  9795. - server
  9796. type: object
  9797. bitwardensecretsmanager:
  9798. description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider
  9799. properties:
  9800. apiURL:
  9801. type: string
  9802. auth:
  9803. description: |-
  9804. Auth configures how secret-manager authenticates with a bitwarden machine account instance.
  9805. Make sure that the token being used has permissions on the given secret.
  9806. properties:
  9807. secretRef:
  9808. description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance.
  9809. properties:
  9810. credentials:
  9811. description: AccessToken used for the bitwarden instance.
  9812. properties:
  9813. key:
  9814. description: |-
  9815. A key in the referenced Secret.
  9816. Some instances of this field may be defaulted, in others it may be required.
  9817. maxLength: 253
  9818. minLength: 1
  9819. pattern: ^[-._a-zA-Z0-9]+$
  9820. type: string
  9821. name:
  9822. description: The name of the Secret resource being referred to.
  9823. maxLength: 253
  9824. minLength: 1
  9825. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9826. type: string
  9827. namespace:
  9828. description: |-
  9829. The namespace of the Secret resource being referred to.
  9830. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9831. maxLength: 63
  9832. minLength: 1
  9833. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9834. type: string
  9835. type: object
  9836. required:
  9837. - credentials
  9838. type: object
  9839. required:
  9840. - secretRef
  9841. type: object
  9842. bitwardenServerSDKURL:
  9843. type: string
  9844. caBundle:
  9845. description: |-
  9846. Base64-encoded certificate for the Bitwarden server SDK. The SDK MUST run over HTTPS to make sure no MITM attack
  9847. can be performed.
  9848. type: string
  9849. caProvider:
  9850. description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider'
  9851. properties:
  9852. key:
  9853. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  9854. maxLength: 253
  9855. minLength: 1
  9856. pattern: ^[-._a-zA-Z0-9]+$
  9857. type: string
  9858. name:
  9859. description: The name of the object located at the provider type.
  9860. maxLength: 253
  9861. minLength: 1
  9862. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9863. type: string
  9864. namespace:
  9865. description: |-
  9866. The namespace the Provider type is in.
  9867. Can only be defined when used in a ClusterSecretStore.
  9868. maxLength: 63
  9869. minLength: 1
  9870. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9871. type: string
  9872. type:
  9873. description: The type of provider to use such as "Secret", or "ConfigMap".
  9874. enum:
  9875. - Secret
  9876. - ConfigMap
  9877. type: string
  9878. required:
  9879. - name
  9880. - type
  9881. type: object
  9882. identityURL:
  9883. type: string
  9884. organizationID:
  9885. description: OrganizationID determines which organization this secret store manages.
  9886. type: string
  9887. projectID:
  9888. description: ProjectID determines which project this secret store manages.
  9889. type: string
  9890. required:
  9891. - auth
  9892. - organizationID
  9893. - projectID
  9894. type: object
  9895. chef:
  9896. description: Chef configures this store to sync secrets with chef server
  9897. properties:
  9898. auth:
  9899. description: Auth defines the information necessary to authenticate against chef Server
  9900. properties:
  9901. secretRef:
  9902. description: ChefAuthSecretRef holds secret references for chef server login credentials.
  9903. properties:
  9904. privateKeySecretRef:
  9905. description: SecretKey is the Signing Key in PEM format, used for authentication.
  9906. properties:
  9907. key:
  9908. description: |-
  9909. A key in the referenced Secret.
  9910. Some instances of this field may be defaulted, in others it may be required.
  9911. maxLength: 253
  9912. minLength: 1
  9913. pattern: ^[-._a-zA-Z0-9]+$
  9914. type: string
  9915. name:
  9916. description: The name of the Secret resource being referred to.
  9917. maxLength: 253
  9918. minLength: 1
  9919. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9920. type: string
  9921. namespace:
  9922. description: |-
  9923. The namespace of the Secret resource being referred to.
  9924. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9925. maxLength: 63
  9926. minLength: 1
  9927. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9928. type: string
  9929. type: object
  9930. required:
  9931. - privateKeySecretRef
  9932. type: object
  9933. required:
  9934. - secretRef
  9935. type: object
  9936. serverUrl:
9937. description: ServerURL is the Chef server URL to connect to. If using orgs, include your org in the URL and terminate the URL with a "/"
  9938. type: string
  9939. username:
9940. description: UserName should be the user ID on the Chef server
  9941. type: string
  9942. required:
  9943. - auth
  9944. - serverUrl
  9945. - username
  9946. type: object
  9947. cloudrusm:
  9948. description: CloudruSM configures this store to sync secrets using the Cloud.ru Secret Manager provider
  9949. properties:
  9950. auth:
  9951. description: CSMAuth contains a secretRef for credentials.
  9952. properties:
  9953. secretRef:
  9954. description: CSMAuthSecretRef holds secret references for Cloud.ru credentials.
  9955. properties:
  9956. accessKeyIDSecretRef:
  9957. description: The AccessKeyID is used for authentication
  9958. properties:
  9959. key:
  9960. description: |-
  9961. A key in the referenced Secret.
  9962. Some instances of this field may be defaulted, in others it may be required.
  9963. maxLength: 253
  9964. minLength: 1
  9965. pattern: ^[-._a-zA-Z0-9]+$
  9966. type: string
  9967. name:
  9968. description: The name of the Secret resource being referred to.
  9969. maxLength: 253
  9970. minLength: 1
  9971. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9972. type: string
  9973. namespace:
  9974. description: |-
  9975. The namespace of the Secret resource being referred to.
  9976. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9977. maxLength: 63
  9978. minLength: 1
  9979. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9980. type: string
  9981. type: object
  9982. accessKeySecretSecretRef:
  9983. description: The AccessKeySecret is used for authentication
  9984. properties:
  9985. key:
  9986. description: |-
  9987. A key in the referenced Secret.
  9988. Some instances of this field may be defaulted, in others it may be required.
  9989. maxLength: 253
  9990. minLength: 1
  9991. pattern: ^[-._a-zA-Z0-9]+$
  9992. type: string
  9993. name:
  9994. description: The name of the Secret resource being referred to.
  9995. maxLength: 253
  9996. minLength: 1
  9997. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9998. type: string
  9999. namespace:
  10000. description: |-
  10001. The namespace of the Secret resource being referred to.
  10002. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10003. maxLength: 63
  10004. minLength: 1
  10005. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10006. type: string
  10007. type: object
  10008. required:
  10009. - accessKeyIDSecretRef
  10010. - accessKeySecretSecretRef
  10011. type: object
  10012. type: object
  10013. projectID:
10014. description: ProjectID is the project in which the secrets are stored.
  10015. type: string
  10016. required:
  10017. - auth
  10018. type: object
  10019. conjur:
10020. description: Conjur configures this store to sync secrets using the Conjur provider
  10021. properties:
  10022. auth:
  10023. description: Defines authentication settings for connecting to Conjur.
  10024. properties:
  10025. apikey:
  10026. description: Authenticates with Conjur using an API key.
  10027. properties:
  10028. account:
  10029. description: Account is the Conjur organization account name.
  10030. type: string
  10031. apiKeyRef:
  10032. description: |-
  10033. A reference to a specific 'key' containing the Conjur API key
  10034. within a Secret resource. In some instances, `key` is a required field.
  10035. properties:
  10036. key:
  10037. description: |-
  10038. A key in the referenced Secret.
  10039. Some instances of this field may be defaulted, in others it may be required.
  10040. maxLength: 253
  10041. minLength: 1
  10042. pattern: ^[-._a-zA-Z0-9]+$
  10043. type: string
  10044. name:
  10045. description: The name of the Secret resource being referred to.
  10046. maxLength: 253
  10047. minLength: 1
  10048. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10049. type: string
  10050. namespace:
  10051. description: |-
  10052. The namespace of the Secret resource being referred to.
  10053. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10054. maxLength: 63
  10055. minLength: 1
  10056. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10057. type: string
  10058. type: object
  10059. userRef:
  10060. description: |-
  10061. A reference to a specific 'key' containing the Conjur username
  10062. within a Secret resource. In some instances, `key` is a required field.
  10063. properties:
  10064. key:
  10065. description: |-
  10066. A key in the referenced Secret.
  10067. Some instances of this field may be defaulted, in others it may be required.
  10068. maxLength: 253
  10069. minLength: 1
  10070. pattern: ^[-._a-zA-Z0-9]+$
  10071. type: string
  10072. name:
  10073. description: The name of the Secret resource being referred to.
  10074. maxLength: 253
  10075. minLength: 1
  10076. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10077. type: string
  10078. namespace:
  10079. description: |-
  10080. The namespace of the Secret resource being referred to.
  10081. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10082. maxLength: 63
  10083. minLength: 1
  10084. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10085. type: string
  10086. type: object
  10087. required:
  10088. - account
  10089. - apiKeyRef
  10090. - userRef
  10091. type: object
  10092. jwt:
  10093. description: Jwt enables JWT authentication using Kubernetes service account tokens.
  10094. properties:
  10095. account:
  10096. description: Account is the Conjur organization account name.
  10097. type: string
  10098. hostId:
  10099. description: |-
  10100. Optional HostID for JWT authentication. This may be used depending
  10101. on how the Conjur JWT authenticator policy is configured.
  10102. type: string
  10103. secretRef:
  10104. description: |-
  10105. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  10106. authenticate with Conjur using the JWT authentication method.
  10107. properties:
  10108. key:
  10109. description: |-
  10110. A key in the referenced Secret.
  10111. Some instances of this field may be defaulted, in others it may be required.
  10112. maxLength: 253
  10113. minLength: 1
  10114. pattern: ^[-._a-zA-Z0-9]+$
  10115. type: string
  10116. name:
  10117. description: The name of the Secret resource being referred to.
  10118. maxLength: 253
  10119. minLength: 1
  10120. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10121. type: string
  10122. namespace:
  10123. description: |-
  10124. The namespace of the Secret resource being referred to.
  10125. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10126. maxLength: 63
  10127. minLength: 1
  10128. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10129. type: string
  10130. type: object
  10131. serviceAccountRef:
  10132. description: |-
  10133. Optional ServiceAccountRef specifies the Kubernetes service account for which to request
  10134. a token for with the `TokenRequest` API.
  10135. properties:
  10136. audiences:
  10137. description: |-
10138. Audience specifies the `aud` claim for the service account token.
10139. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity,
10140. then these audiences will be appended to the list.
  10141. items:
  10142. type: string
  10143. type: array
  10144. name:
  10145. description: The name of the ServiceAccount resource being referred to.
  10146. maxLength: 253
  10147. minLength: 1
  10148. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10149. type: string
  10150. namespace:
  10151. description: |-
  10152. Namespace of the resource being referred to.
  10153. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10154. maxLength: 63
  10155. minLength: 1
  10156. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10157. type: string
  10158. required:
  10159. - name
  10160. type: object
  10161. serviceID:
10162. description: The Conjur authn-jwt webservice ID
  10163. type: string
  10164. required:
  10165. - account
  10166. - serviceID
  10167. type: object
  10168. type: object
  10169. caBundle:
  10170. description: CABundle is a PEM encoded CA bundle that will be used to validate the Conjur server certificate.
  10171. type: string
  10172. caProvider:
  10173. description: |-
  10174. Used to provide custom certificate authority (CA) certificates
  10175. for a secret store. The CAProvider points to a Secret or ConfigMap resource
  10176. that contains a PEM-encoded certificate.
  10177. properties:
  10178. key:
  10179. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  10180. maxLength: 253
  10181. minLength: 1
  10182. pattern: ^[-._a-zA-Z0-9]+$
  10183. type: string
  10184. name:
  10185. description: The name of the object located at the provider type.
  10186. maxLength: 253
  10187. minLength: 1
  10188. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10189. type: string
  10190. namespace:
  10191. description: |-
  10192. The namespace the Provider type is in.
  10193. Can only be defined when used in a ClusterSecretStore.
  10194. maxLength: 63
  10195. minLength: 1
  10196. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10197. type: string
  10198. type:
10199. description: The type of provider to use, such as "Secret" or "ConfigMap".
  10200. enum:
  10201. - Secret
  10202. - ConfigMap
  10203. type: string
  10204. required:
  10205. - name
  10206. - type
  10207. type: object
  10208. url:
  10209. description: URL is the endpoint of the Conjur instance.
  10210. type: string
  10211. required:
  10212. - auth
  10213. - url
  10214. type: object
  10215. delinea:
  10216. description: |-
  10217. Delinea DevOps Secrets Vault
  10218. https://docs.delinea.com/online-help/products/devops-secrets-vault/current
  10219. properties:
  10220. clientId:
  10221. description: ClientID is the non-secret part of the credential.
  10222. properties:
  10223. secretRef:
  10224. description: SecretRef references a key in a secret that will be used as value.
  10225. properties:
  10226. key:
  10227. description: |-
  10228. A key in the referenced Secret.
  10229. Some instances of this field may be defaulted, in others it may be required.
  10230. maxLength: 253
  10231. minLength: 1
  10232. pattern: ^[-._a-zA-Z0-9]+$
  10233. type: string
  10234. name:
  10235. description: The name of the Secret resource being referred to.
  10236. maxLength: 253
  10237. minLength: 1
  10238. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10239. type: string
  10240. namespace:
  10241. description: |-
  10242. The namespace of the Secret resource being referred to.
  10243. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10244. maxLength: 63
  10245. minLength: 1
  10246. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10247. type: string
  10248. type: object
  10249. value:
  10250. description: Value can be specified directly to set a value without using a secret.
  10251. type: string
  10252. type: object
  10253. clientSecret:
  10254. description: ClientSecret is the secret part of the credential.
  10255. properties:
  10256. secretRef:
  10257. description: SecretRef references a key in a secret that will be used as value.
  10258. properties:
  10259. key:
  10260. description: |-
  10261. A key in the referenced Secret.
  10262. Some instances of this field may be defaulted, in others it may be required.
  10263. maxLength: 253
  10264. minLength: 1
  10265. pattern: ^[-._a-zA-Z0-9]+$
  10266. type: string
  10267. name:
  10268. description: The name of the Secret resource being referred to.
  10269. maxLength: 253
  10270. minLength: 1
  10271. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10272. type: string
  10273. namespace:
  10274. description: |-
  10275. The namespace of the Secret resource being referred to.
  10276. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10277. maxLength: 63
  10278. minLength: 1
  10279. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10280. type: string
  10281. type: object
  10282. value:
  10283. description: Value can be specified directly to set a value without using a secret.
  10284. type: string
  10285. type: object
  10286. tenant:
  10287. description: Tenant is the chosen hostname / site name.
  10288. type: string
  10289. tld:
  10290. description: |-
  10291. TLD is based on the server location that was chosen during provisioning.
  10292. If unset, defaults to "com".
  10293. type: string
  10294. urlTemplate:
  10295. description: |-
  10296. URLTemplate
  10297. If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s".
  10298. type: string
  10299. required:
  10300. - clientId
  10301. - clientSecret
  10302. - tenant
  10303. type: object
  10304. device42:
  10305. description: Device42 configures this store to sync secrets using the Device42 provider
  10306. properties:
  10307. auth:
  10308. description: Auth configures how secret-manager authenticates with a Device42 instance.
  10309. properties:
  10310. secretRef:
  10311. description: Device42SecretRef defines a reference to a secret containing credentials for the Device42 provider.
  10312. properties:
  10313. credentials:
  10314. description: Username / Password is used for authentication.
  10315. properties:
  10316. key:
  10317. description: |-
  10318. A key in the referenced Secret.
  10319. Some instances of this field may be defaulted, in others it may be required.
  10320. maxLength: 253
  10321. minLength: 1
  10322. pattern: ^[-._a-zA-Z0-9]+$
  10323. type: string
  10324. name:
  10325. description: The name of the Secret resource being referred to.
  10326. maxLength: 253
  10327. minLength: 1
  10328. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10329. type: string
  10330. namespace:
  10331. description: |-
  10332. The namespace of the Secret resource being referred to.
  10333. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10334. maxLength: 63
  10335. minLength: 1
  10336. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10337. type: string
  10338. type: object
  10339. type: object
  10340. required:
  10341. - secretRef
  10342. type: object
  10343. host:
10344. description: Host configures the Device42 instance URL.
  10345. type: string
  10346. required:
  10347. - auth
  10348. - host
  10349. type: object
  10350. doppler:
  10351. description: Doppler configures this store to sync secrets using the Doppler provider
  10352. properties:
  10353. auth:
  10354. description: Auth configures how the Operator authenticates with the Doppler API
  10355. properties:
  10356. secretRef:
  10357. description: DopplerAuthSecretRef defines a reference to a secret containing credentials for the Doppler provider.
  10358. properties:
  10359. dopplerToken:
  10360. description: |-
  10361. The DopplerToken is used for authentication.
  10362. See https://docs.doppler.com/reference/api#authentication for auth token types.
  10363. The Key attribute defaults to dopplerToken if not specified.
  10364. properties:
  10365. key:
  10366. description: |-
  10367. A key in the referenced Secret.
  10368. Some instances of this field may be defaulted, in others it may be required.
  10369. maxLength: 253
  10370. minLength: 1
  10371. pattern: ^[-._a-zA-Z0-9]+$
  10372. type: string
  10373. name:
  10374. description: The name of the Secret resource being referred to.
  10375. maxLength: 253
  10376. minLength: 1
  10377. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10378. type: string
  10379. namespace:
  10380. description: |-
  10381. The namespace of the Secret resource being referred to.
  10382. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10383. maxLength: 63
  10384. minLength: 1
  10385. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10386. type: string
  10387. type: object
  10388. required:
  10389. - dopplerToken
  10390. type: object
  10391. required:
  10392. - secretRef
  10393. type: object
  10394. config:
  10395. description: Doppler config (required if not using a Service Token)
  10396. type: string
  10397. format:
10398. description: Format enables downloading secrets as a file (string)
  10399. enum:
  10400. - json
  10401. - dotnet-json
  10402. - env
  10403. - yaml
  10404. - docker
  10405. type: string
  10406. nameTransformer:
10407. description: Environment-variable-compatible name transforms that change secret names to a different format
  10408. enum:
  10409. - upper-camel
  10410. - camel
  10411. - lower-snake
  10412. - tf-var
  10413. - dotnet-env
  10414. - lower-kebab
  10415. type: string
  10416. project:
  10417. description: Doppler project (required if not using a Service Token)
  10418. type: string
  10419. required:
  10420. - auth
  10421. type: object
  10422. fake:
  10423. description: Fake configures a store with static key/value pairs
  10424. properties:
  10425. data:
  10426. items:
  10427. description: FakeProviderData defines a key-value pair for the fake provider used in testing.
  10428. properties:
  10429. key:
  10430. type: string
  10431. value:
  10432. type: string
  10433. version:
  10434. type: string
  10435. required:
  10436. - key
  10437. - value
  10438. type: object
  10439. type: array
  10440. required:
  10441. - data
  10442. type: object
  10443. fortanix:
  10444. description: Fortanix configures this store to sync secrets using the Fortanix provider
  10445. properties:
  10446. apiKey:
  10447. description: APIKey is the API token to access SDKMS Applications.
  10448. properties:
  10449. secretRef:
  10450. description: SecretRef is a reference to a secret containing the SDKMS API Key.
  10451. properties:
  10452. key:
  10453. description: |-
  10454. A key in the referenced Secret.
  10455. Some instances of this field may be defaulted, in others it may be required.
  10456. maxLength: 253
  10457. minLength: 1
  10458. pattern: ^[-._a-zA-Z0-9]+$
  10459. type: string
  10460. name:
  10461. description: The name of the Secret resource being referred to.
  10462. maxLength: 253
  10463. minLength: 1
  10464. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10465. type: string
  10466. namespace:
  10467. description: |-
  10468. The namespace of the Secret resource being referred to.
  10469. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10470. maxLength: 63
  10471. minLength: 1
  10472. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10473. type: string
  10474. type: object
  10475. type: object
  10476. apiUrl:
10477. description: APIURL is the URL of the SDKMS API. Defaults to `sdkms.fortanix.com`.
  10478. type: string
  10479. type: object
  10480. gcpsm:
10481. description: GCPSM configures this store to sync secrets using the Google Cloud Platform Secret Manager provider
  10482. properties:
  10483. auth:
  10484. description: Auth defines the information necessary to authenticate against GCP
  10485. properties:
  10486. secretRef:
  10487. description: GCPSMAuthSecretRef defines a reference to a secret containing credentials for the GCP Secret Manager provider.
  10488. properties:
  10489. secretAccessKeySecretRef:
  10490. description: The SecretAccessKey is used for authentication
  10491. properties:
  10492. key:
  10493. description: |-
  10494. A key in the referenced Secret.
  10495. Some instances of this field may be defaulted, in others it may be required.
  10496. maxLength: 253
  10497. minLength: 1
  10498. pattern: ^[-._a-zA-Z0-9]+$
  10499. type: string
  10500. name:
  10501. description: The name of the Secret resource being referred to.
  10502. maxLength: 253
  10503. minLength: 1
  10504. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10505. type: string
  10506. namespace:
  10507. description: |-
  10508. The namespace of the Secret resource being referred to.
  10509. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10510. maxLength: 63
  10511. minLength: 1
  10512. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10513. type: string
  10514. type: object
  10515. type: object
  10516. workloadIdentity:
  10517. description: GCPWorkloadIdentity defines configuration for using GCP Workload Identity authentication.
  10518. properties:
  10519. clusterLocation:
  10520. description: |-
  10521. ClusterLocation is the location of the cluster
  10522. If not specified, it fetches information from the metadata server
  10523. type: string
  10524. clusterName:
  10525. description: |-
  10526. ClusterName is the name of the cluster
  10527. If not specified, it fetches information from the metadata server
  10528. type: string
  10529. clusterProjectID:
  10530. description: |-
  10531. ClusterProjectID is the project ID of the cluster
  10532. If not specified, it fetches information from the metadata server
  10533. type: string
  10534. serviceAccountRef:
  10535. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  10536. properties:
  10537. audiences:
  10538. description: |-
10539. Audience specifies the `aud` claim for the service account token.
10540. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity,
10541. then these audiences will be appended to the list.
  10542. items:
  10543. type: string
  10544. type: array
  10545. name:
  10546. description: The name of the ServiceAccount resource being referred to.
  10547. maxLength: 253
  10548. minLength: 1
  10549. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10550. type: string
  10551. namespace:
  10552. description: |-
  10553. Namespace of the resource being referred to.
  10554. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10555. maxLength: 63
  10556. minLength: 1
  10557. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10558. type: string
  10559. required:
  10560. - name
  10561. type: object
  10562. required:
  10563. - serviceAccountRef
  10564. type: object
  10565. type: object
  10566. location:
  10567. description: Location optionally defines a location for a secret
  10568. type: string
  10569. projectID:
  10570. description: ProjectID project where secret is located
  10571. type: string
  10572. type: object
  10573. github:
  10574. description: Github configures this store to push GitHub Actions secrets using the GitHub API provider.
  10575. properties:
  10576. appID:
10577. description: appID specifies the GitHub App that will be used to authenticate the client
  10578. format: int64
  10579. type: integer
  10580. auth:
  10581. description: auth configures how secret-manager authenticates with a Github instance.
  10582. properties:
  10583. privateKey:
  10584. description: |-
  10585. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  10586. In some instances, `key` is a required field.
  10587. properties:
  10588. key:
  10589. description: |-
  10590. A key in the referenced Secret.
  10591. Some instances of this field may be defaulted, in others it may be required.
  10592. maxLength: 253
  10593. minLength: 1
  10594. pattern: ^[-._a-zA-Z0-9]+$
  10595. type: string
  10596. name:
  10597. description: The name of the Secret resource being referred to.
  10598. maxLength: 253
  10599. minLength: 1
  10600. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10601. type: string
  10602. namespace:
  10603. description: |-
  10604. The namespace of the Secret resource being referred to.
  10605. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10606. maxLength: 63
  10607. minLength: 1
  10608. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10609. type: string
  10610. type: object
  10611. required:
  10612. - privateKey
  10613. type: object
  10614. environment:
10615. description: environment will be used to fetch secrets from a particular environment within a GitHub repository
  10616. type: string
  10617. installationID:
10618. description: installationID specifies the GitHub App installation that will be used to authenticate the client
  10619. format: int64
  10620. type: integer
  10621. organization:
10622. description: organization will be used to fetch secrets from the GitHub organization
  10623. type: string
  10624. repository:
10625. description: repository will be used to fetch secrets from the GitHub repository within an organization
  10626. type: string
  10627. uploadURL:
10628. description: Upload URL for enterprise instances. Defaults to URL.
  10629. type: string
  10630. url:
  10631. default: https://github.com/
  10632. description: URL configures the Github instance URL. Defaults to https://github.com/.
  10633. type: string
  10634. required:
  10635. - appID
  10636. - auth
  10637. - installationID
  10638. - organization
  10639. type: object
  10640. gitlab:
10641. description: GitLab configures this store to sync secrets using the GitLab Variables provider
  10642. properties:
  10643. auth:
  10644. description: Auth configures how secret-manager authenticates with a GitLab instance.
  10645. properties:
  10646. SecretRef:
  10647. description: GitlabSecretRef defines a reference to a secret containing credentials for the GitLab provider.
  10648. properties:
  10649. accessToken:
  10650. description: AccessToken is used for authentication.
  10651. properties:
  10652. key:
  10653. description: |-
  10654. A key in the referenced Secret.
  10655. Some instances of this field may be defaulted, in others it may be required.
  10656. maxLength: 253
  10657. minLength: 1
  10658. pattern: ^[-._a-zA-Z0-9]+$
  10659. type: string
  10660. name:
  10661. description: The name of the Secret resource being referred to.
  10662. maxLength: 253
  10663. minLength: 1
  10664. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10665. type: string
  10666. namespace:
  10667. description: |-
  10668. The namespace of the Secret resource being referred to.
  10669. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10670. maxLength: 63
  10671. minLength: 1
  10672. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10673. type: string
  10674. type: object
  10675. type: object
  10676. required:
  10677. - SecretRef
  10678. type: object
  10679. caBundle:
  10680. description: |-
10681. Base64-encoded certificate for the GitLab server SDK. The SDK MUST run with HTTPS to make sure no MITM attack
10682. can be performed.
  10683. format: byte
  10684. type: string
  10685. caProvider:
  10686. description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider'
  10687. properties:
  10688. key:
  10689. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  10690. maxLength: 253
  10691. minLength: 1
  10692. pattern: ^[-._a-zA-Z0-9]+$
  10693. type: string
  10694. name:
  10695. description: The name of the object located at the provider type.
  10696. maxLength: 253
  10697. minLength: 1
  10698. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10699. type: string
  10700. namespace:
  10701. description: |-
  10702. The namespace the Provider type is in.
  10703. Can only be defined when used in a ClusterSecretStore.
  10704. maxLength: 63
  10705. minLength: 1
  10706. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10707. type: string
  10708. type:
10709. description: The type of provider to use, such as "Secret" or "ConfigMap".
  10710. enum:
  10711. - Secret
  10712. - ConfigMap
  10713. type: string
  10714. required:
  10715. - name
  10716. - type
  10717. type: object
  10718. environment:
10719. description: Environment is the environment_scope of GitLab CI/CD variables (see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments)
  10720. type: string
  10721. groupIDs:
10722. description: GroupIDs specify which GitLab groups to pull secrets from. Group secrets are read from left to right, followed by the project variables.
  10723. items:
  10724. type: string
  10725. type: array
  10726. inheritFromGroups:
  10727. description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets.
  10728. type: boolean
  10729. projectID:
  10730. description: ProjectID specifies a project where secrets are located.
  10731. type: string
  10732. url:
  10733. description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
  10734. type: string
  10735. required:
  10736. - auth
  10737. type: object
  10738. ibm:
10739. description: IBM configures this store to sync secrets using the IBM Cloud provider
  10740. properties:
  10741. auth:
  10742. description: Auth configures how secret-manager authenticates with the IBM secrets manager.
  10743. maxProperties: 1
  10744. minProperties: 1
  10745. properties:
  10746. containerAuth:
  10747. description: IBMAuthContainerAuth defines authentication using IBM Container-based auth with IAM Trusted Profile.
  10748. properties:
  10749. iamEndpoint:
  10750. type: string
  10751. profile:
10752. description: The IBM Trusted Profile
  10753. type: string
  10754. tokenLocation:
10755. description: Location where the token is mounted on the pod
  10756. type: string
  10757. required:
  10758. - profile
  10759. type: object
  10760. secretRef:
  10761. description: IBMAuthSecretRef defines a reference to a secret containing credentials for the IBM provider.
  10762. properties:
  10763. secretApiKeySecretRef:
10764. description: The SecretApiKey is used for authentication
  10765. properties:
  10766. key:
  10767. description: |-
  10768. A key in the referenced Secret.
  10769. Some instances of this field may be defaulted, in others it may be required.
  10770. maxLength: 253
  10771. minLength: 1
  10772. pattern: ^[-._a-zA-Z0-9]+$
  10773. type: string
  10774. name:
  10775. description: The name of the Secret resource being referred to.
  10776. maxLength: 253
  10777. minLength: 1
  10778. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10779. type: string
  10780. namespace:
  10781. description: |-
  10782. The namespace of the Secret resource being referred to.
  10783. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10784. maxLength: 63
  10785. minLength: 1
  10786. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10787. type: string
  10788. type: object
  10789. type: object
  10790. type: object
  10791. serviceUrl:
  10792. description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
  10793. type: string
  10794. required:
  10795. - auth
  10796. type: object
  10797. infisical:
  10798. description: Infisical configures this store to sync secrets using the Infisical provider
  10799. properties:
  10800. auth:
  10801. description: Auth configures how the Operator authenticates with the Infisical API
  10802. properties:
  10803. universalAuthCredentials:
  10804. description: UniversalAuthCredentials defines the credentials for Infisical Universal Auth.
  10805. properties:
  10806. clientId:
  10807. description: |-
  10808. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  10809. In some instances, `key` is a required field.
  10810. properties:
  10811. key:
  10812. description: |-
  10813. A key in the referenced Secret.
  10814. Some instances of this field may be defaulted, in others it may be required.
  10815. maxLength: 253
  10816. minLength: 1
  10817. pattern: ^[-._a-zA-Z0-9]+$
  10818. type: string
  10819. name:
  10820. description: The name of the Secret resource being referred to.
  10821. maxLength: 253
  10822. minLength: 1
  10823. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10824. type: string
  10825. namespace:
  10826. description: |-
  10827. The namespace of the Secret resource being referred to.
  10828. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10829. maxLength: 63
  10830. minLength: 1
  10831. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10832. type: string
  10833. type: object
  10834. clientSecret:
  10835. description: |-
  10836. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  10837. In some instances, `key` is a required field.
  10838. properties:
  10839. key:
  10840. description: |-
  10841. A key in the referenced Secret.
  10842. Some instances of this field may be defaulted, in others it may be required.
  10843. maxLength: 253
  10844. minLength: 1
  10845. pattern: ^[-._a-zA-Z0-9]+$
  10846. type: string
  10847. name:
  10848. description: The name of the Secret resource being referred to.
  10849. maxLength: 253
  10850. minLength: 1
  10851. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10852. type: string
  10853. namespace:
  10854. description: |-
  10855. The namespace of the Secret resource being referred to.
  10856. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10857. maxLength: 63
  10858. minLength: 1
  10859. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10860. type: string
  10861. type: object
  10862. required:
  10863. - clientId
  10864. - clientSecret
  10865. type: object
  10866. type: object
  10867. hostAPI:
  10868. default: https://app.infisical.com/api
  10869. description: HostAPI specifies the base URL of the Infisical API. If not provided, it defaults to "https://app.infisical.com/api".
  10870. type: string
  10871. secretsScope:
  10872. description: SecretsScope defines the scope of the secrets within the workspace
  10873. properties:
  10874. environmentSlug:
  10875. description: EnvironmentSlug is the required slug identifier for the environment.
  10876. type: string
  10877. expandSecretReferences:
  10878. default: true
  10879. description: ExpandSecretReferences indicates whether secret references should be expanded. Defaults to true if not provided.
  10880. type: boolean
  10881. projectSlug:
  10882. description: ProjectSlug is the required slug identifier for the project.
  10883. type: string
  10884. recursive:
  10885. default: false
  10886. description: Recursive indicates whether the secrets should be fetched recursively. Defaults to false if not provided.
  10887. type: boolean
  10888. secretsPath:
  10889. default: /
  10890. description: SecretsPath specifies the path to the secrets within the workspace. Defaults to "/" if not provided.
  10891. type: string
  10892. required:
  10893. - environmentSlug
  10894. - projectSlug
  10895. type: object
  10896. required:
  10897. - auth
  10898. - secretsScope
  10899. type: object
  10900. keepersecurity:
  10901. description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider
  10902. properties:
  10903. authRef:
  10904. description: |-
  10905. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  10906. In some instances, `key` is a required field.
  10907. properties:
  10908. key:
  10909. description: |-
  10910. A key in the referenced Secret.
  10911. Some instances of this field may be defaulted, in others it may be required.
  10912. maxLength: 253
  10913. minLength: 1
  10914. pattern: ^[-._a-zA-Z0-9]+$
  10915. type: string
  10916. name:
  10917. description: The name of the Secret resource being referred to.
  10918. maxLength: 253
  10919. minLength: 1
  10920. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10921. type: string
  10922. namespace:
  10923. description: |-
  10924. The namespace of the Secret resource being referred to.
  10925. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10926. maxLength: 63
  10927. minLength: 1
  10928. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10929. type: string
  10930. type: object
  10931. folderID:
  10932. type: string
  10933. required:
  10934. - authRef
  10935. - folderID
  10936. type: object
  10937. kubernetes:
  10938. description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
  10939. properties:
  10940. auth:
  10941. description: Auth configures how secret-manager authenticates with a Kubernetes instance.
  10942. maxProperties: 1
  10943. minProperties: 1
  10944. properties:
  10945. cert:
  10946. description: uses both clientCert and clientKey as secretKeySelector references
  10947. properties:
  10948. clientCert:
  10949. description: |-
  10950. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  10951. In some instances, `key` is a required field.
  10952. properties:
  10953. key:
  10954. description: |-
  10955. A key in the referenced Secret.
  10956. Some instances of this field may be defaulted, in others it may be required.
  10957. maxLength: 253
  10958. minLength: 1
  10959. pattern: ^[-._a-zA-Z0-9]+$
  10960. type: string
  10961. name:
  10962. description: The name of the Secret resource being referred to.
  10963. maxLength: 253
  10964. minLength: 1
  10965. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10966. type: string
  10967. namespace:
  10968. description: |-
  10969. The namespace of the Secret resource being referred to.
  10970. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10971. maxLength: 63
  10972. minLength: 1
  10973. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10974. type: string
  10975. type: object
  10976. clientKey:
  10977. description: |-
  10978. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  10979. In some instances, `key` is a required field.
  10980. properties:
  10981. key:
  10982. description: |-
  10983. A key in the referenced Secret.
  10984. Some instances of this field may be defaulted, in others it may be required.
  10985. maxLength: 253
  10986. minLength: 1
  10987. pattern: ^[-._a-zA-Z0-9]+$
  10988. type: string
  10989. name:
  10990. description: The name of the Secret resource being referred to.
  10991. maxLength: 253
  10992. minLength: 1
  10993. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10994. type: string
  10995. namespace:
  10996. description: |-
  10997. The namespace of the Secret resource being referred to.
  10998. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10999. maxLength: 63
  11000. minLength: 1
  11001. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11002. type: string
  11003. type: object
  11004. type: object
  11005. serviceAccount:
  11006. description: points to a service account that should be used for authentication
  11007. properties:
  11008. audiences:
  11009. description: |-
  11010. Audiences specifies the `aud` claim for the service account token.
  11011. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity,
  11012. then these audiences will be appended to the list.
  11013. items:
  11014. type: string
  11015. type: array
  11016. name:
  11017. description: The name of the ServiceAccount resource being referred to.
  11018. maxLength: 253
  11019. minLength: 1
  11020. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11021. type: string
  11022. namespace:
  11023. description: |-
  11024. Namespace of the resource being referred to.
  11025. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11026. maxLength: 63
  11027. minLength: 1
  11028. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11029. type: string
  11030. required:
  11031. - name
  11032. type: object
  11033. token:
  11034. description: use a static token to authenticate with
  11035. properties:
  11036. bearerToken:
  11037. description: |-
  11038. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  11039. In some instances, `key` is a required field.
  11040. properties:
  11041. key:
  11042. description: |-
  11043. A key in the referenced Secret.
  11044. Some instances of this field may be defaulted, in others it may be required.
  11045. maxLength: 253
  11046. minLength: 1
  11047. pattern: ^[-._a-zA-Z0-9]+$
  11048. type: string
  11049. name:
  11050. description: The name of the Secret resource being referred to.
  11051. maxLength: 253
  11052. minLength: 1
  11053. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11054. type: string
  11055. namespace:
  11056. description: |-
  11057. The namespace of the Secret resource being referred to.
  11058. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11059. maxLength: 63
  11060. minLength: 1
  11061. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11062. type: string
  11063. type: object
  11064. type: object
  11065. type: object
  11066. authRef:
  11067. description: A reference to a secret that contains the auth information.
  11068. properties:
  11069. key:
  11070. description: |-
  11071. A key in the referenced Secret.
  11072. Some instances of this field may be defaulted, in others it may be required.
  11073. maxLength: 253
  11074. minLength: 1
  11075. pattern: ^[-._a-zA-Z0-9]+$
  11076. type: string
  11077. name:
  11078. description: The name of the Secret resource being referred to.
  11079. maxLength: 253
  11080. minLength: 1
  11081. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11082. type: string
  11083. namespace:
  11084. description: |-
  11085. The namespace of the Secret resource being referred to.
  11086. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11087. maxLength: 63
  11088. minLength: 1
  11089. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11090. type: string
  11091. type: object
  11092. remoteNamespace:
  11093. default: default
  11094. description: Remote namespace to fetch the secrets from
  11095. maxLength: 63
  11096. minLength: 1
  11097. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11098. type: string
  11099. server:
  11100. description: configures the Kubernetes server Address.
  11101. properties:
  11102. caBundle:
  11103. description: CABundle is a base64-encoded CA certificate
  11104. format: byte
  11105. type: string
  11106. caProvider:
  11107. description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
  11108. properties:
  11109. key:
  11110. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  11111. maxLength: 253
  11112. minLength: 1
  11113. pattern: ^[-._a-zA-Z0-9]+$
  11114. type: string
  11115. name:
  11116. description: The name of the object located at the provider type.
  11117. maxLength: 253
  11118. minLength: 1
  11119. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11120. type: string
  11121. namespace:
  11122. description: |-
  11123. The namespace the Provider type is in.
  11124. Can only be defined when used in a ClusterSecretStore.
  11125. maxLength: 63
  11126. minLength: 1
  11127. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11128. type: string
  11129. type:
  11130. description: The type of provider to use such as "Secret", or "ConfigMap".
  11131. enum:
  11132. - Secret
  11133. - ConfigMap
  11134. type: string
  11135. required:
  11136. - name
  11137. - type
  11138. type: object
  11139. url:
  11140. default: kubernetes.default
  11141. description: configures the Kubernetes server Address.
  11142. type: string
  11143. type: object
  11144. type: object
  11145. onboardbase:
  11146. description: Onboardbase configures this store to sync secrets using the Onboardbase provider
  11147. properties:
  11148. apiHost:
  11149. default: https://public.onboardbase.com/api/v1/
  11150. description: APIHost configures the host URL of the API for self-hosted installations; defaults to https://public.onboardbase.com/api/v1/
  11151. type: string
  11152. auth:
  11153. description: Auth configures how the Operator authenticates with the Onboardbase API
  11154. properties:
  11155. apiKeyRef:
  11156. description: |-
  11157. OnboardbaseAPIKey is the APIKey generated by an admin account.
  11158. It is used to recognize and authorize access to a project and environment within onboardbase
  11159. properties:
  11160. key:
  11161. description: |-
  11162. A key in the referenced Secret.
  11163. Some instances of this field may be defaulted, in others it may be required.
  11164. maxLength: 253
  11165. minLength: 1
  11166. pattern: ^[-._a-zA-Z0-9]+$
  11167. type: string
  11168. name:
  11169. description: The name of the Secret resource being referred to.
  11170. maxLength: 253
  11171. minLength: 1
  11172. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11173. type: string
  11174. namespace:
  11175. description: |-
  11176. The namespace of the Secret resource being referred to.
  11177. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11178. maxLength: 63
  11179. minLength: 1
  11180. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11181. type: string
  11182. type: object
  11183. passcodeRef:
  11184. description: OnboardbasePasscode is the passcode attached to the API Key
  11185. properties:
  11186. key:
  11187. description: |-
  11188. A key in the referenced Secret.
  11189. Some instances of this field may be defaulted, in others it may be required.
  11190. maxLength: 253
  11191. minLength: 1
  11192. pattern: ^[-._a-zA-Z0-9]+$
  11193. type: string
  11194. name:
  11195. description: The name of the Secret resource being referred to.
  11196. maxLength: 253
  11197. minLength: 1
  11198. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11199. type: string
  11200. namespace:
  11201. description: |-
  11202. The namespace of the Secret resource being referred to.
  11203. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11204. maxLength: 63
  11205. minLength: 1
  11206. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11207. type: string
  11208. type: object
  11209. required:
  11210. - apiKeyRef
  11211. - passcodeRef
  11212. type: object
  11213. environment:
  11214. default: development
  11215. description: Environment is the name of an environment within a project to pull the secrets from
  11216. type: string
  11217. project:
  11218. default: development
  11219. description: Project is an onboardbase project that the secrets should be pulled from
  11220. type: string
  11221. required:
  11222. - apiHost
  11223. - auth
  11224. - environment
  11225. - project
  11226. type: object
  11227. onepassword:
  11228. description: OnePassword configures this store to sync secrets using the 1Password Cloud provider
  11229. properties:
  11230. auth:
  11231. description: Auth defines the information necessary to authenticate against OnePassword Connect Server
  11232. properties:
  11233. secretRef:
  11234. description: OnePasswordAuthSecretRef holds secret references for 1Password credentials.
  11235. properties:
  11236. connectTokenSecretRef:
  11237. description: The ConnectToken is used for authentication to a 1Password Connect Server.
  11238. properties:
  11239. key:
  11240. description: |-
  11241. A key in the referenced Secret.
  11242. Some instances of this field may be defaulted, in others it may be required.
  11243. maxLength: 253
  11244. minLength: 1
  11245. pattern: ^[-._a-zA-Z0-9]+$
  11246. type: string
  11247. name:
  11248. description: The name of the Secret resource being referred to.
  11249. maxLength: 253
  11250. minLength: 1
  11251. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11252. type: string
  11253. namespace:
  11254. description: |-
  11255. The namespace of the Secret resource being referred to.
  11256. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11257. maxLength: 63
  11258. minLength: 1
  11259. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11260. type: string
  11261. type: object
  11262. required:
  11263. - connectTokenSecretRef
  11264. type: object
  11265. required:
  11266. - secretRef
  11267. type: object
  11268. connectHost:
  11269. description: ConnectHost defines the OnePassword Connect Server to connect to
  11270. type: string
  11271. vaults:
  11272. additionalProperties:
  11273. type: integer
  11274. description: Vaults defines which OnePassword vaults to search in which order
  11275. type: object
  11276. required:
  11277. - auth
  11278. - connectHost
  11279. - vaults
  11280. type: object
  11281. oracle:
  11282. description: Oracle configures this store to sync secrets using Oracle Vault provider
  11283. properties:
  11284. auth:
  11285. description: |-
  11286. Auth configures how secret-manager authenticates with the Oracle Vault.
  11287. If empty, use the instance principal, otherwise the user credentials specified in Auth.
  11288. properties:
  11289. secretRef:
  11290. description: SecretRef to pass through sensitive information.
  11291. properties:
  11292. fingerprint:
  11293. description: Fingerprint is the fingerprint of the API private key.
  11294. properties:
  11295. key:
  11296. description: |-
  11297. A key in the referenced Secret.
  11298. Some instances of this field may be defaulted, in others it may be required.
  11299. maxLength: 253
  11300. minLength: 1
  11301. pattern: ^[-._a-zA-Z0-9]+$
  11302. type: string
  11303. name:
  11304. description: The name of the Secret resource being referred to.
  11305. maxLength: 253
  11306. minLength: 1
  11307. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11308. type: string
  11309. namespace:
  11310. description: |-
  11311. The namespace of the Secret resource being referred to.
  11312. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11313. maxLength: 63
  11314. minLength: 1
  11315. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11316. type: string
  11317. type: object
  11318. privatekey:
  11319. description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
  11320. properties:
  11321. key:
  11322. description: |-
  11323. A key in the referenced Secret.
  11324. Some instances of this field may be defaulted, in others it may be required.
  11325. maxLength: 253
  11326. minLength: 1
  11327. pattern: ^[-._a-zA-Z0-9]+$
  11328. type: string
  11329. name:
  11330. description: The name of the Secret resource being referred to.
  11331. maxLength: 253
  11332. minLength: 1
  11333. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11334. type: string
  11335. namespace:
  11336. description: |-
  11337. The namespace of the Secret resource being referred to.
  11338. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11339. maxLength: 63
  11340. minLength: 1
  11341. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11342. type: string
  11343. type: object
  11344. required:
  11345. - fingerprint
  11346. - privatekey
  11347. type: object
  11348. tenancy:
  11349. description: Tenancy is the tenancy OCID where user is located.
  11350. type: string
  11351. user:
  11352. description: User is an access OCID specific to the account.
  11353. type: string
  11354. required:
  11355. - secretRef
  11356. - tenancy
  11357. - user
  11358. type: object
  11359. compartment:
  11360. description: |-
  11361. Compartment is the vault compartment OCID.
  11362. Required for PushSecret
  11363. type: string
  11364. encryptionKey:
  11365. description: |-
  11366. EncryptionKey is the OCID of the encryption key within the vault.
  11367. Required for PushSecret
  11368. type: string
  11369. principalType:
  11370. description: |-
  11371. The type of principal to use for authentication. If left blank, the Auth struct will
  11372. determine the principal type. This optional field must be specified if using
  11373. workload identity.
  11374. enum:
  11375. - ""
  11376. - UserPrincipal
  11377. - InstancePrincipal
  11378. - Workload
  11379. type: string
  11380. region:
  11381. description: Region is the region where vault is located.
  11382. type: string
  11383. serviceAccountRef:
  11384. description: |-
  11385. ServiceAccountRef specifies the service account
  11386. that should be used when authenticating with WorkloadIdentity.
  11387. properties:
  11388. audiences:
  11389. description: |-
  11390. Audiences specifies the `aud` claim for the service account token.
  11391. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity,
  11392. then these audiences will be appended to the list.
  11393. items:
  11394. type: string
  11395. type: array
  11396. name:
  11397. description: The name of the ServiceAccount resource being referred to.
  11398. maxLength: 253
  11399. minLength: 1
  11400. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11401. type: string
  11402. namespace:
  11403. description: |-
  11404. Namespace of the resource being referred to.
  11405. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11406. maxLength: 63
  11407. minLength: 1
  11408. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11409. type: string
  11410. required:
  11411. - name
  11412. type: object
  11413. vault:
  11414. description: Vault is the OCID of the specific vault where the secret is located.
  11415. type: string
  11416. required:
  11417. - region
  11418. - vault
  11419. type: object
  11420. passbolt:
  11421. description: PassboltProvider defines configuration for the Passbolt provider.
  11422. properties:
  11423. auth:
  11424. description: Auth defines the information necessary to authenticate against Passbolt Server
  11425. properties:
  11426. passwordSecretRef:
  11427. description: PasswordSecretRef is a reference to the secret containing the Passbolt password
  11428. properties:
  11429. key:
  11430. description: |-
  11431. A key in the referenced Secret.
  11432. Some instances of this field may be defaulted, in others it may be required.
  11433. maxLength: 253
  11434. minLength: 1
  11435. pattern: ^[-._a-zA-Z0-9]+$
  11436. type: string
  11437. name:
  11438. description: The name of the Secret resource being referred to.
  11439. maxLength: 253
  11440. minLength: 1
  11441. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11442. type: string
  11443. namespace:
  11444. description: |-
  11445. The namespace of the Secret resource being referred to.
  11446. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11447. maxLength: 63
  11448. minLength: 1
  11449. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11450. type: string
  11451. type: object
  11452. privateKeySecretRef:
  11453. description: PrivateKeySecretRef is a reference to the secret containing the Passbolt private key
  11454. properties:
  11455. key:
  11456. description: |-
  11457. A key in the referenced Secret.
  11458. Some instances of this field may be defaulted, in others it may be required.
  11459. maxLength: 253
  11460. minLength: 1
  11461. pattern: ^[-._a-zA-Z0-9]+$
  11462. type: string
  11463. name:
  11464. description: The name of the Secret resource being referred to.
  11465. maxLength: 253
  11466. minLength: 1
  11467. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11468. type: string
  11469. namespace:
  11470. description: |-
  11471. The namespace of the Secret resource being referred to.
  11472. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11473. maxLength: 63
  11474. minLength: 1
  11475. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11476. type: string
  11477. type: object
  11478. required:
  11479. - passwordSecretRef
  11480. - privateKeySecretRef
  11481. type: object
  11482. host:
  11483. description: Host defines the Passbolt Server to connect to
  11484. type: string
  11485. required:
  11486. - auth
  11487. - host
  11488. type: object
  11489. passworddepot:
  11490. description: PasswordDepotProvider configures a store to sync secrets with a Password Depot instance.
  11491. properties:
  11492. auth:
  11493. description: Auth configures how secret-manager authenticates with a Password Depot instance.
  11494. properties:
  11495. secretRef:
  11496. description: PasswordDepotSecretRef defines a reference to a secret containing credentials for the Password Depot provider.
  11497. properties:
  11498. credentials:
  11499. description: Username / Password is used for authentication.
  11500. properties:
  11501. key:
  11502. description: |-
  11503. A key in the referenced Secret.
  11504. Some instances of this field may be defaulted, in others it may be required.
  11505. maxLength: 253
  11506. minLength: 1
  11507. pattern: ^[-._a-zA-Z0-9]+$
  11508. type: string
  11509. name:
  11510. description: The name of the Secret resource being referred to.
  11511. maxLength: 253
  11512. minLength: 1
  11513. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11514. type: string
  11515. namespace:
  11516. description: |-
  11517. The namespace of the Secret resource being referred to.
  11518. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11519. maxLength: 63
  11520. minLength: 1
  11521. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11522. type: string
  11523. type: object
  11524. type: object
  11525. required:
  11526. - secretRef
  11527. type: object
  11528. database:
  11529. description: Database to use as source
  11530. type: string
  11531. host:
  11532. description: URL configures the Password Depot instance URL.
  11533. type: string
  11534. required:
  11535. - auth
  11536. - database
  11537. - host
  11538. type: object
  11539. previder:
  11540. description: Previder configures this store to sync secrets using the Previder provider
  11541. properties:
  11542. auth:
  11543. description: PreviderAuth contains a secretRef for credentials.
  11544. properties:
  11545. secretRef:
  11546. description: PreviderAuthSecretRef holds secret references for Previder Vault credentials.
  11547. properties:
  11548. accessToken:
  11549. description: The AccessToken is used for authentication
  11550. properties:
  11551. key:
  11552. description: |-
  11553. A key in the referenced Secret.
  11554. Some instances of this field may be defaulted, in others it may be required.
  11555. maxLength: 253
  11556. minLength: 1
  11557. pattern: ^[-._a-zA-Z0-9]+$
  11558. type: string
  11559. name:
  11560. description: The name of the Secret resource being referred to.
  11561. maxLength: 253
  11562. minLength: 1
  11563. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11564. type: string
  11565. namespace:
  11566. description: |-
  11567. The namespace of the Secret resource being referred to.
  11568. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11569. maxLength: 63
  11570. minLength: 1
  11571. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11572. type: string
  11573. type: object
  11574. required:
  11575. - accessToken
  11576. type: object
  11577. type: object
  11578. baseUri:
  11579. type: string
  11580. required:
  11581. - auth
  11582. type: object
  11583. pulumi:
  11584. description: Pulumi configures this store to sync secrets using the Pulumi provider
  11585. properties:
  11586. accessToken:
  11587. description: AccessToken is the access token used to sign in to the Pulumi Cloud Console.
  11588. properties:
  11589. secretRef:
  11590. description: SecretRef is a reference to a secret containing the Pulumi API token.
  11591. properties:
  11592. key:
  11593. description: |-
  11594. A key in the referenced Secret.
  11595. Some instances of this field may be defaulted, in others it may be required.
  11596. maxLength: 253
  11597. minLength: 1
  11598. pattern: ^[-._a-zA-Z0-9]+$
  11599. type: string
  11600. name:
  11601. description: The name of the Secret resource being referred to.
  11602. maxLength: 253
  11603. minLength: 1
  11604. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11605. type: string
  11606. namespace:
  11607. description: |-
  11608. The namespace of the Secret resource being referred to.
  11609. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11610. maxLength: 63
  11611. minLength: 1
  11612. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11613. type: string
  11614. type: object
  11615. type: object
  11616. apiUrl:
  11617. default: https://api.pulumi.com/api/esc
  11618. description: APIURL is the URL of the Pulumi API.
  11619. type: string
  11620. environment:
  11621. description: |-
  11622. Environment is a YAML document composed of static key-value pairs, programmatic expressions,
  11623. dynamically retrieved values from supported providers including all major clouds,
  11624. and other Pulumi ESC environments.
  11625. To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information.
  11626. type: string
  11627. organization:
  11628. description: |-
  11629. Organization is a space to collaborate on shared projects and stacks.
  11630. To create a new organization, visit https://app.pulumi.com/ and click "New Organization".
  11631. type: string
  11632. project:
  11633. description: Project is the name of the Pulumi ESC project the environment belongs to.
  11634. type: string
  11635. required:
  11636. - accessToken
  11637. - environment
  11638. - organization
  11639. - project
  11640. type: object
  11641. scaleway:
  11642. description: Scaleway configures this store to sync secrets using the Scaleway provider.
  11643. properties:
  11644. accessKey:
  11645. description: AccessKey is the non-secret part of the api key.
  11646. properties:
  11647. secretRef:
  11648. description: SecretRef references a key in a secret that will be used as value.
  11649. properties:
  11650. key:
  11651. description: |-
  11652. A key in the referenced Secret.
  11653. Some instances of this field may be defaulted, in others it may be required.
  11654. maxLength: 253
  11655. minLength: 1
  11656. pattern: ^[-._a-zA-Z0-9]+$
  11657. type: string
  11658. name:
  11659. description: The name of the Secret resource being referred to.
  11660. maxLength: 253
  11661. minLength: 1
  11662. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11663. type: string
  11664. namespace:
  11665. description: |-
  11666. The namespace of the Secret resource being referred to.
  11667. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11668. maxLength: 63
  11669. minLength: 1
  11670. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11671. type: string
  11672. type: object
  11673. value:
  11674. description: Value can be specified directly to set a value without using a secret.
  11675. type: string
  11676. type: object
  11677. apiUrl:
  11678. description: APIURL is the URL of the API to use. Defaults to https://api.scaleway.com
  11679. type: string
  11680. projectId:
  11681. description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings'
  11682. type: string
  11683. region:
  11684. description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone'
  11685. type: string
  11686. secretKey:
  11687. description: SecretKey is the secret part of the api key.
  11688. properties:
  11689. secretRef:
  11690. description: SecretRef references a key in a secret that will be used as value.
  11691. properties:
  11692. key:
  11693. description: |-
  11694. A key in the referenced Secret.
  11695. Some instances of this field may be defaulted, in others it may be required.
  11696. maxLength: 253
  11697. minLength: 1
  11698. pattern: ^[-._a-zA-Z0-9]+$
  11699. type: string
  11700. name:
  11701. description: The name of the Secret resource being referred to.
  11702. maxLength: 253
  11703. minLength: 1
  11704. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11705. type: string
  11706. namespace:
  11707. description: |-
  11708. The namespace of the Secret resource being referred to.
  11709. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11710. maxLength: 63
  11711. minLength: 1
  11712. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11713. type: string
  11714. type: object
  11715. value:
  11716. description: Value can be specified directly to set a value without using a secret.
  11717. type: string
  11718. type: object
  11719. required:
  11720. - accessKey
  11721. - projectId
  11722. - region
  11723. - secretKey
  11724. type: object
  11725. secretserver:
  11726. description: |-
  11727. SecretServer configures this store to sync secrets using the SecretServer provider
  11728. https://docs.delinea.com/online-help/secret-server/start.htm
  11729. properties:
  11730. password:
  11731. description: Password is the secret server account password.
  11732. properties:
  11733. secretRef:
  11734. description: SecretRef references a key in a secret that will be used as value.
  11735. properties:
  11736. key:
  11737. description: |-
  11738. A key in the referenced Secret.
  11739. Some instances of this field may be defaulted, in others it may be required.
  11740. maxLength: 253
  11741. minLength: 1
  11742. pattern: ^[-._a-zA-Z0-9]+$
  11743. type: string
  11744. name:
  11745. description: The name of the Secret resource being referred to.
  11746. maxLength: 253
  11747. minLength: 1
  11748. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11749. type: string
  11750. namespace:
  11751. description: |-
  11752. The namespace of the Secret resource being referred to.
  11753. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11754. maxLength: 63
  11755. minLength: 1
  11756. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11757. type: string
  11758. type: object
  11759. value:
  11760. description: Value can be specified directly to set a value without using a secret.
  11761. type: string
  11762. type: object
  11763. serverURL:
  11764. description: |-
  11765. ServerURL is the URL of your Secret Server installation
  11767. type: string
  11768. username:
  11769. description: Username is the secret server account username.
  11770. properties:
  11771. secretRef:
  11772. description: SecretRef references a key in a secret that will be used as value.
  11773. properties:
  11774. key:
  11775. description: |-
  11776. A key in the referenced Secret.
  11777. Some instances of this field may be defaulted, in others it may be required.
  11778. maxLength: 253
  11779. minLength: 1
  11780. pattern: ^[-._a-zA-Z0-9]+$
  11781. type: string
  11782. name:
  11783. description: The name of the Secret resource being referred to.
  11784. maxLength: 253
  11785. minLength: 1
  11786. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11787. type: string
  11788. namespace:
  11789. description: |-
  11790. The namespace of the Secret resource being referred to.
  11791. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11792. maxLength: 63
  11793. minLength: 1
  11794. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11795. type: string
  11796. type: object
  11797. value:
  11798. description: Value can be specified directly to set a value without using a secret.
  11799. type: string
  11800. type: object
  11801. required:
  11802. - password
  11803. - serverURL
  11804. - username
  11805. type: object
  11806. senhasegura:
  11807. description: Senhasegura configures this store to sync secrets using the senhasegura provider
  11808. properties:
  11809. auth:
  11810. description: Auth defines parameters to authenticate to senhasegura
  11811. properties:
  11812. clientId:
  11813. type: string
  11814. clientSecretSecretRef:
  11815. description: |-
  11816. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  11817. In some instances, `key` is a required field.
  11818. properties:
  11819. key:
  11820. description: |-
  11821. A key in the referenced Secret.
  11822. Some instances of this field may be defaulted, in others it may be required.
  11823. maxLength: 253
  11824. minLength: 1
  11825. pattern: ^[-._a-zA-Z0-9]+$
  11826. type: string
  11827. name:
  11828. description: The name of the Secret resource being referred to.
  11829. maxLength: 253
  11830. minLength: 1
  11831. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11832. type: string
  11833. namespace:
  11834. description: |-
  11835. The namespace of the Secret resource being referred to.
  11836. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11837. maxLength: 63
  11838. minLength: 1
  11839. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11840. type: string
  11841. type: object
  11842. required:
  11843. - clientId
  11844. - clientSecretSecretRef
  11845. type: object
  11846. ignoreSslCertificate:
  11847. default: false
  11848. description: IgnoreSslCertificate defines whether the SSL certificate presented by the senhasegura server is ignored (certificate validation is skipped)
  11849. type: boolean
  11850. module:
  11851. description: Module defines which senhasegura module should be used to get secrets
  11852. type: string
  11853. url:
  11854. description: URL of senhasegura
  11855. type: string
  11856. required:
  11857. - auth
  11858. - module
  11859. - url
  11860. type: object
  11861. vault:
  11862. description: Vault configures this store to sync secrets using the HashiCorp Vault provider.
  11863. properties:
  11864. auth:
  11865. description: Auth configures how secret-manager authenticates with the Vault server.
  11866. properties:
  11867. appRole:
  11868. description: |-
  11869. AppRole authenticates with Vault using the App Role auth mechanism,
  11870. with the role and secret stored in a Kubernetes Secret resource.
  11871. properties:
  11872. path:
  11873. default: approle
  11874. description: |-
  11875. Path where the App Role authentication backend is mounted
  11876. in Vault, e.g: "approle"
  11877. type: string
  11878. roleId:
  11879. description: |-
  11880. RoleID configured in the App Role authentication backend when setting
  11881. up the authentication backend in Vault.
  11882. type: string
  11883. roleRef:
  11884. description: |-
  11885. Reference to a key in a Secret that contains the App Role ID used
  11886. to authenticate with Vault.
  11887. The `key` field must be specified and denotes which entry within the Secret
  11888. resource is used as the app role id.
  11889. properties:
  11890. key:
  11891. description: |-
  11892. A key in the referenced Secret.
  11893. Some instances of this field may be defaulted, in others it may be required.
  11894. maxLength: 253
  11895. minLength: 1
  11896. pattern: ^[-._a-zA-Z0-9]+$
  11897. type: string
  11898. name:
  11899. description: The name of the Secret resource being referred to.
  11900. maxLength: 253
  11901. minLength: 1
  11902. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11903. type: string
  11904. namespace:
  11905. description: |-
  11906. The namespace of the Secret resource being referred to.
  11907. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11908. maxLength: 63
  11909. minLength: 1
  11910. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11911. type: string
  11912. type: object
  11913. secretRef:
  11914. description: |-
  11915. Reference to a key in a Secret that contains the App Role secret used
  11916. to authenticate with Vault.
  11917. The `key` field must be specified and denotes which entry within the Secret
  11918. resource is used as the app role secret.
  11919. properties:
  11920. key:
  11921. description: |-
  11922. A key in the referenced Secret.
  11923. Some instances of this field may be defaulted, in others it may be required.
  11924. maxLength: 253
  11925. minLength: 1
  11926. pattern: ^[-._a-zA-Z0-9]+$
  11927. type: string
  11928. name:
  11929. description: The name of the Secret resource being referred to.
  11930. maxLength: 253
  11931. minLength: 1
  11932. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11933. type: string
  11934. namespace:
  11935. description: |-
  11936. The namespace of the Secret resource being referred to.
  11937. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11938. maxLength: 63
  11939. minLength: 1
  11940. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11941. type: string
  11942. type: object
  11943. required:
  11944. - path
  11945. - secretRef
  11946. type: object
  11947. cert:
  11948. description: |-
  11949. Cert authenticates with Vault using TLS client certificates, passing the client certificate, private key and CA certificate
  11950. to the Cert authentication method
  11951. properties:
  11952. clientCert:
  11953. description: |-
  11954. ClientCert is a certificate to authenticate using the Cert Vault
  11955. authentication method
  11956. properties:
  11957. key:
  11958. description: |-
  11959. A key in the referenced Secret.
  11960. Some instances of this field may be defaulted, in others it may be required.
  11961. maxLength: 253
  11962. minLength: 1
  11963. pattern: ^[-._a-zA-Z0-9]+$
  11964. type: string
  11965. name:
  11966. description: The name of the Secret resource being referred to.
  11967. maxLength: 253
  11968. minLength: 1
  11969. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11970. type: string
  11971. namespace:
  11972. description: |-
  11973. The namespace of the Secret resource being referred to.
  11974. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11975. maxLength: 63
  11976. minLength: 1
  11977. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11978. type: string
  11979. type: object
  11980. secretRef:
  11981. description: |-
  11982. SecretRef to a key in a Secret resource containing client private key to
  11983. authenticate with Vault using the Cert authentication method
  11984. properties:
  11985. key:
  11986. description: |-
  11987. A key in the referenced Secret.
  11988. Some instances of this field may be defaulted, in others it may be required.
  11989. maxLength: 253
  11990. minLength: 1
  11991. pattern: ^[-._a-zA-Z0-9]+$
  11992. type: string
  11993. name:
  11994. description: The name of the Secret resource being referred to.
  11995. maxLength: 253
  11996. minLength: 1
  11997. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11998. type: string
  11999. namespace:
  12000. description: |-
  12001. The namespace of the Secret resource being referred to.
  12002. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12003. maxLength: 63
  12004. minLength: 1
  12005. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12006. type: string
  12007. type: object
  12008. type: object
  12009. iam:
  12010. description: |-
  12011. Iam authenticates with Vault by passing a special AWS request signed with AWS IAM credentials
  12012. to the AWS IAM authentication method
  12013. properties:
  12014. externalID:
  12015. description: AWS External ID set on assumed IAM roles
  12016. type: string
  12017. jwt:
  12018. description: Specify a service account with IRSA enabled
  12019. properties:
  12020. serviceAccountRef:
  12021. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  12022. properties:
  12023. audiences:
  12024. description: |-
  12025. Audience specifies the `aud` claim for the service account token
  12026. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  12027. then these audiences will be appended to the list
  12028. items:
  12029. type: string
  12030. type: array
  12031. name:
  12032. description: The name of the ServiceAccount resource being referred to.
  12033. maxLength: 253
  12034. minLength: 1
  12035. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12036. type: string
  12037. namespace:
  12038. description: |-
  12039. Namespace of the resource being referred to.
  12040. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12041. maxLength: 63
  12042. minLength: 1
  12043. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12044. type: string
  12045. required:
  12046. - name
  12047. type: object
  12048. type: object
  12049. path:
  12050. description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
  12051. type: string
  12052. region:
  12053. description: AWS region
  12054. type: string
  12055. role:
  12056. description: This is the AWS role to be assumed before talking to vault
  12057. type: string
  12058. secretRef:
  12059. description: Specify credentials in a Secret object
  12060. properties:
  12061. accessKeyIDSecretRef:
  12062. description: The AccessKeyID is used for authentication
  12063. properties:
  12064. key:
  12065. description: |-
  12066. A key in the referenced Secret.
  12067. Some instances of this field may be defaulted, in others it may be required.
  12068. maxLength: 253
  12069. minLength: 1
  12070. pattern: ^[-._a-zA-Z0-9]+$
  12071. type: string
  12072. name:
  12073. description: The name of the Secret resource being referred to.
  12074. maxLength: 253
  12075. minLength: 1
  12076. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12077. type: string
  12078. namespace:
  12079. description: |-
  12080. The namespace of the Secret resource being referred to.
  12081. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12082. maxLength: 63
  12083. minLength: 1
  12084. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12085. type: string
  12086. type: object
  12087. secretAccessKeySecretRef:
  12088. description: The SecretAccessKey is used for authentication
  12089. properties:
  12090. key:
  12091. description: |-
  12092. A key in the referenced Secret.
  12093. Some instances of this field may be defaulted, in others it may be required.
  12094. maxLength: 253
  12095. minLength: 1
  12096. pattern: ^[-._a-zA-Z0-9]+$
  12097. type: string
  12098. name:
  12099. description: The name of the Secret resource being referred to.
  12100. maxLength: 253
  12101. minLength: 1
  12102. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12103. type: string
  12104. namespace:
  12105. description: |-
  12106. The namespace of the Secret resource being referred to.
  12107. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12108. maxLength: 63
  12109. minLength: 1
  12110. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12111. type: string
  12112. type: object
  12113. sessionTokenSecretRef:
  12114. description: |-
  12115. The SessionToken used for authentication
  12116. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  12117. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  12118. properties:
  12119. key:
  12120. description: |-
  12121. A key in the referenced Secret.
  12122. Some instances of this field may be defaulted, in others it may be required.
  12123. maxLength: 253
  12124. minLength: 1
  12125. pattern: ^[-._a-zA-Z0-9]+$
  12126. type: string
  12127. name:
  12128. description: The name of the Secret resource being referred to.
  12129. maxLength: 253
  12130. minLength: 1
  12131. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12132. type: string
  12133. namespace:
  12134. description: |-
  12135. The namespace of the Secret resource being referred to.
  12136. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12137. maxLength: 63
  12138. minLength: 1
  12139. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12140. type: string
  12141. type: object
  12142. type: object
  12143. vaultAwsIamServerID:
  12144. description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
  12145. type: string
  12146. vaultRole:
  12147. description: Vault Role. In Vault, a role describes an identity with a set of permissions, groups, or policies you want to attach to a user of the secrets engine
  12148. type: string
  12149. required:
  12150. - vaultRole
  12151. type: object
  12152. jwt:
  12153. description: |-
  12154. Jwt authenticates with Vault by passing role and JWT token using the
  12155. JWT/OIDC authentication method
  12156. properties:
  12157. kubernetesServiceAccountToken:
  12158. description: |-
  12159. Optional ServiceAccountToken specifies the Kubernetes service account for which to request
  12160. a token with the `TokenRequest` API.
  12161. properties:
  12162. audiences:
  12163. description: |-
  12164. Optional audiences field that will be used to request a temporary Kubernetes service
  12165. account token for the service account referenced by `serviceAccountRef`.
  12166. Defaults to a single audience `vault` if not specified.
  12167. Deprecated: use serviceAccountRef.Audiences instead
  12168. items:
  12169. type: string
  12170. type: array
  12171. expirationSeconds:
  12172. description: |-
  12173. Optional expiration time in seconds that will be used to request a temporary
  12174. Kubernetes service account token for the service account referenced by
  12175. `serviceAccountRef`.
  12176. Deprecated: this will be removed in the future.
  12177. Defaults to 10 minutes.
  12178. format: int64
  12179. type: integer
  12180. serviceAccountRef:
  12181. description: Service account field containing the name of a kubernetes ServiceAccount.
  12182. properties:
  12183. audiences:
  12184. description: |-
  12185. Audience specifies the `aud` claim for the service account token
  12186. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  12187. then these audiences will be appended to the list
  12188. items:
  12189. type: string
  12190. type: array
  12191. name:
  12192. description: The name of the ServiceAccount resource being referred to.
  12193. maxLength: 253
  12194. minLength: 1
  12195. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12196. type: string
  12197. namespace:
  12198. description: |-
  12199. Namespace of the resource being referred to.
  12200. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12201. maxLength: 63
  12202. minLength: 1
  12203. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12204. type: string
  12205. required:
  12206. - name
  12207. type: object
  12208. required:
  12209. - serviceAccountRef
  12210. type: object
  12211. path:
  12212. default: jwt
  12213. description: |-
  12214. Path where the JWT authentication backend is mounted
  12215. in Vault, e.g: "jwt"
  12216. type: string
  12217. role:
  12218. description: |-
  12219. Role is a JWT role to authenticate using the JWT/OIDC Vault
  12220. authentication method
  12221. type: string
  12222. secretRef:
  12223. description: |-
  12224. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  12225. authenticate with Vault using the JWT/OIDC authentication method.
  12226. properties:
  12227. key:
  12228. description: |-
  12229. A key in the referenced Secret.
  12230. Some instances of this field may be defaulted, in others it may be required.
  12231. maxLength: 253
  12232. minLength: 1
  12233. pattern: ^[-._a-zA-Z0-9]+$
  12234. type: string
  12235. name:
  12236. description: The name of the Secret resource being referred to.
  12237. maxLength: 253
  12238. minLength: 1
  12239. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12240. type: string
  12241. namespace:
  12242. description: |-
  12243. The namespace of the Secret resource being referred to.
  12244. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12245. maxLength: 63
  12246. minLength: 1
  12247. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12248. type: string
  12249. type: object
  12250. required:
  12251. - path
  12252. type: object
  12253. kubernetes:
  12254. description: |-
  12255. Kubernetes authenticates with Vault by passing the ServiceAccount
  12256. token stored in the named Secret resource to the Vault server.
  12257. properties:
  12258. mountPath:
  12259. default: kubernetes
  12260. description: |-
  12261. Path where the Kubernetes authentication backend is mounted in Vault, e.g:
  12262. "kubernetes"
  12263. type: string
  12264. role:
  12265. description: |-
  12266. A required field containing the Vault Role to assume. A Role binds a
  12267. Kubernetes ServiceAccount with a set of Vault policies.
  12268. type: string
  12269. secretRef:
  12270. description: |-
  12271. Optional secret field containing a Kubernetes ServiceAccount JWT used
  12272. for authenticating with Vault. If a name is specified without a key,
  12273. `token` is the default. If one is not specified, the one bound to
  12274. the controller will be used.
  12275. properties:
  12276. key:
  12277. description: |-
  12278. A key in the referenced Secret.
  12279. Some instances of this field may be defaulted, in others it may be required.
  12280. maxLength: 253
  12281. minLength: 1
  12282. pattern: ^[-._a-zA-Z0-9]+$
  12283. type: string
  12284. name:
  12285. description: The name of the Secret resource being referred to.
  12286. maxLength: 253
  12287. minLength: 1
  12288. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12289. type: string
  12290. namespace:
  12291. description: |-
  12292. The namespace of the Secret resource being referred to.
  12293. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12294. maxLength: 63
  12295. minLength: 1
  12296. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12297. type: string
  12298. type: object
  12299. serviceAccountRef:
  12300. description: |-
  12301. Optional service account field containing the name of a kubernetes ServiceAccount.
  12302. If the service account is specified, the service account secret token JWT will be used
  12303. for authenticating with Vault. If the service account selector is not supplied,
  12304. the secretRef will be used instead.
  12305. properties:
  12306. audiences:
  12307. description: |-
  12308. Audience specifies the `aud` claim for the service account token
  12309. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  12310. then these audiences will be appended to the list
  12311. items:
  12312. type: string
  12313. type: array
  12314. name:
  12315. description: The name of the ServiceAccount resource being referred to.
  12316. maxLength: 253
  12317. minLength: 1
  12318. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12319. type: string
  12320. namespace:
  12321. description: |-
  12322. Namespace of the resource being referred to.
  12323. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12324. maxLength: 63
  12325. minLength: 1
  12326. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12327. type: string
  12328. required:
  12329. - name
  12330. type: object
  12331. required:
  12332. - mountPath
  12333. - role
  12334. type: object
  12335. ldap:
  12336. description: |-
  12337. Ldap authenticates with Vault by passing username/password pair using
  12338. the LDAP authentication method
  12339. properties:
  12340. path:
  12341. default: ldap
  12342. description: |-
  12343. Path where the LDAP authentication backend is mounted
  12344. in Vault, e.g: "ldap"
  12345. type: string
  12346. secretRef:
  12347. description: |-
  12348. SecretRef to a key in a Secret resource containing password for the LDAP
  12349. user used to authenticate with Vault using the LDAP authentication
  12350. method
  12351. properties:
  12352. key:
  12353. description: |-
  12354. A key in the referenced Secret.
  12355. Some instances of this field may be defaulted, in others it may be required.
  12356. maxLength: 253
  12357. minLength: 1
  12358. pattern: ^[-._a-zA-Z0-9]+$
  12359. type: string
  12360. name:
  12361. description: The name of the Secret resource being referred to.
  12362. maxLength: 253
  12363. minLength: 1
  12364. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12365. type: string
  12366. namespace:
  12367. description: |-
  12368. The namespace of the Secret resource being referred to.
  12369. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12370. maxLength: 63
  12371. minLength: 1
  12372. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12373. type: string
  12374. type: object
  12375. username:
  12376. description: |-
  12377. Username is an LDAP username used to authenticate using the LDAP Vault
  12378. authentication method
  12379. type: string
  12380. required:
  12381. - path
  12382. - username
  12383. type: object
  12384. namespace:
  12385. description: |-
  12386. Name of the vault namespace to authenticate to. This can be different from the namespace your secret is in.
  12387. Namespaces are a set of features within Vault Enterprise that allows
  12388. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  12389. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  12390. This defaults to the Vault.Namespace field if set, or empty otherwise
  12391. type: string
  12392. tokenSecretRef:
  12393. description: TokenSecretRef authenticates with Vault by presenting a token.
  12394. properties:
  12395. key:
  12396. description: |-
  12397. A key in the referenced Secret.
  12398. Some instances of this field may be defaulted, in others it may be required.
  12399. maxLength: 253
  12400. minLength: 1
  12401. pattern: ^[-._a-zA-Z0-9]+$
  12402. type: string
  12403. name:
  12404. description: The name of the Secret resource being referred to.
  12405. maxLength: 253
  12406. minLength: 1
  12407. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12408. type: string
  12409. namespace:
  12410. description: |-
  12411. The namespace of the Secret resource being referred to.
  12412. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12413. maxLength: 63
  12414. minLength: 1
  12415. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12416. type: string
  12417. type: object
  12418. userPass:
  12419. description: UserPass authenticates with Vault by passing username/password pair
  12420. properties:
  12421. path:
  12422. default: userpass
  12423. description: |-
  12424. Path where the UserPassword authentication backend is mounted
  12425. in Vault, e.g: "userpass"
  12426. type: string
  12427. secretRef:
  12428. description: |-
  12429. SecretRef to a key in a Secret resource containing password for the
  12430. user used to authenticate with Vault using the UserPass authentication
  12431. method
  12432. properties:
  12433. key:
  12434. description: |-
  12435. A key in the referenced Secret.
  12436. Some instances of this field may be defaulted, in others it may be required.
  12437. maxLength: 253
  12438. minLength: 1
  12439. pattern: ^[-._a-zA-Z0-9]+$
  12440. type: string
  12441. name:
  12442. description: The name of the Secret resource being referred to.
  12443. maxLength: 253
  12444. minLength: 1
  12445. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12446. type: string
  12447. namespace:
  12448. description: |-
  12449. The namespace of the Secret resource being referred to.
  12450. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12451. maxLength: 63
  12452. minLength: 1
  12453. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12454. type: string
  12455. type: object
  12456. username:
  12457. description: |-
  12458. Username is a username used to authenticate using the UserPass Vault
  12459. authentication method
  12460. type: string
  12461. required:
  12462. - path
  12463. - username
  12464. type: object
  12465. type: object
  12466. caBundle:
  12467. description: |-
  12468. PEM encoded CA bundle used to validate the Vault server certificate. Only used
  12469. if the Server URL uses the HTTPS protocol. This parameter is ignored for
  12470. plain HTTP connections. If not set, the system root certificates
  12471. are used to validate the TLS connection.
  12472. format: byte
  12473. type: string
  12474. caProvider:
  12475. description: The provider for the CA bundle to use to validate Vault server certificate.
  12476. properties:
  12477. key:
  12478. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  12479. maxLength: 253
  12480. minLength: 1
  12481. pattern: ^[-._a-zA-Z0-9]+$
  12482. type: string
  12483. name:
  12484. description: The name of the object located at the provider type.
  12485. maxLength: 253
  12486. minLength: 1
  12487. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12488. type: string
  12489. namespace:
  12490. description: |-
  12491. The namespace the Provider type is in.
  12492. Can only be defined when used in a ClusterSecretStore.
  12493. maxLength: 63
  12494. minLength: 1
  12495. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12496. type: string
  12497. type:
  12498. description: The type of provider to use such as "Secret", or "ConfigMap".
  12499. enum:
  12500. - Secret
  12501. - ConfigMap
  12502. type: string
  12503. required:
  12504. - name
  12505. - type
  12506. type: object
  12507. forwardInconsistent:
  12508. description: |-
  12509. ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
  12510. leader instead of simply retrying within a loop. This can increase performance if
  12511. the option is enabled server-side.
  12512. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  12513. type: boolean
  12514. headers:
  12515. additionalProperties:
  12516. type: string
  12517. description: Headers to be added to Vault requests
  12518. type: object
  12519. namespace:
  12520. description: |-
  12521. Name of the Vault namespace. Namespaces are a set of features within Vault Enterprise that allow
  12522. Vault environments to support Secure Multi-tenancy, e.g: "ns1".
  12523. More about namespaces can be found here: https://www.vaultproject.io/docs/enterprise/namespaces
  12524. type: string
  12525. path:
  12526. description: |-
  12527. Path is the mount path of the Vault KV backend endpoint, e.g:
  12528. "secret". The v2 KV secret engine version specific "/data" path suffix
  12529. for fetching secrets from Vault is optional and will be appended
  12530. if not present in specified path.
  12531. type: string
  12532. readYourWrites:
  12533. description: |-
  12534. ReadYourWrites ensures isolated read-after-write semantics by
  12535. providing discovered cluster replication states in each request.
  12536. More information about eventual consistency in Vault can be found here
  12537. https://www.vaultproject.io/docs/enterprise/consistency
  12538. type: boolean
  12539. server:
  12540. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  12541. type: string
  12542. tls:
  12543. description: |-
  12544. The configuration used for client-side TLS communication, when the Vault server
  12545. requires mutual authentication. Only used if the Server URL uses the HTTPS protocol.
  12546. This parameter is ignored for plain HTTP connections.
  12547. It's worth noting this configuration is different from the "TLS certificates auth method",
  12548. which is available under the `auth.cert` section.
  12549. properties:
  12550. certSecretRef:
  12551. description: |-
  12552. CertSecretRef is a certificate added to the transport layer
  12553. when communicating with the Vault server.
  12554. If no key for the Secret is specified, external-secret will default to 'tls.crt'.
  12555. properties:
  12556. key:
  12557. description: |-
  12558. A key in the referenced Secret.
  12559. Some instances of this field may be defaulted, in others it may be required.
  12560. maxLength: 253
  12561. minLength: 1
  12562. pattern: ^[-._a-zA-Z0-9]+$
  12563. type: string
  12564. name:
  12565. description: The name of the Secret resource being referred to.
  12566. maxLength: 253
  12567. minLength: 1
  12568. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12569. type: string
  12570. namespace:
  12571. description: |-
  12572. The namespace of the Secret resource being referred to.
  12573. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12574. maxLength: 63
  12575. minLength: 1
  12576. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12577. type: string
  12578. type: object
  12579. keySecretRef:
  12580. description: |-
  12581. KeySecretRef to a key in a Secret resource containing client private key
  12582. added to the transport layer when communicating with the Vault server.
  12583. If no key for the Secret is specified, external-secret will default to 'tls.key'.
  12584. properties:
  12585. key:
  12586. description: |-
  12587. A key in the referenced Secret.
  12588. Some instances of this field may be defaulted, in others it may be required.
  12589. maxLength: 253
  12590. minLength: 1
  12591. pattern: ^[-._a-zA-Z0-9]+$
  12592. type: string
  12593. name:
  12594. description: The name of the Secret resource being referred to.
  12595. maxLength: 253
  12596. minLength: 1
  12597. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12598. type: string
  12599. namespace:
  12600. description: |-
  12601. The namespace of the Secret resource being referred to.
  12602. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12603. maxLength: 63
  12604. minLength: 1
  12605. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12606. type: string
  12607. type: object
  12608. type: object
  12609. version:
  12610. default: v2
  12611. description: |-
  12612. Version is the Vault KV secret engine version. This can be either "v1" or
  12613. "v2". Version defaults to "v2".
  12614. enum:
  12615. - v1
  12616. - v2
  12617. type: string
  12618. required:
  12619. - server
  12620. type: object
  12621. webhook:
  12622. description: Webhook configures this store to sync secrets using a generic templated webhook
  12623. properties:
  12624. auth:
  12625. description: Auth specifies an authorization protocol. Only one protocol may be set.
  12626. maxProperties: 1
  12627. minProperties: 1
  12628. properties:
  12629. ntlm:
  12630. description: NTLMProtocol configures the store to use NTLM for auth
  12631. properties:
  12632. passwordSecret:
  12633. description: |-
  12634. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  12635. In some instances, `key` is a required field.
  12636. properties:
  12637. key:
  12638. description: |-
  12639. A key in the referenced Secret.
  12640. Some instances of this field may be defaulted, in others it may be required.
  12641. maxLength: 253
  12642. minLength: 1
  12643. pattern: ^[-._a-zA-Z0-9]+$
  12644. type: string
  12645. name:
  12646. description: The name of the Secret resource being referred to.
  12647. maxLength: 253
  12648. minLength: 1
  12649. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12650. type: string
  12651. namespace:
  12652. description: |-
  12653. The namespace of the Secret resource being referred to.
  12654. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12655. maxLength: 63
  12656. minLength: 1
  12657. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12658. type: string
  12659. type: object
  12660. usernameSecret:
  12661. description: |-
  12662. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  12663. In some instances, `key` is a required field.
  12664. properties:
  12665. key:
  12666. description: |-
  12667. A key in the referenced Secret.
  12668. Some instances of this field may be defaulted, in others it may be required.
  12669. maxLength: 253
  12670. minLength: 1
  12671. pattern: ^[-._a-zA-Z0-9]+$
  12672. type: string
  12673. name:
  12674. description: The name of the Secret resource being referred to.
  12675. maxLength: 253
  12676. minLength: 1
  12677. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12678. type: string
  12679. namespace:
  12680. description: |-
  12681. The namespace of the Secret resource being referred to.
  12682. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12683. maxLength: 63
  12684. minLength: 1
  12685. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12686. type: string
  12687. type: object
  12688. required:
  12689. - passwordSecret
  12690. - usernameSecret
  12691. type: object
  12692. type: object
  12693. body:
  12694. description: Body
  12695. type: string
  12696. caBundle:
  12697. description: |-
  12698. PEM encoded CA bundle used to validate the webhook server certificate. Only used
  12699. if the Server URL uses the HTTPS protocol. This parameter is ignored for
  12700. plain HTTP connections. If not set, the system root certificates
  12701. are used to validate the TLS connection.
  12702. format: byte
  12703. type: string
  12704. caProvider:
  12705. description: The provider for the CA bundle to use to validate webhook server certificate.
  12706. properties:
  12707. key:
  12708. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  12709. maxLength: 253
  12710. minLength: 1
  12711. pattern: ^[-._a-zA-Z0-9]+$
  12712. type: string
  12713. name:
  12714. description: The name of the object located at the provider type.
  12715. maxLength: 253
  12716. minLength: 1
  12717. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12718. type: string
  12719. namespace:
  12720. description: The namespace the Provider type is in.
  12721. maxLength: 63
  12722. minLength: 1
  12723. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12724. type: string
  12725. type:
  12726. description: The type of provider to use such as "Secret", or "ConfigMap".
  12727. enum:
  12728. - Secret
  12729. - ConfigMap
  12730. type: string
  12731. required:
  12732. - name
  12733. - type
  12734. type: object
  12735. headers:
  12736. additionalProperties:
  12737. type: string
  12738. description: Headers
  12739. type: object
  12740. method:
  12741. description: Webhook Method
  12742. type: string
  12743. result:
  12744. description: Result formatting
  12745. properties:
  12746. jsonPath:
  12747. description: Json path of return value
  12748. type: string
  12749. type: object
  12750. secrets:
  12751. description: |-
  12752. Secrets to fill in templates
  12753. These secrets will be passed to the templating function as key value pairs under the given name
  12754. items:
  12755. description: WebhookSecret defines a secret to be used in webhook templates.
  12756. properties:
  12757. name:
  12758. description: Name of this secret in templates
  12759. type: string
  12760. secretRef:
  12761. description: Secret ref to fill in credentials
  12762. properties:
  12763. key:
  12764. description: |-
  12765. A key in the referenced Secret.
  12766. Some instances of this field may be defaulted, in others it may be required.
  12767. maxLength: 253
  12768. minLength: 1
  12769. pattern: ^[-._a-zA-Z0-9]+$
  12770. type: string
  12771. name:
  12772. description: The name of the Secret resource being referred to.
  12773. maxLength: 253
  12774. minLength: 1
  12775. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12776. type: string
  12777. namespace:
  12778. description: |-
  12779. The namespace of the Secret resource being referred to.
  12780. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12781. maxLength: 63
  12782. minLength: 1
  12783. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12784. type: string
  12785. type: object
  12786. required:
  12787. - name
  12788. - secretRef
  12789. type: object
  12790. type: array
  12791. timeout:
  12792. description: Timeout
  12793. type: string
  12794. url:
  12795. description: Webhook url to call
  12796. type: string
  12797. required:
  12798. - result
  12799. - url
  12800. type: object
  12801. yandexcertificatemanager:
  12802. description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider
  12803. properties:
  12804. apiEndpoint:
  12805. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  12806. type: string
  12807. auth:
  12808. description: Auth defines the information necessary to authenticate against Yandex Certificate Manager
  12809. properties:
  12810. authorizedKeySecretRef:
  12811. description: The authorized key used for authentication
  12812. properties:
  12813. key:
  12814. description: |-
  12815. A key in the referenced Secret.
  12816. Some instances of this field may be defaulted, in others it may be required.
  12817. maxLength: 253
  12818. minLength: 1
  12819. pattern: ^[-._a-zA-Z0-9]+$
  12820. type: string
  12821. name:
  12822. description: The name of the Secret resource being referred to.
  12823. maxLength: 253
  12824. minLength: 1
  12825. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12826. type: string
  12827. namespace:
  12828. description: |-
  12829. The namespace of the Secret resource being referred to.
  12830. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12831. maxLength: 63
  12832. minLength: 1
  12833. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12834. type: string
  12835. type: object
  12836. type: object
  12837. caProvider:
  12838. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  12839. properties:
  12840. certSecretRef:
  12841. description: |-
  12842. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  12843. In some instances, `key` is a required field.
  12844. properties:
  12845. key:
  12846. description: |-
  12847. A key in the referenced Secret.
  12848. Some instances of this field may be defaulted, in others it may be required.
  12849. maxLength: 253
  12850. minLength: 1
  12851. pattern: ^[-._a-zA-Z0-9]+$
  12852. type: string
  12853. name:
  12854. description: The name of the Secret resource being referred to.
  12855. maxLength: 253
  12856. minLength: 1
  12857. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12858. type: string
  12859. namespace:
  12860. description: |-
  12861. The namespace of the Secret resource being referred to.
  12862. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12863. maxLength: 63
  12864. minLength: 1
  12865. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12866. type: string
  12867. type: object
  12868. type: object
  12869. required:
  12870. - auth
  12871. type: object
  12872. yandexlockbox:
  12873. description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
  12874. properties:
  12875. apiEndpoint:
  12876. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  12877. type: string
  12878. auth:
  12879. description: Auth defines the information necessary to authenticate against Yandex Lockbox
  12880. properties:
  12881. authorizedKeySecretRef:
  12882. description: The authorized key used for authentication
  12883. properties:
  12884. key:
  12885. description: |-
  12886. A key in the referenced Secret.
  12887. Some instances of this field may be defaulted, in others it may be required.
  12888. maxLength: 253
  12889. minLength: 1
  12890. pattern: ^[-._a-zA-Z0-9]+$
  12891. type: string
  12892. name:
  12893. description: The name of the Secret resource being referred to.
  12894. maxLength: 253
  12895. minLength: 1
  12896. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12897. type: string
  12898. namespace:
  12899. description: |-
  12900. The namespace of the Secret resource being referred to.
  12901. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12902. maxLength: 63
  12903. minLength: 1
  12904. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12905. type: string
  12906. type: object
  12907. type: object
  12908. caProvider:
  12909. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  12910. properties:
  12911. certSecretRef:
  12912. description: |-
  12913. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  12914. In some instances, `key` is a required field.
  12915. properties:
  12916. key:
  12917. description: |-
  12918. A key in the referenced Secret.
  12919. Some instances of this field may be defaulted, in others it may be required.
  12920. maxLength: 253
  12921. minLength: 1
  12922. pattern: ^[-._a-zA-Z0-9]+$
  12923. type: string
  12924. name:
  12925. description: The name of the Secret resource being referred to.
  12926. maxLength: 253
  12927. minLength: 1
  12928. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12929. type: string
  12930. namespace:
  12931. description: |-
  12932. The namespace of the Secret resource being referred to.
  12933. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12934. maxLength: 63
  12935. minLength: 1
  12936. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12937. type: string
  12938. type: object
  12939. type: object
  12940. required:
  12941. - auth
  12942. type: object
  12943. type: object
  12944. refreshInterval:
  12945. description: Used to configure the store refresh interval in seconds. Empty or 0 will default to the controller config.
  12946. type: integer
  12947. retrySettings:
  12948. description: Used to configure HTTP retries on failures.
  12949. properties:
  12950. maxRetries:
  12951. description: MaxRetries is the maximum number of retry attempts.
  12952. format: int32
  12953. type: integer
  12954. retryInterval:
  12955. description: RetryInterval is the interval between retry attempts.
  12956. type: string
  12957. type: object
  12958. required:
  12959. - provider
  12960. type: object
  12961. status:
  12962. description: SecretStoreStatus defines the observed state of the SecretStore.
  12963. properties:
  12964. capabilities:
  12965. description: SecretStoreCapabilities defines the possible operations a SecretStore can do.
  12966. type: string
  12967. conditions:
  12968. items:
  12969. description: SecretStoreStatusCondition defines the observed condition of the SecretStore.
  12970. properties:
  12971. lastTransitionTime:
  12972. format: date-time
  12973. type: string
  12974. message:
  12975. type: string
  12976. reason:
  12977. type: string
  12978. status:
  12979. type: string
  12980. type:
  12981. description: SecretStoreConditionType represents the condition type of the SecretStore.
  12982. type: string
  12983. required:
  12984. - status
  12985. - type
  12986. type: object
  12987. type: array
  12988. type: object
  12989. type: object
  12990. served: false
  12991. storage: false
  12992. subresources:
  12993. status: {}
  12994. ---
  12995. apiVersion: apiextensions.k8s.io/v1
  12996. kind: CustomResourceDefinition
  12997. metadata:
  12998. annotations:
  12999. controller-gen.kubebuilder.io/version: v0.19.0
  13000. labels:
  13001. external-secrets.io/component: controller
  13002. name: externalsecrets.external-secrets.io
  13003. spec:
  13004. group: external-secrets.io
  13005. names:
  13006. categories:
  13007. - external-secrets
  13008. kind: ExternalSecret
  13009. listKind: ExternalSecretList
  13010. plural: externalsecrets
  13011. shortNames:
  13012. - es
  13013. singular: externalsecret
  13014. scope: Namespaced
  13015. versions:
  13016. - additionalPrinterColumns:
  13017. - jsonPath: .spec.secretStoreRef.kind
  13018. name: StoreType
  13019. type: string
  13020. - jsonPath: .spec.secretStoreRef.name
  13021. name: Store
  13022. type: string
  13023. - jsonPath: .spec.refreshInterval
  13024. name: Refresh Interval
  13025. type: string
  13026. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  13027. name: Status
  13028. type: string
  13029. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  13030. name: Ready
  13031. type: string
  13032. - jsonPath: .status.refreshTime
  13033. name: Last Sync
  13034. type: date
  13035. name: v1
  13036. schema:
  13037. openAPIV3Schema:
  13038. description: |-
  13039. ExternalSecret is the Schema for the external-secrets API.
  13040. It defines how to fetch data from external APIs and make it available as Kubernetes Secrets.
  13041. properties:
  13042. apiVersion:
  13043. description: |-
  13044. APIVersion defines the versioned schema of this representation of an object.
  13045. Servers should convert recognized schemas to the latest internal value, and
  13046. may reject unrecognized values.
  13047. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  13048. type: string
  13049. kind:
  13050. description: |-
  13051. Kind is a string value representing the REST resource this object represents.
  13052. Servers may infer this from the endpoint the client submits requests to.
  13053. Cannot be updated.
  13054. In CamelCase.
  13055. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  13056. type: string
  13057. metadata:
  13058. type: object
  13059. spec:
  13060. description: ExternalSecretSpec defines the desired state of ExternalSecret.
  13061. properties:
  13062. data:
  13063. description: Data defines the connection between the Kubernetes Secret keys and the Provider data
  13064. items:
  13065. description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
  13066. properties:
  13067. remoteRef:
  13068. description: |-
  13069. RemoteRef points to the remote secret and defines
  13070. which secret (version/property/..) to fetch.
  13071. properties:
  13072. conversionStrategy:
  13073. default: Default
  13074. description: Used to define a conversion Strategy
  13075. enum:
  13076. - Default
  13077. - Unicode
  13078. type: string
  13079. decodingStrategy:
  13080. default: None
  13081. description: Used to define a decoding Strategy
  13082. enum:
  13083. - Auto
  13084. - Base64
  13085. - Base64URL
  13086. - None
  13087. type: string
  13088. key:
  13089. description: Key is the key used in the Provider, mandatory
  13090. type: string
  13091. metadataPolicy:
  13092. default: None
  13093. description: Policy for fetching tags/labels from provider secrets. Possible options are Fetch and None. Defaults to None.
  13094. enum:
  13095. - None
  13096. - Fetch
  13097. type: string
  13098. nullBytePolicy:
  13099. description: Controls how ESO handles fetched secret data containing NUL bytes for this source.
  13100. enum:
  13101. - Ignore
  13102. - Fail
  13103. type: string
  13104. property:
  13105. description: Used to select a specific property of the Provider value (if a map), if supported
  13106. type: string
  13107. version:
  13108. description: Used to select a specific version of the Provider value, if supported
  13109. type: string
  13110. required:
  13111. - key
  13112. type: object
  13113. secretKey:
  13114. description: The key in the Kubernetes Secret to store the value.
  13115. maxLength: 253
  13116. minLength: 1
  13117. pattern: ^[-._a-zA-Z0-9]+$
  13118. type: string
  13119. sourceRef:
  13120. description: |-
  13121. SourceRef allows you to override the source
  13122. from which the value will be pulled.
  13123. maxProperties: 1
  13124. minProperties: 1
  13125. properties:
  13126. generatorRef:
  13127. description: |-
  13128. GeneratorRef points to a generator custom resource.
  13129. Deprecated: The generatorRef is not implemented in .data[].
  13130. This will be removed with v1.
  13131. properties:
  13132. apiVersion:
  13133. default: generators.external-secrets.io/v1alpha1
  13134. description: Specify the apiVersion of the generator resource
  13135. type: string
  13136. kind:
  13137. description: Specify the Kind of the generator resource
  13138. enum:
  13139. - ACRAccessToken
  13140. - BeyondtrustWorkloadCredentialsDynamicSecret
  13141. - ClusterGenerator
  13142. - CloudsmithAccessToken
  13143. - ECRAuthorizationToken
  13144. - Fake
  13145. - GCRAccessToken
  13146. - GithubAccessToken
  13147. - GitlabDeployToken
  13148. - QuayAccessToken
  13149. - Password
  13150. - SSHKey
  13151. - STSSessionToken
  13152. - UUID
  13153. - VaultDynamicSecret
  13154. - Webhook
  13155. - Grafana
  13156. - MFA
  13157. type: string
  13158. name:
  13159. description: Specify the name of the generator resource
  13160. maxLength: 253
  13161. minLength: 1
  13162. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13163. type: string
  13164. required:
  13165. - kind
  13166. - name
  13167. type: object
  13168. storeRef:
  13169. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  13170. properties:
  13171. kind:
  13172. description: |-
  13173. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  13174. Defaults to `SecretStore`
  13175. enum:
  13176. - SecretStore
  13177. - ClusterSecretStore
  13178. type: string
  13179. name:
  13180. description: Name of the SecretStore resource
  13181. maxLength: 253
  13182. minLength: 1
  13183. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13184. type: string
  13185. type: object
  13186. type: object
  13187. required:
  13188. - remoteRef
  13189. - secretKey
  13190. type: object
  13191. type: array
  13192. dataFrom:
  13193. description: |-
  13194. DataFrom is used to fetch all properties from a specific Provider data.
  13195. If multiple entries are specified, the Secret keys are merged in the specified order.
  13196. items:
  13197. description: |-
  13198. ExternalSecretDataFromRemoteRef defines the connection between the Kubernetes Secret keys and the Provider data
  13199. when using DataFrom to fetch multiple values from a Provider.
  13200. properties:
  13201. extract:
  13202. description: |-
  13203. Used to extract multiple key/value pairs from one secret
  13204. Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
  13205. properties:
  13206. conversionStrategy:
  13207. default: Default
  13208. description: Used to define a conversion Strategy
  13209. enum:
  13210. - Default
  13211. - Unicode
  13212. type: string
  13213. decodingStrategy:
  13214. default: None
  13215. description: Used to define a decoding Strategy
  13216. enum:
  13217. - Auto
  13218. - Base64
  13219. - Base64URL
  13220. - None
  13221. type: string
  13222. key:
  13223. description: Key is the key used in the Provider, mandatory
  13224. type: string
  13225. metadataPolicy:
  13226. default: None
  13227. description: Policy for fetching tags/labels from provider secrets. Possible options are Fetch and None. Defaults to None.
  13228. enum:
  13229. - None
  13230. - Fetch
  13231. type: string
  13232. nullBytePolicy:
  13233. description: Controls how ESO handles fetched secret data containing NUL bytes for this source.
  13234. enum:
  13235. - Ignore
  13236. - Fail
  13237. type: string
  13238. property:
  13239. description: Used to select a specific property of the Provider value (if a map), if supported
  13240. type: string
  13241. version:
  13242. description: Used to select a specific version of the Provider value, if supported
  13243. type: string
  13244. required:
  13245. - key
  13246. type: object
  13247. find:
  13248. description: |-
  13249. Used to find secrets based on tags or regular expressions
  13250. Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
  13251. properties:
  13252. conversionStrategy:
  13253. default: Default
  13254. description: Used to define a conversion Strategy
  13255. enum:
  13256. - Default
  13257. - Unicode
  13258. type: string
  13259. decodingStrategy:
  13260. default: None
  13261. description: Used to define a decoding Strategy
  13262. enum:
  13263. - Auto
  13264. - Base64
  13265. - Base64URL
  13266. - None
  13267. type: string
  13268. name:
  13269. description: Finds secrets based on the name.
  13270. properties:
  13271. regexp:
  13272. description: Finds secrets whose name matches this regular expression.
  13273. type: string
  13274. type: object
  13275. nullBytePolicy:
  13276. description: Controls how ESO handles fetched secret data containing NUL bytes for this find source.
  13277. enum:
  13278. - Ignore
  13279. - Fail
  13280. type: string
  13281. path:
  13282. description: A root path to start the find operations.
  13283. type: string
  13284. tags:
  13285. additionalProperties:
  13286. type: string
  13287. description: Find secrets based on tags.
  13288. type: object
  13289. type: object
  13290. rewrite:
  13291. description: |-
  13292. Used to rewrite secret Keys after getting them from the secret Provider.
  13293. Multiple Rewrite operations can be provided. They are applied in a layered order (first to last).
  13294. items:
  13295. description: ExternalSecretRewrite defines how to rewrite secret data values before they are written to the Secret.
  13296. maxProperties: 1
  13297. minProperties: 1
  13298. properties:
  13299. merge:
  13300. description: |-
  13301. Used to merge key/values into one single Secret.
  13302. The resulting key will contain all values from the specified secrets.
  13303. properties:
  13304. conflictPolicy:
  13305. default: Error
  13306. description: Used to define the policy to use in conflict resolution.
  13307. enum:
  13308. - Ignore
  13309. - Error
  13310. type: string
  13311. into:
  13312. default: ""
  13313. description: |-
  13314. Used to define the target key of the merge operation.
  13315. Required if strategy is JSON. Ignored otherwise.
  13316. type: string
  13317. priority:
  13318. description: Used to define key priority in conflict resolution.
  13319. items:
  13320. type: string
  13321. type: array
  13322. priorityPolicy:
  13323. default: Strict
  13324. description: Used to define the policy when a key in the priority list does not exist in the input.
  13325. enum:
  13326. - IgnoreNotFound
  13327. - Strict
  13328. type: string
  13329. strategy:
  13330. default: Extract
  13331. description: Used to define the strategy to use in the merge operation.
  13332. enum:
  13333. - Extract
  13334. - JSON
  13335. type: string
  13336. type: object
  13337. regexp:
  13338. description: |-
  13339. Used to rewrite with regular expressions.
  13340. The resulting key will be the output of a regexp.ReplaceAll operation.
  13341. properties:
  13342. source:
  13343. description: Used to define the regular expression of a re.Compiler.
  13344. type: string
  13345. target:
  13346. description: Used to define the target pattern of a ReplaceAll operation.
  13347. type: string
  13348. required:
  13349. - source
  13350. - target
  13351. type: object
  13352. transform:
  13353. description: |-
  13354. Used to apply string transformation on the secrets.
  13355. The resulting key will be the output of the template applied by the operation.
  13356. properties:
  13357. template:
  13358. description: |-
  13359. Used to define the template to apply on the secret name.
`.value` refers to the original secret name inside the template.
  13361. type: string
  13362. required:
  13363. - template
  13364. type: object
  13365. type: object
  13366. type: array
  13367. sourceRef:
  13368. description: |-
  13369. SourceRef points to a store or generator
  13370. which contains secret values ready to use.
Use this in combination with Extract or Find to pull values out of
a specific SecretStore.
When sourceRef points to a generator, Extract or Find is not supported.
  13374. The generator returns a static map of values
  13375. maxProperties: 1
  13376. minProperties: 1
  13377. properties:
  13378. generatorRef:
  13379. description: GeneratorRef points to a generator custom resource.
  13380. properties:
  13381. apiVersion:
  13382. default: generators.external-secrets.io/v1alpha1
  13383. description: Specify the apiVersion of the generator resource
  13384. type: string
  13385. kind:
  13386. description: Specify the Kind of the generator resource
  13387. enum:
  13388. - ACRAccessToken
  13389. - BeyondtrustWorkloadCredentialsDynamicSecret
  13390. - ClusterGenerator
  13391. - CloudsmithAccessToken
  13392. - ECRAuthorizationToken
  13393. - Fake
  13394. - GCRAccessToken
  13395. - GithubAccessToken
  13396. - GitlabDeployToken
  13397. - QuayAccessToken
  13398. - Password
  13399. - SSHKey
  13400. - STSSessionToken
  13401. - UUID
  13402. - VaultDynamicSecret
  13403. - Webhook
  13404. - Grafana
  13405. - MFA
  13406. type: string
  13407. name:
  13408. description: Specify the name of the generator resource
  13409. maxLength: 253
  13410. minLength: 1
  13411. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13412. type: string
  13413. required:
  13414. - kind
  13415. - name
  13416. type: object
  13417. storeRef:
  13418. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  13419. properties:
  13420. kind:
  13421. description: |-
  13422. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  13423. Defaults to `SecretStore`
  13424. enum:
  13425. - SecretStore
  13426. - ClusterSecretStore
  13427. type: string
  13428. name:
  13429. description: Name of the SecretStore resource
  13430. maxLength: 253
  13431. minLength: 1
  13432. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13433. type: string
  13434. type: object
  13435. type: object
  13436. type: object
  13437. type: array
  13438. refreshInterval:
  13439. default: 1h0m0s
  13440. description: |-
  13441. RefreshInterval is the amount of time before the values are read again from the SecretStore provider,
  13442. specified as Golang Duration strings.
  13443. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
  13444. Example values: "1h0m0s", "2h30m0s", "10m0s"
  13445. May be set to "0s" to fetch and create it once. Defaults to 1h0m0s.
  13446. type: string
  13447. refreshPolicy:
  13448. description: |-
  13449. RefreshPolicy determines how the ExternalSecret should be refreshed:
  13450. - CreatedOnce: Creates the Secret only if it does not exist and does not update it thereafter
  13451. - Periodic: Synchronizes the Secret from the external source at regular intervals specified by refreshInterval.
  13452. No periodic updates occur if refreshInterval is 0.
  13453. - OnChange: Only synchronizes the Secret when the ExternalSecret's metadata or specification changes
  13454. enum:
  13455. - CreatedOnce
  13456. - Periodic
  13457. - OnChange
  13458. type: string
  13459. secretStoreRef:
  13460. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  13461. properties:
  13462. kind:
  13463. description: |-
  13464. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  13465. Defaults to `SecretStore`
  13466. enum:
  13467. - SecretStore
  13468. - ClusterSecretStore
  13469. type: string
  13470. name:
  13471. description: Name of the SecretStore resource
  13472. maxLength: 253
  13473. minLength: 1
  13474. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13475. type: string
  13476. type: object
  13477. syncWindows:
  13478. description: |-
  13479. SyncWindows optionally restricts when periodic refreshes may occur.
  13480. Evaluated in UTC, only for Periodic refresh policy (or when refreshPolicy is unset).
  13481. properties:
  13482. kind:
  13483. description: |-
  13484. Kind applies to every window in the list.
  13485. "allow" -- syncs are permitted only while at least one window is active;
  13486. all other times are blocked.
  13487. "deny" -- syncs are blocked while any window is active;
  13488. all other times are permitted.
  13489. enum:
  13490. - allow
  13491. - deny
  13492. type: string
  13493. windows:
  13494. description: Windows is the list of schedule+duration pairs.
  13495. items:
  13496. description: |-
  13497. ExternalSecretSyncWindowEntry defines a single cron-schedule + duration pair
  13498. within a SyncWindows block.
  13499. properties:
  13500. duration:
  13501. description: |-
  13502. Duration specifies how long the window stays open after each Schedule
  13503. firing. Example: "8h".
  13504. type: string
  13505. schedule:
  13506. description: |-
  13507. Schedule is a standard 5-field cron expression evaluated in UTC, or a
  13508. named shorthand such as @daily or @every 1h. It marks the start time of
  13509. each window occurrence.
  13510. Example: "0 22 * * 1-5" opens a window every weekday at 22:00 UTC.
  13511. minLength: 1
  13512. pattern: ^(@(annually|yearly|monthly|weekly|daily|midnight|hourly)|@every [^\s]+.*|[^\s]+( [^\s]+){4})$
  13513. type: string
  13514. required:
  13515. - duration
  13516. - schedule
  13517. type: object
  13518. minItems: 1
  13519. type: array
  13520. required:
  13521. - kind
  13522. - windows
  13523. type: object
  13524. target:
  13525. default:
  13526. creationPolicy: Owner
  13527. deletionPolicy: Retain
  13528. description: |-
  13529. ExternalSecretTarget defines the Kubernetes Secret to be created,
  13530. there can be only one target per ExternalSecret.
  13531. properties:
  13532. creationPolicy:
  13533. default: Owner
  13534. description: |-
  13535. CreationPolicy defines rules on how to create the resulting Secret.
  13536. Defaults to "Owner"
  13537. enum:
  13538. - Owner
  13539. - Orphan
  13540. - Merge
  13541. - None
  13542. type: string
  13543. deletionPolicy:
  13544. default: Retain
  13545. description: |-
  13546. DeletionPolicy defines rules on how to delete the resulting Secret.
  13547. Defaults to "Retain"
  13548. enum:
  13549. - Delete
  13550. - Merge
  13551. - Retain
  13552. type: string
  13553. immutable:
description: Immutable defines whether the resulting Secret is created as immutable (it cannot be updated afterwards).
  13555. type: boolean
  13556. manifest:
  13557. description: |-
  13558. Manifest defines a custom Kubernetes resource to create instead of a Secret.
  13559. When specified, ExternalSecret will create the resource type defined here
  13560. (e.g., ConfigMap, Custom Resource) instead of a Secret.
Warning: with a generic target the fetched secret values are written into a resource that is not a Kubernetes Secret (e.g., a ConfigMap), so the access controls and encryption that apply to Secrets do not automatically apply. Make sure access policies (RBAC) and encryption are properly configured for the chosen resource type before exposing secret data this way.
  13562. properties:
  13563. apiVersion:
  13564. description: APIVersion of the target resource (e.g., "v1" for ConfigMap, "argoproj.io/v1alpha1" for ArgoCD Application)
  13565. minLength: 1
  13566. type: string
  13567. kind:
  13568. description: Kind of the target resource (e.g., "ConfigMap", "Application")
  13569. minLength: 1
  13570. type: string
  13571. required:
  13572. - apiVersion
  13573. - kind
  13574. type: object
  13575. name:
  13576. description: |-
  13577. The name of the Secret resource to be managed.
  13578. Defaults to the .metadata.name of the ExternalSecret resource
  13579. maxLength: 253
  13580. minLength: 1
  13581. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13582. type: string
  13583. template:
  13584. description: Template defines a blueprint for the created Secret resource.
  13585. properties:
  13586. data:
  13587. additionalProperties:
  13588. type: string
  13589. type: object
  13590. engineVersion:
  13591. default: v2
  13592. description: |-
  13593. EngineVersion specifies the template engine version
  13594. that should be used to compile/execute the
  13595. template specified in .data and .templateFrom[].
  13596. enum:
  13597. - v2
  13598. type: string
  13599. mergePolicy:
  13600. default: Replace
  13601. description: TemplateMergePolicy defines how the rendered template should be merged with the existing Secret data.
  13602. enum:
  13603. - Replace
  13604. - Merge
  13605. type: string
  13606. metadata:
  13607. description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
  13608. properties:
  13609. annotations:
  13610. additionalProperties:
  13611. type: string
  13612. type: object
  13613. finalizers:
  13614. items:
  13615. type: string
  13616. type: array
  13617. labels:
  13618. additionalProperties:
  13619. type: string
  13620. type: object
  13621. type: object
  13622. templateFrom:
  13623. items:
  13624. description: |-
  13625. TemplateFrom specifies a source for templates.
  13626. Each item in the list can either reference a ConfigMap or a Secret resource.
  13627. properties:
  13628. configMap:
  13629. description: TemplateRef specifies a reference to either a ConfigMap or a Secret resource.
  13630. properties:
  13631. items:
  13632. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  13633. items:
  13634. description: TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data.
  13635. properties:
  13636. key:
  13637. description: A key in the ConfigMap/Secret
  13638. maxLength: 253
  13639. minLength: 1
  13640. pattern: ^[-._a-zA-Z0-9]+$
  13641. type: string
  13642. templateAs:
  13643. default: Values
  13644. description: TemplateScope specifies how the template keys should be interpreted.
  13645. enum:
  13646. - Values
  13647. - KeysAndValues
  13648. type: string
  13649. required:
  13650. - key
  13651. type: object
  13652. type: array
  13653. name:
  13654. description: The name of the ConfigMap/Secret resource
  13655. maxLength: 253
  13656. minLength: 1
  13657. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13658. type: string
  13659. required:
  13660. - items
  13661. - name
  13662. type: object
  13663. literal:
  13664. type: string
  13665. secret:
  13666. description: TemplateRef specifies a reference to either a ConfigMap or a Secret resource.
  13667. properties:
  13668. items:
  13669. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  13670. items:
  13671. description: TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data.
  13672. properties:
  13673. key:
  13674. description: A key in the ConfigMap/Secret
  13675. maxLength: 253
  13676. minLength: 1
  13677. pattern: ^[-._a-zA-Z0-9]+$
  13678. type: string
  13679. templateAs:
  13680. default: Values
  13681. description: TemplateScope specifies how the template keys should be interpreted.
  13682. enum:
  13683. - Values
  13684. - KeysAndValues
  13685. type: string
  13686. required:
  13687. - key
  13688. type: object
  13689. type: array
  13690. name:
  13691. description: The name of the ConfigMap/Secret resource
  13692. maxLength: 253
  13693. minLength: 1
  13694. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13695. type: string
  13696. required:
  13697. - items
  13698. - name
  13699. type: object
  13700. target:
  13701. default: Data
  13702. description: |-
  13703. Target specifies where to place the template result.
  13704. For Secret resources, common values are: "Data", "Annotations", "Labels".
  13705. For custom resources (when spec.target.manifest is set), this supports
  13706. nested paths like "spec.database.config" or "data".
  13707. type: string
  13708. valuesDecodingStrategy:
  13709. default: None
  13710. description: Used to define a decoding Strategy for the rendered template values.
  13711. enum:
  13712. - Auto
  13713. - Base64
  13714. - Base64URL
  13715. - None
  13716. type: string
  13717. type: object
  13718. type: array
  13719. type:
  13720. type: string
  13721. type: object
  13722. type: object
  13723. type: object
  13724. status:
  13725. description: ExternalSecretStatus defines the observed state of ExternalSecret.
  13726. properties:
  13727. binding:
  13728. description: Binding represents a servicebinding.io Provisioned Service reference to the secret
  13729. properties:
  13730. name:
  13731. default: ""
  13732. description: |-
  13733. Name of the referent.
  13734. This field is effectively required, but due to backwards compatibility is
  13735. allowed to be empty. Instances of this type with an empty value here are
  13736. almost certainly wrong.
  13737. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
  13738. type: string
  13739. type: object
  13740. x-kubernetes-map-type: atomic
  13741. conditions:
  13742. items:
  13743. description: ExternalSecretStatusCondition defines a status condition of an ExternalSecret resource.
  13744. properties:
  13745. lastTransitionTime:
  13746. format: date-time
  13747. type: string
  13748. message:
  13749. type: string
  13750. reason:
  13751. type: string
  13752. status:
  13753. type: string
  13754. type:
  13755. description: ExternalSecretConditionType defines a value type for ExternalSecret conditions.
  13756. enum:
  13757. - Ready
  13758. - Deleted
  13759. type: string
  13760. required:
  13761. - status
  13762. - type
  13763. type: object
  13764. type: array
  13765. refreshTime:
  13766. description: |-
  13767. refreshTime is the time and date the external secret was fetched and
  13768. the target secret updated
  13769. format: date-time
  13770. nullable: true
  13771. type: string
  13772. syncedResourceVersion:
  13773. description: SyncedResourceVersion keeps track of the last synced version
  13774. type: string
  13775. type: object
  13776. type: object
  13777. selectableFields:
  13778. - jsonPath: .spec.secretStoreRef.name
  13779. - jsonPath: .spec.secretStoreRef.kind
  13780. - jsonPath: .spec.target.name
  13781. - jsonPath: .spec.refreshInterval
  13782. served: true
  13783. storage: true
  13784. subresources:
  13785. status: {}
  13786. - additionalPrinterColumns:
  13787. - jsonPath: .spec.secretStoreRef.kind
  13788. name: StoreType
  13789. type: string
  13790. - jsonPath: .spec.secretStoreRef.name
  13791. name: Store
  13792. type: string
  13793. - jsonPath: .spec.refreshInterval
  13794. name: Refresh Interval
  13795. type: string
  13796. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  13797. name: Status
  13798. type: string
  13799. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  13800. name: Ready
  13801. type: string
  13802. - jsonPath: .status.refreshTime
  13803. name: Last Sync
  13804. type: date
  13805. deprecated: true
  13806. name: v1beta1
  13807. schema:
  13808. openAPIV3Schema:
  13809. description: ExternalSecret is the schema for the external-secrets API.
  13810. properties:
  13811. apiVersion:
  13812. description: |-
  13813. APIVersion defines the versioned schema of this representation of an object.
  13814. Servers should convert recognized schemas to the latest internal value, and
  13815. may reject unrecognized values.
  13816. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  13817. type: string
  13818. kind:
  13819. description: |-
  13820. Kind is a string value representing the REST resource this object represents.
  13821. Servers may infer this from the endpoint the client submits requests to.
  13822. Cannot be updated.
  13823. In CamelCase.
  13824. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  13825. type: string
  13826. metadata:
  13827. type: object
  13828. spec:
  13829. description: ExternalSecretSpec defines the desired state of ExternalSecret.
  13830. properties:
  13831. data:
  13832. description: Data defines the connection between the Kubernetes Secret keys and the Provider data
  13833. items:
  13834. description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
  13835. properties:
  13836. remoteRef:
  13837. description: |-
  13838. RemoteRef points to the remote secret and defines
  13839. which secret (version/property/..) to fetch.
  13840. properties:
  13841. conversionStrategy:
  13842. default: Default
  13843. description: Used to define a conversion Strategy
  13844. enum:
  13845. - Default
  13846. - Unicode
  13847. type: string
  13848. decodingStrategy:
  13849. default: None
  13850. description: Used to define a decoding Strategy
  13851. enum:
  13852. - Auto
  13853. - Base64
  13854. - Base64URL
  13855. - None
  13856. type: string
  13857. key:
  13858. description: Key is the key used in the Provider, mandatory
  13859. type: string
  13860. metadataPolicy:
  13861. default: None
  13862. description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
  13863. enum:
  13864. - None
  13865. - Fetch
  13866. type: string
  13867. property:
  13868. description: Used to select a specific property of the Provider value (if a map), if supported
  13869. type: string
  13870. version:
  13871. description: Used to select a specific version of the Provider value, if supported
  13872. type: string
  13873. required:
  13874. - key
  13875. type: object
  13876. secretKey:
  13877. description: The key in the Kubernetes Secret to store the value.
  13878. maxLength: 253
  13879. minLength: 1
  13880. pattern: ^[-._a-zA-Z0-9]+$
  13881. type: string
  13882. sourceRef:
  13883. description: |-
  13884. SourceRef allows you to override the source
  13885. from which the value will be pulled.
  13886. maxProperties: 1
  13887. minProperties: 1
  13888. properties:
  13889. generatorRef:
  13890. description: |-
  13891. GeneratorRef points to a generator custom resource.
Deprecated: generatorRef is not implemented in .data[] and is ignored there.
This field will be removed with v1.
  13894. properties:
  13895. apiVersion:
  13896. default: generators.external-secrets.io/v1alpha1
  13897. description: Specify the apiVersion of the generator resource
  13898. type: string
  13899. kind:
  13900. description: Specify the Kind of the generator resource
  13901. enum:
  13902. - ACRAccessToken
  13903. - ClusterGenerator
  13904. - ECRAuthorizationToken
  13905. - Fake
  13906. - GCRAccessToken
  13907. - GithubAccessToken
  13908. - QuayAccessToken
  13909. - Password
  13910. - SSHKey
  13911. - STSSessionToken
  13912. - UUID
  13913. - VaultDynamicSecret
  13914. - Webhook
  13915. - Grafana
  13916. type: string
  13917. name:
  13918. description: Specify the name of the generator resource
  13919. maxLength: 253
  13920. minLength: 1
  13921. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13922. type: string
  13923. required:
  13924. - kind
  13925. - name
  13926. type: object
  13927. storeRef:
  13928. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  13929. properties:
  13930. kind:
  13931. description: |-
  13932. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  13933. Defaults to `SecretStore`
  13934. enum:
  13935. - SecretStore
  13936. - ClusterSecretStore
  13937. type: string
  13938. name:
  13939. description: Name of the SecretStore resource
  13940. maxLength: 253
  13941. minLength: 1
  13942. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13943. type: string
  13944. type: object
  13945. type: object
  13946. required:
  13947. - remoteRef
  13948. - secretKey
  13949. type: object
  13950. type: array
  13951. dataFrom:
  13952. description: |-
  13953. DataFrom is used to fetch all properties from a specific Provider data
  13954. If multiple entries are specified, the Secret keys are merged in the specified order
  13955. items:
  13956. description: ExternalSecretDataFromRemoteRef defines a reference to multiple secrets in the provider to be fetched using options.
  13957. properties:
  13958. extract:
  13959. description: |-
  13960. Used to extract multiple key/value pairs from one secret
  13961. Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
  13962. properties:
  13963. conversionStrategy:
  13964. default: Default
  13965. description: Used to define a conversion Strategy
  13966. enum:
  13967. - Default
  13968. - Unicode
  13969. type: string
  13970. decodingStrategy:
  13971. default: None
  13972. description: Used to define a decoding Strategy
  13973. enum:
  13974. - Auto
  13975. - Base64
  13976. - Base64URL
  13977. - None
  13978. type: string
  13979. key:
  13980. description: Key is the key used in the Provider, mandatory
  13981. type: string
  13982. metadataPolicy:
  13983. default: None
  13984. description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
  13985. enum:
  13986. - None
  13987. - Fetch
  13988. type: string
  13989. property:
  13990. description: Used to select a specific property of the Provider value (if a map), if supported
  13991. type: string
  13992. version:
  13993. description: Used to select a specific version of the Provider value, if supported
  13994. type: string
  13995. required:
  13996. - key
  13997. type: object
  13998. find:
  13999. description: |-
  14000. Used to find secrets based on tags or regular expressions
  14001. Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
  14002. properties:
  14003. conversionStrategy:
  14004. default: Default
  14005. description: Used to define a conversion Strategy
  14006. enum:
  14007. - Default
  14008. - Unicode
  14009. type: string
  14010. decodingStrategy:
  14011. default: None
  14012. description: Used to define a decoding Strategy
  14013. enum:
  14014. - Auto
  14015. - Base64
  14016. - Base64URL
  14017. - None
  14018. type: string
  14019. name:
  14020. description: Finds secrets based on the name.
  14021. properties:
  14022. regexp:
description: Finds secrets whose name matches the given regular expression.
  14024. type: string
  14025. type: object
  14026. path:
  14027. description: A root path to start the find operations.
  14028. type: string
  14029. tags:
  14030. additionalProperties:
  14031. type: string
  14032. description: Find secrets based on tags.
  14033. type: object
  14034. type: object
  14035. rewrite:
  14036. description: |-
  14037. Used to rewrite secret Keys after getting them from the secret Provider
  14038. Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
  14039. items:
  14040. description: ExternalSecretRewrite defines rules on how to rewrite secret keys.
  14041. maxProperties: 1
  14042. minProperties: 1
  14043. properties:
  14044. regexp:
  14045. description: |-
  14046. Used to rewrite with regular expressions.
  14047. The resulting key will be the output of a regexp.ReplaceAll operation.
  14048. properties:
  14049. source:
  14050. description: Used to define the regular expression of a re.Compiler.
  14051. type: string
  14052. target:
  14053. description: Used to define the target pattern of a ReplaceAll operation.
  14054. type: string
  14055. required:
  14056. - source
  14057. - target
  14058. type: object
  14059. transform:
  14060. description: |-
  14061. Used to apply string transformation on the secrets.
  14062. The resulting key will be the output of the template applied by the operation.
  14063. properties:
  14064. template:
  14065. description: |-
  14066. Used to define the template to apply on the secret name.
`.value` refers to the original secret name inside the template.
  14068. type: string
  14069. required:
  14070. - template
  14071. type: object
  14072. type: object
  14073. type: array
  14074. sourceRef:
  14075. description: |-
  14076. SourceRef points to a store or generator
  14077. which contains secret values ready to use.
Use this in combination with Extract or Find to pull values out of
a specific SecretStore.
When sourceRef points to a generator, Extract or Find is not supported.
  14081. The generator returns a static map of values
  14082. maxProperties: 1
  14083. minProperties: 1
  14084. properties:
  14085. generatorRef:
  14086. description: GeneratorRef points to a generator custom resource.
  14087. properties:
  14088. apiVersion:
  14089. default: generators.external-secrets.io/v1alpha1
  14090. description: Specify the apiVersion of the generator resource
  14091. type: string
  14092. kind:
  14093. description: Specify the Kind of the generator resource
  14094. enum:
  14095. - ACRAccessToken
  14096. - ClusterGenerator
  14097. - ECRAuthorizationToken
  14098. - Fake
  14099. - GCRAccessToken
  14100. - GithubAccessToken
  14101. - QuayAccessToken
  14102. - Password
  14103. - SSHKey
  14104. - STSSessionToken
  14105. - UUID
  14106. - VaultDynamicSecret
  14107. - Webhook
  14108. - Grafana
  14109. type: string
  14110. name:
  14111. description: Specify the name of the generator resource
  14112. maxLength: 253
  14113. minLength: 1
  14114. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14115. type: string
  14116. required:
  14117. - kind
  14118. - name
  14119. type: object
  14120. storeRef:
  14121. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  14122. properties:
  14123. kind:
  14124. description: |-
  14125. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  14126. Defaults to `SecretStore`
  14127. enum:
  14128. - SecretStore
  14129. - ClusterSecretStore
  14130. type: string
  14131. name:
  14132. description: Name of the SecretStore resource
  14133. maxLength: 253
  14134. minLength: 1
  14135. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14136. type: string
  14137. type: object
  14138. type: object
  14139. type: object
  14140. type: array
  14141. refreshInterval:
  14142. default: 1h0m0s
  14143. description: |-
  14144. RefreshInterval is the amount of time before the values are read again from the SecretStore provider,
  14145. specified as Golang Duration strings.
  14146. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
  14147. Example values: "1h0m0s", "2h30m0s", "10m0s"
  14148. May be set to "0s" to fetch and create it once. Defaults to 1h0m0s.
  14149. type: string
  14150. refreshPolicy:
  14151. description: |-
  14152. RefreshPolicy determines how the ExternalSecret should be refreshed:
  14153. - CreatedOnce: Creates the Secret only if it does not exist and does not update it thereafter
  14154. - Periodic: Synchronizes the Secret from the external source at regular intervals specified by refreshInterval.
  14155. No periodic updates occur if refreshInterval is 0.
  14156. - OnChange: Only synchronizes the Secret when the ExternalSecret's metadata or specification changes
  14157. enum:
  14158. - CreatedOnce
  14159. - Periodic
  14160. - OnChange
  14161. type: string
  14162. secretStoreRef:
  14163. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  14164. properties:
  14165. kind:
  14166. description: |-
  14167. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  14168. Defaults to `SecretStore`
  14169. enum:
  14170. - SecretStore
  14171. - ClusterSecretStore
  14172. type: string
  14173. name:
  14174. description: Name of the SecretStore resource
  14175. maxLength: 253
  14176. minLength: 1
  14177. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14178. type: string
  14179. type: object
  14180. target:
  14181. default:
  14182. creationPolicy: Owner
  14183. deletionPolicy: Retain
  14184. description: |-
ExternalSecretTarget defines the Kubernetes Secret to be created.
  14186. There can be only one target per ExternalSecret.
  14187. properties:
  14188. creationPolicy:
  14189. default: Owner
  14190. description: |-
  14191. CreationPolicy defines rules on how to create the resulting Secret.
  14192. Defaults to "Owner"
  14193. enum:
  14194. - Owner
  14195. - Orphan
  14196. - Merge
  14197. - None
  14198. type: string
  14199. deletionPolicy:
  14200. default: Retain
  14201. description: |-
  14202. DeletionPolicy defines rules on how to delete the resulting Secret.
  14203. Defaults to "Retain"
  14204. enum:
  14205. - Delete
  14206. - Merge
  14207. - Retain
  14208. type: string
  14209. immutable:
description: Immutable defines whether the resulting Secret is created as immutable (it cannot be updated afterwards).
  14211. type: boolean
  14212. name:
  14213. description: |-
  14214. The name of the Secret resource to be managed.
  14215. Defaults to the .metadata.name of the ExternalSecret resource
  14216. maxLength: 253
  14217. minLength: 1
  14218. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14219. type: string
  14220. template:
  14221. description: Template defines a blueprint for the created Secret resource.
  14222. properties:
  14223. data:
  14224. additionalProperties:
  14225. type: string
  14226. type: object
  14227. engineVersion:
  14228. default: v2
  14229. description: |-
  14230. EngineVersion specifies the template engine version
  14231. that should be used to compile/execute the
  14232. template specified in .data and .templateFrom[].
  14233. enum:
  14234. - v2
  14235. type: string
  14236. mergePolicy:
  14237. default: Replace
  14238. description: TemplateMergePolicy defines how template values should be merged when generating a secret.
  14239. enum:
  14240. - Replace
  14241. - Merge
  14242. type: string
  14243. metadata:
  14244. description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
  14245. properties:
  14246. annotations:
  14247. additionalProperties:
  14248. type: string
  14249. type: object
  14250. labels:
  14251. additionalProperties:
  14252. type: string
  14253. type: object
  14254. type: object
  14255. templateFrom:
  14256. items:
  14257. description: TemplateFrom defines a source for template data.
  14258. properties:
  14259. configMap:
  14260. description: TemplateRef defines a reference to a template source in a ConfigMap or Secret.
  14261. properties:
  14262. items:
  14263. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  14264. items:
  14265. description: TemplateRefItem defines which key in the referenced ConfigMap or Secret to use as a template.
  14266. properties:
  14267. key:
  14268. description: A key in the ConfigMap/Secret
  14269. maxLength: 253
  14270. minLength: 1
  14271. pattern: ^[-._a-zA-Z0-9]+$
  14272. type: string
  14273. templateAs:
  14274. default: Values
  14275. description: TemplateScope defines the scope of the template when processing template data.
  14276. enum:
  14277. - Values
  14278. - KeysAndValues
  14279. type: string
  14280. required:
  14281. - key
  14282. type: object
  14283. type: array
  14284. name:
  14285. description: The name of the ConfigMap/Secret resource
  14286. maxLength: 253
  14287. minLength: 1
  14288. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14289. type: string
  14290. required:
  14291. - items
  14292. - name
  14293. type: object
  14294. literal:
  14295. type: string
  14296. secret:
  14297. description: TemplateRef defines a reference to a template source in a ConfigMap or Secret.
  14298. properties:
  14299. items:
  14300. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  14301. items:
  14302. description: TemplateRefItem defines which key in the referenced ConfigMap or Secret to use as a template.
  14303. properties:
  14304. key:
  14305. description: A key in the ConfigMap/Secret
  14306. maxLength: 253
  14307. minLength: 1
  14308. pattern: ^[-._a-zA-Z0-9]+$
  14309. type: string
  14310. templateAs:
  14311. default: Values
  14312. description: TemplateScope defines the scope of the template when processing template data.
  14313. enum:
  14314. - Values
  14315. - KeysAndValues
  14316. type: string
  14317. required:
  14318. - key
  14319. type: object
  14320. type: array
  14321. name:
  14322. description: The name of the ConfigMap/Secret resource
  14323. maxLength: 253
  14324. minLength: 1
  14325. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14326. type: string
  14327. required:
  14328. - items
  14329. - name
  14330. type: object
  14331. target:
  14332. default: Data
  14333. description: TemplateTarget defines the target field where the template result will be stored.
  14334. enum:
  14335. - Data
  14336. - Annotations
  14337. - Labels
  14338. type: string
  14339. type: object
  14340. type: array
  14341. type:
  14342. type: string
  14343. type: object
  14344. type: object
  14345. type: object
  14346. status:
  14347. description: ExternalSecretStatus defines the observed state of ExternalSecret.
  14348. properties:
  14349. binding:
  14350. description: Binding represents a servicebinding.io Provisioned Service reference to the secret
  14351. properties:
  14352. name:
  14353. default: ""
  14354. description: |-
  14355. Name of the referent.
  14356. This field is effectively required, but due to backwards compatibility is
  14357. allowed to be empty. Instances of this type with an empty value here are
  14358. almost certainly wrong.
  14359. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
  14360. type: string
  14361. type: object
  14362. x-kubernetes-map-type: atomic
  14363. conditions:
  14364. items:
  14365. description: ExternalSecretStatusCondition contains condition information for an ExternalSecret.
  14366. properties:
  14367. lastTransitionTime:
  14368. format: date-time
  14369. type: string
  14370. message:
  14371. type: string
  14372. reason:
  14373. type: string
  14374. status:
  14375. type: string
  14376. type:
  14377. description: ExternalSecretConditionType defines the condition type for an ExternalSecret.
  14378. type: string
  14379. required:
  14380. - status
  14381. - type
  14382. type: object
  14383. type: array
  14384. refreshTime:
  14385. description: |-
  14386. refreshTime is the time and date the external secret was fetched and
  14387. the target secret updated
  14388. format: date-time
  14389. nullable: true
  14390. type: string
  14391. syncedResourceVersion:
  14392. description: SyncedResourceVersion keeps track of the last synced version
  14393. type: string
  14394. type: object
  14395. type: object
  14396. served: false
  14397. storage: false
  14398. subresources:
  14399. status: {}
  14400. ---
  14401. apiVersion: apiextensions.k8s.io/v1
  14402. kind: CustomResourceDefinition
  14403. metadata:
  14404. annotations:
  14405. controller-gen.kubebuilder.io/version: v0.19.0
  14406. labels:
  14407. external-secrets.io/component: controller
  14408. name: pushsecrets.external-secrets.io
  14409. spec:
  14410. group: external-secrets.io
  14411. names:
  14412. categories:
  14413. - external-secrets
  14414. kind: PushSecret
  14415. listKind: PushSecretList
  14416. plural: pushsecrets
  14417. shortNames:
  14418. - ps
  14419. singular: pushsecret
  14420. scope: Namespaced
  14421. versions:
  14422. - additionalPrinterColumns:
  14423. - jsonPath: .metadata.creationTimestamp
  14424. name: AGE
  14425. type: date
  14426. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  14427. name: Status
  14428. type: string
  14429. - jsonPath: .status.refreshTime
  14430. name: Last Sync
  14431. type: date
  14432. name: v1alpha1
  14433. schema:
  14434. openAPIV3Schema:
  14435. description: PushSecret is the Schema for the PushSecrets API that enables pushing Kubernetes secrets to external secret providers.
  14436. properties:
  14437. apiVersion:
  14438. description: |-
  14439. APIVersion defines the versioned schema of this representation of an object.
  14440. Servers should convert recognized schemas to the latest internal value, and
  14441. may reject unrecognized values.
  14442. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  14443. type: string
  14444. kind:
  14445. description: |-
  14446. Kind is a string value representing the REST resource this object represents.
  14447. Servers may infer this from the endpoint the client submits requests to.
  14448. Cannot be updated.
  14449. In CamelCase.
  14450. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  14451. type: string
  14452. metadata:
  14453. type: object
  14454. spec:
  14455. description: PushSecretSpec configures the behavior of the PushSecret.
  14456. properties:
  14457. data:
  14458. description: Secret Data that should be pushed to providers
  14459. items:
  14460. description: PushSecretData defines data to be pushed to the provider and associated metadata.
  14461. properties:
  14462. conversionStrategy:
  14463. default: None
  14464. description: Used to define a conversion Strategy for the secret keys
  14465. enum:
  14466. - None
  14467. - ReverseUnicode
  14468. type: string
  14469. match:
  14470. description: Match a given Secret Key to be pushed to the provider.
  14471. properties:
  14472. remoteRef:
  14473. description: Remote Refs to push to providers.
  14474. properties:
  14475. property:
  14476. description: Name of the property in the resulting secret
  14477. type: string
  14478. remoteKey:
  14479. description: Name of the resulting provider secret.
  14480. type: string
  14481. required:
  14482. - remoteKey
  14483. type: object
  14484. secretKey:
  14485. description: Secret Key to be pushed
  14486. type: string
  14487. required:
  14488. - remoteRef
  14489. type: object
  14490. metadata:
  14491. description: |-
  14492. Metadata is metadata attached to the secret.
  14493. The structure of metadata is provider specific, please look it up in the provider documentation.
  14494. x-kubernetes-preserve-unknown-fields: true
  14495. required:
  14496. - match
  14497. type: object
  14498. type: array
  14499. dataTo:
  14500. description: DataTo defines bulk push rules that expand source Secret keys into provider entries.
  14501. items:
  14502. description: PushSecretDataTo defines how to bulk-push secrets to providers without explicit per-key mappings.
  14503. properties:
  14504. conversionStrategy:
  14505. default: None
  14506. description: Used to define a conversion Strategy for the secret keys
  14507. enum:
  14508. - None
  14509. - ReverseUnicode
  14510. type: string
  14511. match:
  14512. description: |-
  14513. Match pattern for selecting keys from the source Secret.
  14514. If not specified, all keys are selected.
  14515. properties:
  14516. regexp:
  14517. description: |-
  14518. Regexp matches keys by regular expression.
  14519. If not specified, all keys are matched.
  14520. type: string
  14521. type: object
  14522. metadata:
  14523. description: |-
  14524. Metadata is metadata attached to the secret.
  14525. The structure of metadata is provider specific, please look it up in the provider documentation.
  14526. x-kubernetes-preserve-unknown-fields: true
  14527. remoteKey:
  14528. description: |-
  14529. RemoteKey is the name of the single provider secret that will receive ALL
  14530. matched keys bundled as a JSON object (e.g. {"DB_HOST":"...","DB_USER":"..."}).
  14531. When set, per-key expansion is skipped and a single push is performed.
  14532. The provider's store prefix (if any) is still prepended to this value.
  14533. When not set, each matched key is pushed as its own individual provider secret.
  14534. type: string
  14535. rewrite:
  14536. description: |-
  14537. Rewrite operations to transform keys before pushing to the provider.
  14538. Operations are applied sequentially.
  14539. items:
  14540. description: PushSecretRewrite defines how to transform secret keys before pushing.
  14541. properties:
  14542. regexp:
  14543. description: Used to rewrite with regular expressions.
  14544. properties:
  14545. source:
14546. description: The regular expression matched against each source secret key; it must compile as a valid regular expression.
  14547. type: string
  14548. target:
  14549. description: Used to define the target pattern of a ReplaceAll operation.
  14550. type: string
  14551. required:
  14552. - source
  14553. - target
  14554. type: object
  14555. transform:
  14556. description: Used to apply string transformation on the secrets.
  14557. properties:
  14558. template:
  14559. description: |-
  14560. Used to define the template to apply on the secret name.
14561. `.value` refers to the secret name being rewritten within the template.
  14562. type: string
  14563. required:
  14564. - template
  14565. type: object
  14566. type: object
  14567. x-kubernetes-validations:
  14568. - message: exactly one of regexp or transform must be set
  14569. rule: (has(self.regexp) && !has(self.transform)) || (!has(self.regexp) && has(self.transform))
  14570. type: array
  14571. storeRef:
  14572. description: StoreRef specifies which SecretStore to push to. Required.
  14573. properties:
  14574. kind:
  14575. default: SecretStore
  14576. description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  14577. enum:
  14578. - SecretStore
  14579. - ClusterSecretStore
  14580. type: string
  14581. labelSelector:
  14582. description: Optionally, sync to secret stores with label selector
  14583. properties:
  14584. matchExpressions:
  14585. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  14586. items:
  14587. description: |-
  14588. A label selector requirement is a selector that contains values, a key, and an operator that
  14589. relates the key and values.
  14590. properties:
  14591. key:
  14592. description: key is the label key that the selector applies to.
  14593. type: string
  14594. operator:
  14595. description: |-
  14596. operator represents a key's relationship to a set of values.
  14597. Valid operators are In, NotIn, Exists and DoesNotExist.
  14598. type: string
  14599. values:
  14600. description: |-
  14601. values is an array of string values. If the operator is In or NotIn,
  14602. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  14603. the values array must be empty. This array is replaced during a strategic
  14604. merge patch.
  14605. items:
  14606. type: string
  14607. type: array
  14608. x-kubernetes-list-type: atomic
  14609. required:
  14610. - key
  14611. - operator
  14612. type: object
  14613. type: array
  14614. x-kubernetes-list-type: atomic
  14615. matchLabels:
  14616. additionalProperties:
  14617. type: string
  14618. description: |-
  14619. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  14620. map is equivalent to an element of matchExpressions, whose key field is "key", the
  14621. operator is "In", and the values array contains only "value". The requirements are ANDed.
  14622. type: object
  14623. type: object
  14624. x-kubernetes-map-type: atomic
  14625. name:
  14626. description: Optionally, sync to the SecretStore of the given name
  14627. maxLength: 253
  14628. minLength: 1
  14629. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14630. type: string
  14631. type: object
  14632. type: object
  14633. x-kubernetes-validations:
  14634. - message: storeRef must specify either name or labelSelector
  14635. rule: has(self.storeRef) && (has(self.storeRef.name) || has(self.storeRef.labelSelector))
  14636. - message: 'remoteKey and rewrite are mutually exclusive: rewrite is only supported in per-key mode (without remoteKey)'
  14637. rule: '!has(self.remoteKey) || !has(self.rewrite) || size(self.rewrite) == 0'
  14638. type: array
  14639. deletionPolicy:
  14640. default: None
  14641. description: Deletion Policy to handle Secrets in the provider.
  14642. enum:
  14643. - Delete
  14644. - None
  14645. type: string
  14646. refreshInterval:
  14647. default: 1h0m0s
14648. description: The interval at which External Secrets will re-push the secret definition to the provider (duration string, e.g. 1h0m0s).
  14649. type: string
  14650. secretStoreRefs:
  14651. items:
  14652. description: PushSecretStoreRef contains a reference on how to sync to a SecretStore.
  14653. properties:
  14654. kind:
  14655. default: SecretStore
  14656. description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  14657. enum:
  14658. - SecretStore
  14659. - ClusterSecretStore
  14660. type: string
  14661. labelSelector:
  14662. description: Optionally, sync to secret stores with label selector
  14663. properties:
  14664. matchExpressions:
  14665. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  14666. items:
  14667. description: |-
  14668. A label selector requirement is a selector that contains values, a key, and an operator that
  14669. relates the key and values.
  14670. properties:
  14671. key:
  14672. description: key is the label key that the selector applies to.
  14673. type: string
  14674. operator:
  14675. description: |-
  14676. operator represents a key's relationship to a set of values.
  14677. Valid operators are In, NotIn, Exists and DoesNotExist.
  14678. type: string
  14679. values:
  14680. description: |-
  14681. values is an array of string values. If the operator is In or NotIn,
  14682. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  14683. the values array must be empty. This array is replaced during a strategic
  14684. merge patch.
  14685. items:
  14686. type: string
  14687. type: array
  14688. x-kubernetes-list-type: atomic
  14689. required:
  14690. - key
  14691. - operator
  14692. type: object
  14693. type: array
  14694. x-kubernetes-list-type: atomic
  14695. matchLabels:
  14696. additionalProperties:
  14697. type: string
  14698. description: |-
  14699. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  14700. map is equivalent to an element of matchExpressions, whose key field is "key", the
  14701. operator is "In", and the values array contains only "value". The requirements are ANDed.
  14702. type: object
  14703. type: object
  14704. x-kubernetes-map-type: atomic
  14705. name:
  14706. description: Optionally, sync to the SecretStore of the given name
  14707. maxLength: 253
  14708. minLength: 1
  14709. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14710. type: string
  14711. type: object
  14712. type: array
  14713. selector:
  14714. description: The Secret Selector (k8s source) for the Push Secret
  14715. maxProperties: 1
  14716. minProperties: 1
  14717. properties:
  14718. generatorRef:
  14719. description: Point to a generator to create a Secret.
  14720. properties:
  14721. apiVersion:
  14722. default: generators.external-secrets.io/v1alpha1
  14723. description: Specify the apiVersion of the generator resource
  14724. type: string
  14725. kind:
  14726. description: Specify the Kind of the generator resource
  14727. enum:
  14728. - ACRAccessToken
  14729. - BeyondtrustWorkloadCredentialsDynamicSecret
  14730. - ClusterGenerator
  14731. - CloudsmithAccessToken
  14732. - ECRAuthorizationToken
  14733. - Fake
  14734. - GCRAccessToken
  14735. - GithubAccessToken
  14736. - GitlabDeployToken
  14737. - QuayAccessToken
  14738. - Password
  14739. - SSHKey
  14740. - STSSessionToken
  14741. - UUID
  14742. - VaultDynamicSecret
  14743. - Webhook
  14744. - Grafana
  14745. - MFA
  14746. type: string
  14747. name:
  14748. description: Specify the name of the generator resource
  14749. maxLength: 253
  14750. minLength: 1
  14751. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14752. type: string
  14753. required:
  14754. - kind
  14755. - name
  14756. type: object
  14757. secret:
  14758. description: Select a Secret to Push.
  14759. properties:
  14760. name:
  14761. description: |-
  14762. Name of the Secret.
  14763. The Secret must exist in the same namespace as the PushSecret manifest.
  14764. maxLength: 253
  14765. minLength: 1
  14766. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14767. type: string
  14768. selector:
  14769. description: Selector chooses secrets using a labelSelector.
  14770. properties:
  14771. matchExpressions:
  14772. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  14773. items:
  14774. description: |-
  14775. A label selector requirement is a selector that contains values, a key, and an operator that
  14776. relates the key and values.
  14777. properties:
  14778. key:
  14779. description: key is the label key that the selector applies to.
  14780. type: string
  14781. operator:
  14782. description: |-
  14783. operator represents a key's relationship to a set of values.
  14784. Valid operators are In, NotIn, Exists and DoesNotExist.
  14785. type: string
  14786. values:
  14787. description: |-
  14788. values is an array of string values. If the operator is In or NotIn,
  14789. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  14790. the values array must be empty. This array is replaced during a strategic
  14791. merge patch.
  14792. items:
  14793. type: string
  14794. type: array
  14795. x-kubernetes-list-type: atomic
  14796. required:
  14797. - key
  14798. - operator
  14799. type: object
  14800. type: array
  14801. x-kubernetes-list-type: atomic
  14802. matchLabels:
  14803. additionalProperties:
  14804. type: string
  14805. description: |-
  14806. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  14807. map is equivalent to an element of matchExpressions, whose key field is "key", the
  14808. operator is "In", and the values array contains only "value". The requirements are ANDed.
  14809. type: object
  14810. type: object
  14811. x-kubernetes-map-type: atomic
  14812. type: object
  14813. type: object
  14814. template:
  14815. description: Template defines a blueprint for the created Secret resource.
  14816. properties:
  14817. data:
  14818. additionalProperties:
  14819. type: string
  14820. type: object
  14821. engineVersion:
  14822. default: v2
  14823. description: |-
  14824. EngineVersion specifies the template engine version
  14825. that should be used to compile/execute the
  14826. template specified in .data and .templateFrom[].
  14827. enum:
  14828. - v2
  14829. type: string
  14830. mergePolicy:
  14831. default: Replace
  14832. description: TemplateMergePolicy defines how the rendered template should be merged with the existing Secret data.
  14833. enum:
  14834. - Replace
  14835. - Merge
  14836. type: string
  14837. metadata:
  14838. description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
  14839. properties:
  14840. annotations:
  14841. additionalProperties:
  14842. type: string
  14843. type: object
  14844. finalizers:
  14845. items:
  14846. type: string
  14847. type: array
  14848. labels:
  14849. additionalProperties:
  14850. type: string
  14851. type: object
  14852. type: object
  14853. templateFrom:
  14854. items:
  14855. description: |-
  14856. TemplateFrom specifies a source for templates.
  14857. Each item in the list can either reference a ConfigMap or a Secret resource.
  14858. properties:
  14859. configMap:
  14860. description: TemplateRef specifies a reference to either a ConfigMap or a Secret resource.
  14861. properties:
  14862. items:
  14863. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  14864. items:
  14865. description: TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data.
  14866. properties:
  14867. key:
  14868. description: A key in the ConfigMap/Secret
  14869. maxLength: 253
  14870. minLength: 1
  14871. pattern: ^[-._a-zA-Z0-9]+$
  14872. type: string
  14873. templateAs:
  14874. default: Values
  14875. description: TemplateScope specifies how the template keys should be interpreted.
  14876. enum:
  14877. - Values
  14878. - KeysAndValues
  14879. type: string
  14880. required:
  14881. - key
  14882. type: object
  14883. type: array
  14884. name:
  14885. description: The name of the ConfigMap/Secret resource
  14886. maxLength: 253
  14887. minLength: 1
  14888. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14889. type: string
  14890. required:
  14891. - items
  14892. - name
  14893. type: object
  14894. literal:
  14895. type: string
  14896. secret:
  14897. description: TemplateRef specifies a reference to either a ConfigMap or a Secret resource.
  14898. properties:
  14899. items:
  14900. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  14901. items:
  14902. description: TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data.
  14903. properties:
  14904. key:
  14905. description: A key in the ConfigMap/Secret
  14906. maxLength: 253
  14907. minLength: 1
  14908. pattern: ^[-._a-zA-Z0-9]+$
  14909. type: string
  14910. templateAs:
  14911. default: Values
  14912. description: TemplateScope specifies how the template keys should be interpreted.
  14913. enum:
  14914. - Values
  14915. - KeysAndValues
  14916. type: string
  14917. required:
  14918. - key
  14919. type: object
  14920. type: array
  14921. name:
  14922. description: The name of the ConfigMap/Secret resource
  14923. maxLength: 253
  14924. minLength: 1
  14925. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14926. type: string
  14927. required:
  14928. - items
  14929. - name
  14930. type: object
  14931. target:
  14932. default: Data
  14933. description: |-
  14934. Target specifies where to place the template result.
  14935. For Secret resources, common values are: "Data", "Annotations", "Labels".
  14936. For custom resources (when spec.target.manifest is set), this supports
  14937. nested paths like "spec.database.config" or "data".
  14938. type: string
  14939. valuesDecodingStrategy:
  14940. default: None
  14941. description: Used to define a decoding Strategy for the rendered template values.
  14942. enum:
  14943. - Auto
  14944. - Base64
  14945. - Base64URL
  14946. - None
  14947. type: string
  14948. type: object
  14949. type: array
  14950. type:
  14951. type: string
  14952. type: object
  14953. updatePolicy:
  14954. default: Replace
  14955. description: UpdatePolicy to handle Secrets in the provider.
  14956. enum:
  14957. - Replace
  14958. - IfNotExists
  14959. type: string
  14960. required:
  14961. - secretStoreRefs
  14962. - selector
  14963. type: object
  14964. status:
  14965. description: PushSecretStatus indicates the history of the status of PushSecret.
  14966. properties:
  14967. conditions:
  14968. items:
  14969. description: PushSecretStatusCondition indicates the status of the PushSecret.
  14970. properties:
  14971. lastTransitionTime:
  14972. format: date-time
  14973. type: string
  14974. message:
  14975. type: string
  14976. reason:
  14977. type: string
  14978. status:
  14979. type: string
  14980. type:
  14981. description: PushSecretConditionType indicates the condition of the PushSecret.
  14982. type: string
  14983. required:
  14984. - status
  14985. - type
  14986. type: object
  14987. type: array
  14988. refreshTime:
  14989. description: |-
14990. refreshTime is the time and date the PushSecret was last synced, i.e. the
14991. source secret was read and its data pushed to the provider
  14992. format: date-time
  14993. nullable: true
  14994. type: string
  14995. syncedPushSecrets:
  14996. additionalProperties:
  14997. additionalProperties:
  14998. description: PushSecretData defines data to be pushed to the provider and associated metadata.
  14999. properties:
  15000. conversionStrategy:
  15001. default: None
  15002. description: Used to define a conversion Strategy for the secret keys
  15003. enum:
  15004. - None
  15005. - ReverseUnicode
  15006. type: string
  15007. match:
  15008. description: Match a given Secret Key to be pushed to the provider.
  15009. properties:
  15010. remoteRef:
  15011. description: Remote Refs to push to providers.
  15012. properties:
  15013. property:
  15014. description: Name of the property in the resulting secret
  15015. type: string
  15016. remoteKey:
  15017. description: Name of the resulting provider secret.
  15018. type: string
  15019. required:
  15020. - remoteKey
  15021. type: object
  15022. secretKey:
  15023. description: Secret Key to be pushed
  15024. type: string
  15025. required:
  15026. - remoteRef
  15027. type: object
  15028. metadata:
  15029. description: |-
  15030. Metadata is metadata attached to the secret.
  15031. The structure of metadata is provider specific, please look it up in the provider documentation.
  15032. x-kubernetes-preserve-unknown-fields: true
  15033. required:
  15034. - match
  15035. type: object
  15036. type: object
  15037. description: |-
15038. Synced PushSecrets, including secrets that already existed in the provider.
15039. Maps each secret store to the PushSecretData that was pushed to that store.
  15040. type: object
  15041. syncedResourceVersion:
  15042. description: SyncedResourceVersion keeps track of the last synced version.
  15043. type: string
  15044. type: object
  15045. type: object
  15046. served: true
  15047. storage: true
  15048. subresources:
  15049. status: {}
  15050. ---
  15051. apiVersion: apiextensions.k8s.io/v1
  15052. kind: CustomResourceDefinition
  15053. metadata:
  15054. annotations:
  15055. controller-gen.kubebuilder.io/version: v0.19.0
  15056. labels:
  15057. external-secrets.io/component: controller
  15058. name: secretstores.external-secrets.io
  15059. spec:
  15060. group: external-secrets.io
  15061. names:
  15062. categories:
  15063. - external-secrets
  15064. kind: SecretStore
  15065. listKind: SecretStoreList
  15066. plural: secretstores
  15067. shortNames:
  15068. - ss
  15069. singular: secretstore
  15070. scope: Namespaced
  15071. versions:
  15072. - additionalPrinterColumns:
  15073. - jsonPath: .metadata.creationTimestamp
  15074. name: AGE
  15075. type: date
  15076. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  15077. name: Status
  15078. type: string
  15079. - jsonPath: .status.capabilities
  15080. name: Capabilities
  15081. type: string
  15082. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  15083. name: Ready
  15084. type: string
  15085. name: v1
  15086. schema:
  15087. openAPIV3Schema:
  15088. description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
  15089. properties:
  15090. apiVersion:
  15091. description: |-
  15092. APIVersion defines the versioned schema of this representation of an object.
  15093. Servers should convert recognized schemas to the latest internal value, and
  15094. may reject unrecognized values.
  15095. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  15096. type: string
  15097. kind:
  15098. description: |-
  15099. Kind is a string value representing the REST resource this object represents.
  15100. Servers may infer this from the endpoint the client submits requests to.
  15101. Cannot be updated.
  15102. In CamelCase.
  15103. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  15104. type: string
  15105. metadata:
  15106. type: object
  15107. spec:
  15108. description: SecretStoreSpec defines the desired state of SecretStore.
  15109. properties:
  15110. conditions:
  15111. description: Used to constrain a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore.
  15112. items:
  15113. description: |-
  15114. ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in
  15115. for a ClusterSecretStore instance.
  15116. properties:
  15117. namespaceRegexes:
15118. description: Choose namespaces by regular-expression matching. Anchor patterns (e.g. ^prod-.*$) so that a substring match does not admit unintended namespaces to the store.
  15119. items:
  15120. type: string
  15121. type: array
  15122. namespaceSelector:
  15123. description: Choose namespace using a labelSelector
  15124. properties:
  15125. matchExpressions:
  15126. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  15127. items:
  15128. description: |-
  15129. A label selector requirement is a selector that contains values, a key, and an operator that
  15130. relates the key and values.
  15131. properties:
  15132. key:
  15133. description: key is the label key that the selector applies to.
  15134. type: string
  15135. operator:
  15136. description: |-
  15137. operator represents a key's relationship to a set of values.
  15138. Valid operators are In, NotIn, Exists and DoesNotExist.
  15139. type: string
  15140. values:
  15141. description: |-
  15142. values is an array of string values. If the operator is In or NotIn,
  15143. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  15144. the values array must be empty. This array is replaced during a strategic
  15145. merge patch.
  15146. items:
  15147. type: string
  15148. type: array
  15149. x-kubernetes-list-type: atomic
  15150. required:
  15151. - key
  15152. - operator
  15153. type: object
  15154. type: array
  15155. x-kubernetes-list-type: atomic
  15156. matchLabels:
  15157. additionalProperties:
  15158. type: string
  15159. description: |-
  15160. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  15161. map is equivalent to an element of matchExpressions, whose key field is "key", the
  15162. operator is "In", and the values array contains only "value". The requirements are ANDed.
  15163. type: object
  15164. type: object
  15165. x-kubernetes-map-type: atomic
  15166. namespaces:
  15167. description: Choose namespaces by name
  15168. items:
  15169. maxLength: 63
  15170. minLength: 1
  15171. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15172. type: string
  15173. type: array
  15174. type: object
  15175. type: array
  15176. controller:
  15177. description: |-
  15178. Used to select the correct ESO controller (think: ingress.ingressClassName)
  15179. The ESO controller is instantiated with a specific controller name and filters ES based on this property
  15180. type: string
  15181. provider:
  15182. description: Used to configure the provider. Only one provider may be set
  15183. maxProperties: 1
  15184. minProperties: 1
  15185. properties:
  15186. akeyless:
  15187. description: Akeyless configures this store to sync secrets using Akeyless Vault provider
  15188. properties:
  15189. akeylessGWApiURL:
  15190. description: Akeyless GW API URL from which the secrets are fetched.
  15191. type: string
  15192. authSecretRef:
  15193. description: Auth configures how the operator authenticates with Akeyless.
  15194. properties:
  15195. kubernetesAuth:
  15196. description: |-
  15197. Kubernetes authenticates with Akeyless by passing the ServiceAccount
  15198. token stored in the named Secret resource.
  15199. properties:
  15200. accessID:
  15201. description: the Akeyless Kubernetes auth-method access-id
  15202. type: string
  15203. k8sConfName:
  15204. description: Kubernetes-auth configuration name in Akeyless-Gateway
  15205. type: string
  15206. secretRef:
  15207. description: |-
  15208. Optional secret field containing a Kubernetes ServiceAccount JWT used
  15209. for authenticating with Akeyless. If a name is specified without a key,
  15210. `token` is the default. If one is not specified, the one bound to
  15211. the controller will be used.
  15212. properties:
  15213. key:
  15214. description: |-
  15215. A key in the referenced Secret.
  15216. Some instances of this field may be defaulted, in others it may be required.
  15217. maxLength: 253
  15218. minLength: 1
  15219. pattern: ^[-._a-zA-Z0-9]+$
  15220. type: string
  15221. name:
  15222. description: The name of the Secret resource being referred to.
  15223. maxLength: 253
  15224. minLength: 1
  15225. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15226. type: string
  15227. namespace:
  15228. description: |-
  15229. The namespace of the Secret resource being referred to.
  15230. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15231. maxLength: 63
  15232. minLength: 1
  15233. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15234. type: string
  15235. type: object
  15236. serviceAccountRef:
  15237. description: |-
  15238. Optional service account field containing the name of a kubernetes ServiceAccount.
  15239. If the service account is specified, the service account secret token JWT will be used
  15240. for authenticating with Akeyless. If the service account selector is not supplied,
  15241. the secretRef will be used instead.
  15242. properties:
  15243. audiences:
  15244. description: |-
  15245. Audience specifies the `aud` claim for the service account token
  15246. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  15247. then these audiences will be appended to the list.
  15248. items:
  15249. type: string
  15250. type: array
  15251. name:
  15252. description: The name of the ServiceAccount resource being referred to.
  15253. maxLength: 253
  15254. minLength: 1
  15255. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15256. type: string
  15257. namespace:
  15258. description: |-
  15259. Namespace of the resource being referred to.
  15260. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15261. maxLength: 63
  15262. minLength: 1
  15263. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15264. type: string
  15265. required:
  15266. - name
  15267. type: object
  15268. required:
  15269. - accessID
  15270. - k8sConfName
  15271. type: object
  15272. secretRef:
  15273. description: |-
  15274. Reference to a Secret that contains the details
  15275. to authenticate with Akeyless.
  15276. properties:
  15277. accessID:
  15278. description: The SecretAccessID is used for authentication
  15279. properties:
  15280. key:
  15281. description: |-
  15282. A key in the referenced Secret.
  15283. Some instances of this field may be defaulted, in others it may be required.
  15284. maxLength: 253
  15285. minLength: 1
  15286. pattern: ^[-._a-zA-Z0-9]+$
  15287. type: string
  15288. name:
  15289. description: The name of the Secret resource being referred to.
  15290. maxLength: 253
  15291. minLength: 1
  15292. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15293. type: string
  15294. namespace:
  15295. description: |-
  15296. The namespace of the Secret resource being referred to.
  15297. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15298. maxLength: 63
  15299. minLength: 1
  15300. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15301. type: string
  15302. type: object
  15303. accessType:
  15304. description: |-
  15305. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  15306. In some instances, `key` is a required field.
  15307. properties:
  15308. key:
  15309. description: |-
  15310. A key in the referenced Secret.
  15311. Some instances of this field may be defaulted, in others it may be required.
  15312. maxLength: 253
  15313. minLength: 1
  15314. pattern: ^[-._a-zA-Z0-9]+$
  15315. type: string
  15316. name:
  15317. description: The name of the Secret resource being referred to.
  15318. maxLength: 253
  15319. minLength: 1
  15320. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15321. type: string
  15322. namespace:
  15323. description: |-
  15324. The namespace of the Secret resource being referred to.
  15325. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15326. maxLength: 63
  15327. minLength: 1
  15328. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15329. type: string
  15330. type: object
  15331. accessTypeParam:
  15332. description: |-
  15333. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  15334. In some instances, `key` is a required field.
  15335. properties:
  15336. key:
  15337. description: |-
  15338. A key in the referenced Secret.
  15339. Some instances of this field may be defaulted, in others it may be required.
  15340. maxLength: 253
  15341. minLength: 1
  15342. pattern: ^[-._a-zA-Z0-9]+$
  15343. type: string
  15344. name:
  15345. description: The name of the Secret resource being referred to.
  15346. maxLength: 253
  15347. minLength: 1
  15348. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15349. type: string
  15350. namespace:
  15351. description: |-
  15352. The namespace of the Secret resource being referred to.
  15353. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15354. maxLength: 63
  15355. minLength: 1
  15356. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15357. type: string
  15358. type: object
  15359. type: object
  15360. type: object
  15361. caBundle:
  15362. description: |-
  15363. PEM/base64 encoded CA bundle used to validate the Akeyless Gateway certificate. Only used
  15364. if the AkeylessGWApiURL uses the HTTPS protocol. If not set, the system root certificates
  15365. are used to validate the TLS connection.
  15366. format: byte
  15367. type: string
  15368. caProvider:
  15369. description: The provider for the CA bundle to use to validate Akeyless Gateway certificate.
  15370. properties:
  15371. key:
  15372. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  15373. maxLength: 253
  15374. minLength: 1
  15375. pattern: ^[-._a-zA-Z0-9]+$
  15376. type: string
  15377. name:
  15378. description: The name of the object located at the provider type.
  15379. maxLength: 253
  15380. minLength: 1
  15381. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15382. type: string
  15383. namespace:
  15384. description: |-
  15385. The namespace the Provider type is in.
  15386. Can only be defined when used in a ClusterSecretStore.
  15387. maxLength: 63
  15388. minLength: 1
  15389. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15390. type: string
  15391. type:
  15392. description: The type of provider to use such as "Secret", or "ConfigMap".
  15393. enum:
  15394. - Secret
  15395. - ConfigMap
  15396. type: string
  15397. required:
  15398. - name
  15399. - type
  15400. type: object
  15401. required:
  15402. - akeylessGWApiURL
  15403. - authSecretRef
  15404. type: object
  15405. aws:
  15406. description: AWS configures this store to sync secrets using AWS Secret Manager provider
  15407. properties:
  15408. additionalRoles:
  15409. description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role
  15410. items:
  15411. type: string
  15412. type: array
  15413. auth:
  15414. description: |-
  15415. Auth defines the information necessary to authenticate against AWS
  15416. If not set, the AWS SDK will infer credentials from your environment.
  15417. see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
  15418. properties:
  15419. jwt:
  15420. description: AWSJWTAuth stores reference to Authenticate against AWS using service account tokens.
  15421. properties:
  15422. serviceAccountRef:
  15423. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  15424. properties:
  15425. audiences:
  15426. description: |-
  15427. Audience specifies the `aud` claim for the service account token
  15428. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  15429. then these audiences will be appended to the list.
  15430. items:
  15431. type: string
  15432. type: array
  15433. name:
  15434. description: The name of the ServiceAccount resource being referred to.
  15435. maxLength: 253
  15436. minLength: 1
  15437. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15438. type: string
  15439. namespace:
  15440. description: |-
  15441. Namespace of the resource being referred to.
  15442. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15443. maxLength: 63
  15444. minLength: 1
  15445. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15446. type: string
  15447. required:
  15448. - name
  15449. type: object
  15450. type: object
  15451. secretRef:
  15452. description: |-
  15453. AWSAuthSecretRef holds secret references for AWS credentials
  15454. both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  15455. properties:
  15456. accessKeyIDSecretRef:
  15457. description: The AccessKeyID is used for authentication
  15458. properties:
  15459. key:
  15460. description: |-
  15461. A key in the referenced Secret.
  15462. Some instances of this field may be defaulted, in others it may be required.
  15463. maxLength: 253
  15464. minLength: 1
  15465. pattern: ^[-._a-zA-Z0-9]+$
  15466. type: string
  15467. name:
  15468. description: The name of the Secret resource being referred to.
  15469. maxLength: 253
  15470. minLength: 1
  15471. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15472. type: string
  15473. namespace:
  15474. description: |-
  15475. The namespace of the Secret resource being referred to.
  15476. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15477. maxLength: 63
  15478. minLength: 1
  15479. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15480. type: string
  15481. type: object
  15482. secretAccessKeySecretRef:
  15483. description: The SecretAccessKey is used for authentication
  15484. properties:
  15485. key:
  15486. description: |-
  15487. A key in the referenced Secret.
  15488. Some instances of this field may be defaulted, in others it may be required.
  15489. maxLength: 253
  15490. minLength: 1
  15491. pattern: ^[-._a-zA-Z0-9]+$
  15492. type: string
  15493. name:
  15494. description: The name of the Secret resource being referred to.
  15495. maxLength: 253
  15496. minLength: 1
  15497. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15498. type: string
  15499. namespace:
  15500. description: |-
  15501. The namespace of the Secret resource being referred to.
  15502. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15503. maxLength: 63
  15504. minLength: 1
  15505. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15506. type: string
  15507. type: object
  15508. sessionTokenSecretRef:
  15509. description: |-
  15510. The SessionToken used for authentication
  15511. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  15512. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  15513. properties:
  15514. key:
  15515. description: |-
  15516. A key in the referenced Secret.
  15517. Some instances of this field may be defaulted, in others it may be required.
  15518. maxLength: 253
  15519. minLength: 1
  15520. pattern: ^[-._a-zA-Z0-9]+$
  15521. type: string
  15522. name:
  15523. description: The name of the Secret resource being referred to.
  15524. maxLength: 253
  15525. minLength: 1
  15526. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15527. type: string
  15528. namespace:
  15529. description: |-
  15530. The namespace of the Secret resource being referred to.
  15531. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15532. maxLength: 63
  15533. minLength: 1
  15534. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15535. type: string
  15536. type: object
  15537. type: object
  15538. type: object
  15539. customSessionTags:
  15540. additionalProperties:
  15541. type: string
  15542. description: |-
  15543. CustomSessionTags defines additional STS session tags to include when SessionTagsPolicy is Custom.
  15544. These are merged with the automatically injected esoNamespace, esoStoreName, and esoStoreKind tags.
  15545. type: object
  15546. x-kubernetes-validations:
  15547. - message: 'customSessionTags cannot contain automatically injected reserved keys: esoNamespace, esoStoreName, esoStoreKind'
  15548. rule: '!(''esoNamespace'' in self) && !(''esoStoreName'' in self) && !(''esoStoreKind'' in self)'
  15549. externalID:
  15550. description: AWS External ID set on assumed IAM roles
  15551. type: string
  15552. prefix:
  15553. description: Prefix adds a prefix to all retrieved values.
  15554. type: string
  15555. region:
  15556. description: AWS Region to be used for the provider
  15557. type: string
  15558. role:
  15559. description: Role is a Role ARN which the provider will assume
  15560. type: string
  15561. secretsManager:
  15562. description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager
  15563. properties:
  15564. forceDeleteWithoutRecovery:
  15565. description: |-
  15566. Specifies whether to delete the secret without any recovery window. You
  15567. can't use both this parameter and RecoveryWindowInDays in the same call.
  15568. If you don't use either, then by default Secrets Manager uses a 30 day
  15569. recovery window.
  15570. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery
  15571. type: boolean
  15572. recoveryWindowInDays:
  15573. description: |-
  15574. The number of days from 7 to 30 that Secrets Manager waits before
  15575. permanently deleting the secret. You can't use both this parameter and
  15576. ForceDeleteWithoutRecovery in the same call. If you don't use either,
  15577. then by default Secrets Manager uses a 30-day recovery window.
  15578. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays
  15579. format: int64
  15580. type: integer
  15581. type: object
  15582. service:
  15583. description: Service defines which service should be used to fetch the secrets
  15584. enum:
  15585. - SecretsManager
  15586. - ParameterStore
  15587. type: string
  15588. sessionTags:
  15589. description: AWS STS assume role session tags
  15590. items:
  15591. description: |-
  15592. Tag is a key-value pair that can be attached to an AWS resource.
  15593. see: https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html
  15594. properties:
  15595. key:
  15596. type: string
  15597. value:
  15598. type: string
  15599. required:
  15600. - key
  15601. - value
  15602. type: object
  15603. type: array
  15604. sessionTagsPolicy:
  15605. default: None
  15606. description: |-
  15607. SessionTagsPolicy controls whether and how STS session tags are added when assuming roles.
  15608. None (default): no tags are added.
  15609. Simple: automatically adds esoNamespace (from the ExternalSecret), esoStoreName, and esoStoreKind tags.
  15610. Custom: adds esoNamespace, esoStoreName, and esoStoreKind plus any tags defined in CustomSessionTags.
  15611. Note: the IAM role must have sts:TagSession permission when using Simple or Custom.
  15612. enum:
  15613. - None
  15614. - Simple
  15615. - Custom
  15616. type: string
  15617. transitiveTagKeys:
  15618. description: AWS STS assume role transitive session tags. Required when multiple roles are used with the provider.
  15619. items:
  15620. type: string
  15621. type: array
  15622. required:
  15623. - region
  15624. - service
  15625. type: object
  15626. azurekv:
  15627. description: AzureKV configures this store to sync secrets using Azure Key Vault provider
  15628. properties:
  15629. authSecretRef:
  15630. description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
  15631. properties:
  15632. clientCertificate:
  15633. description: The Azure ClientCertificate of the service principal used for authentication.
  15634. properties:
  15635. key:
  15636. description: |-
  15637. A key in the referenced Secret.
  15638. Some instances of this field may be defaulted, in others it may be required.
  15639. maxLength: 253
  15640. minLength: 1
  15641. pattern: ^[-._a-zA-Z0-9]+$
  15642. type: string
  15643. name:
  15644. description: The name of the Secret resource being referred to.
  15645. maxLength: 253
  15646. minLength: 1
  15647. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15648. type: string
  15649. namespace:
  15650. description: |-
  15651. The namespace of the Secret resource being referred to.
  15652. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15653. maxLength: 63
  15654. minLength: 1
  15655. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15656. type: string
  15657. type: object
  15658. clientId:
  15659. description: The Azure clientId of the service principal or managed identity used for authentication.
  15660. properties:
  15661. key:
  15662. description: |-
  15663. A key in the referenced Secret.
  15664. Some instances of this field may be defaulted, in others it may be required.
  15665. maxLength: 253
  15666. minLength: 1
  15667. pattern: ^[-._a-zA-Z0-9]+$
  15668. type: string
  15669. name:
  15670. description: The name of the Secret resource being referred to.
  15671. maxLength: 253
  15672. minLength: 1
  15673. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15674. type: string
  15675. namespace:
  15676. description: |-
  15677. The namespace of the Secret resource being referred to.
  15678. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15679. maxLength: 63
  15680. minLength: 1
  15681. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15682. type: string
  15683. type: object
  15684. clientSecret:
  15685. description: The Azure ClientSecret of the service principal used for authentication.
  15686. properties:
  15687. key:
  15688. description: |-
  15689. A key in the referenced Secret.
  15690. Some instances of this field may be defaulted, in others it may be required.
  15691. maxLength: 253
  15692. minLength: 1
  15693. pattern: ^[-._a-zA-Z0-9]+$
  15694. type: string
  15695. name:
  15696. description: The name of the Secret resource being referred to.
  15697. maxLength: 253
  15698. minLength: 1
  15699. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15700. type: string
  15701. namespace:
  15702. description: |-
  15703. The namespace of the Secret resource being referred to.
  15704. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15705. maxLength: 63
  15706. minLength: 1
  15707. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15708. type: string
  15709. type: object
  15710. tenantId:
  15711. description: The Azure tenantId of the managed identity used for authentication.
  15712. properties:
  15713. key:
  15714. description: |-
  15715. A key in the referenced Secret.
  15716. Some instances of this field may be defaulted, in others it may be required.
  15717. maxLength: 253
  15718. minLength: 1
  15719. pattern: ^[-._a-zA-Z0-9]+$
  15720. type: string
  15721. name:
  15722. description: The name of the Secret resource being referred to.
  15723. maxLength: 253
  15724. minLength: 1
  15725. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15726. type: string
  15727. namespace:
  15728. description: |-
  15729. The namespace of the Secret resource being referred to.
  15730. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15731. maxLength: 63
  15732. minLength: 1
  15733. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15734. type: string
  15735. type: object
  15736. type: object
  15737. authType:
  15738. default: ServicePrincipal
  15739. description: |-
  15740. Auth type defines how to authenticate to the keyvault service.
  15741. Valid values are:
  15742. - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
  15743. - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
  15744. - "WorkloadIdentity": Using a Kubernetes ServiceAccount federated with Entra ID
  15745. enum:
  15746. - ServicePrincipal
  15747. - ManagedIdentity
  15748. - WorkloadIdentity
  15749. type: string
  15750. customCloudConfig:
  15751. description: |-
  15752. CustomCloudConfig defines custom Azure endpoints for non-standard clouds.
  15753. Required when EnvironmentType is AzureStackCloud.
  15754. Optional for other environment types - useful for Azure China when using Workload Identity
  15755. with AKS, where the OIDC issuer (login.partner.microsoftonline.cn) differs from the
  15756. standard China Cloud endpoint (login.chinacloudapi.cn).
  15757. IMPORTANT: This feature REQUIRES UseAzureSDK to be set to true. Custom cloud
  15758. configuration is not supported with the legacy go-autorest SDK.
  15759. properties:
  15760. activeDirectoryEndpoint:
  15761. description: |-
  15762. ActiveDirectoryEndpoint is the AAD endpoint for authentication
  15763. Required when using custom cloud configuration
  15764. type: string
  15765. keyVaultDNSSuffix:
  15766. description: KeyVaultDNSSuffix is the DNS suffix for Key Vault URLs
  15767. type: string
  15768. keyVaultEndpoint:
  15769. description: KeyVaultEndpoint is the Key Vault service endpoint
  15770. type: string
  15771. resourceManagerEndpoint:
  15772. description: ResourceManagerEndpoint is the Azure Resource Manager endpoint
  15773. type: string
  15774. required:
  15775. - activeDirectoryEndpoint
  15776. type: object
  15777. environmentType:
  15778. default: PublicCloud
  15779. description: |-
  15780. EnvironmentType specifies the Azure cloud environment endpoints to use for
  15781. connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
  15782. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
  15783. PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud, AzureStackCloud
  15784. Use AzureStackCloud when you need to configure custom Azure Stack Hub or Azure Stack Edge endpoints.
  15785. enum:
  15786. - PublicCloud
  15787. - USGovernmentCloud
  15788. - ChinaCloud
  15789. - GermanCloud
  15790. - AzureStackCloud
  15791. type: string
  15792. identityId:
  15793. description: If multiple Managed Identities are assigned to the pod, you can select the one to be used.
  15794. type: string
  15795. serviceAccountRef:
  15796. description: |-
  15797. ServiceAccountRef specifies the service account
  15798. that should be used when authenticating with WorkloadIdentity.
  15799. properties:
  15800. audiences:
  15801. description: |-
  15802. Audience specifies the `aud` claim for the service account token
  15803. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  15804. then these audiences will be appended to the list.
  15805. items:
  15806. type: string
  15807. type: array
  15808. name:
  15809. description: The name of the ServiceAccount resource being referred to.
  15810. maxLength: 253
  15811. minLength: 1
  15812. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15813. type: string
  15814. namespace:
  15815. description: |-
  15816. Namespace of the resource being referred to.
  15817. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15818. maxLength: 63
  15819. minLength: 1
  15820. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15821. type: string
  15822. required:
  15823. - name
  15824. type: object
  15825. tenantId:
  15826. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
  15827. type: string
  15828. useAzureSDK:
  15829. default: false
  15830. description: |-
  15831. UseAzureSDK enables the use of the new Azure SDK for Go (azcore-based) instead of the legacy go-autorest SDK.
  15832. This is experimental and may have behavioral differences. Defaults to false (legacy SDK).
  15833. type: boolean
  15834. vaultUrl:
  15835. description: Vault URL from which the secrets are fetched.
  15836. type: string
  15837. required:
  15838. - vaultUrl
  15839. type: object
  15840. barbican:
  15841. description: Barbican configures this store to sync secrets using the OpenStack Barbican provider
  15842. properties:
  15843. auth:
  15844. description: BarbicanAuth contains the authentication information for Barbican.
  15845. properties:
  15846. password:
  15847. description: BarbicanProviderPasswordRef defines a reference to a secret containing password for the Barbican provider.
  15848. properties:
  15849. secretRef:
  15850. description: |-
  15851. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  15852. In some instances, `key` is a required field.
  15853. properties:
  15854. key:
  15855. description: |-
  15856. A key in the referenced Secret.
  15857. Some instances of this field may be defaulted, in others it may be required.
  15858. maxLength: 253
  15859. minLength: 1
  15860. pattern: ^[-._a-zA-Z0-9]+$
  15861. type: string
  15862. name:
  15863. description: The name of the Secret resource being referred to.
  15864. maxLength: 253
  15865. minLength: 1
  15866. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15867. type: string
  15868. namespace:
  15869. description: |-
  15870. The namespace of the Secret resource being referred to.
  15871. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15872. maxLength: 63
  15873. minLength: 1
  15874. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15875. type: string
  15876. type: object
  15877. required:
  15878. - secretRef
  15879. type: object
  15880. username:
  15881. description: BarbicanProviderUsernameRef defines a reference to a secret containing username for the Barbican provider.
  15882. maxProperties: 1
  15883. minProperties: 1
  15884. properties:
  15885. secretRef:
  15886. description: |-
  15887. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  15888. In some instances, `key` is a required field.
  15889. properties:
  15890. key:
  15891. description: |-
  15892. A key in the referenced Secret.
  15893. Some instances of this field may be defaulted, in others it may be required.
  15894. maxLength: 253
  15895. minLength: 1
  15896. pattern: ^[-._a-zA-Z0-9]+$
  15897. type: string
  15898. name:
  15899. description: The name of the Secret resource being referred to.
  15900. maxLength: 253
  15901. minLength: 1
  15902. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15903. type: string
  15904. namespace:
  15905. description: |-
  15906. The namespace of the Secret resource being referred to.
  15907. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15908. maxLength: 63
  15909. minLength: 1
  15910. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15911. type: string
  15912. type: object
  15913. value:
  15914. type: string
  15915. type: object
  15916. required:
  15917. - password
  15918. - username
  15919. type: object
  15920. authURL:
  15921. type: string
  15922. domainName:
  15923. type: string
  15924. region:
  15925. type: string
  15926. tenantName:
  15927. type: string
  15928. required:
  15929. - auth
  15930. type: object
  15931. beyondtrust:
  15932. description: Beyondtrust configures this store to sync secrets using Password Safe provider.
  15933. properties:
  15934. auth:
  15935. description: Auth configures how the operator authenticates with Beyondtrust.
  15936. properties:
  15937. apiKey:
  15938. description: APIKey. If not provided, then ClientID/ClientSecret become required.
  15939. properties:
  15940. secretRef:
  15941. description: SecretRef references a key in a secret that will be used as value.
  15942. properties:
  15943. key:
  15944. description: |-
  15945. A key in the referenced Secret.
  15946. Some instances of this field may be defaulted, in others it may be required.
  15947. maxLength: 253
  15948. minLength: 1
  15949. pattern: ^[-._a-zA-Z0-9]+$
  15950. type: string
  15951. name:
  15952. description: The name of the Secret resource being referred to.
  15953. maxLength: 253
  15954. minLength: 1
  15955. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15956. type: string
  15957. namespace:
  15958. description: |-
  15959. The namespace of the Secret resource being referred to.
  15960. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15961. maxLength: 63
  15962. minLength: 1
  15963. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15964. type: string
  15965. type: object
  15966. value:
  15967. description: Value can be specified directly to set a value without using a secret.
  15968. type: string
  15969. type: object
  15970. certificate:
  15971. description: Certificate (cert.pem) for use when authenticating with an OAuth client Id using a Client Certificate.
  15972. properties:
  15973. secretRef:
  15974. description: SecretRef references a key in a secret that will be used as value.
  15975. properties:
  15976. key:
  15977. description: |-
  15978. A key in the referenced Secret.
  15979. Some instances of this field may be defaulted, in others it may be required.
  15980. maxLength: 253
  15981. minLength: 1
  15982. pattern: ^[-._a-zA-Z0-9]+$
  15983. type: string
  15984. name:
  15985. description: The name of the Secret resource being referred to.
  15986. maxLength: 253
  15987. minLength: 1
  15988. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15989. type: string
  15990. namespace:
  15991. description: |-
  15992. The namespace of the Secret resource being referred to.
  15993. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15994. maxLength: 63
  15995. minLength: 1
  15996. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15997. type: string
  15998. type: object
  15999. value:
  16000. description: Value can be specified directly to set a value without using a secret.
  16001. type: string
  16002. type: object
  16003. certificateKey:
  16004. description: Certificate private key (key.pem). For use when authenticating with an OAuth client Id.
  16005. properties:
  16006. secretRef:
  16007. description: SecretRef references a key in a secret that will be used as value.
  16008. properties:
  16009. key:
  16010. description: |-
  16011. A key in the referenced Secret.
  16012. Some instances of this field may be defaulted, in others it may be required.
  16013. maxLength: 253
  16014. minLength: 1
  16015. pattern: ^[-._a-zA-Z0-9]+$
  16016. type: string
  16017. name:
  16018. description: The name of the Secret resource being referred to.
  16019. maxLength: 253
  16020. minLength: 1
  16021. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16022. type: string
  16023. namespace:
  16024. description: |-
  16025. The namespace of the Secret resource being referred to.
  16026. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16027. maxLength: 63
  16028. minLength: 1
  16029. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16030. type: string
  16031. type: object
  16032. value:
  16033. description: Value can be specified directly to set a value without using a secret.
  16034. type: string
  16035. type: object
  16036. clientId:
  16037. description: ClientID is the API OAuth Client ID.
  16038. properties:
  16039. secretRef:
  16040. description: SecretRef references a key in a secret that will be used as value.
  16041. properties:
  16042. key:
  16043. description: |-
  16044. A key in the referenced Secret.
  16045. Some instances of this field may be defaulted, in others it may be required.
  16046. maxLength: 253
  16047. minLength: 1
  16048. pattern: ^[-._a-zA-Z0-9]+$
  16049. type: string
  16050. name:
  16051. description: The name of the Secret resource being referred to.
  16052. maxLength: 253
  16053. minLength: 1
  16054. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16055. type: string
  16056. namespace:
  16057. description: |-
  16058. The namespace of the Secret resource being referred to.
  16059. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16060. maxLength: 63
  16061. minLength: 1
  16062. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16063. type: string
  16064. type: object
  16065. value:
  16066. description: Value can be specified directly to set a value without using a secret.
  16067. type: string
  16068. type: object
  16069. clientSecret:
  16070. description: ClientSecret is the API OAuth Client Secret.
  16071. properties:
  16072. secretRef:
  16073. description: SecretRef references a key in a secret that will be used as value.
  16074. properties:
  16075. key:
  16076. description: |-
  16077. A key in the referenced Secret.
  16078. Some instances of this field may be defaulted, in others it may be required.
  16079. maxLength: 253
  16080. minLength: 1
  16081. pattern: ^[-._a-zA-Z0-9]+$
  16082. type: string
  16083. name:
  16084. description: The name of the Secret resource being referred to.
  16085. maxLength: 253
  16086. minLength: 1
  16087. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16088. type: string
  16089. namespace:
  16090. description: |-
  16091. The namespace of the Secret resource being referred to.
  16092. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16093. maxLength: 63
  16094. minLength: 1
  16095. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16096. type: string
  16097. type: object
  16098. value:
  16099. description: Value can be specified directly to set a value without using a secret.
  16100. type: string
  16101. type: object
  16102. type: object
  16103. server:
  16104. description: Server configures how the API server works.
  16105. properties:
  16106. apiUrl:
  16107. type: string
  16108. apiVersion:
  16109. type: string
  16110. clientTimeOutSeconds:
  16111. description: Timeout specifies a time limit for requests made by this Client. The timeout includes connection time, any redirects, and reading the response body. Defaults to 45 seconds.
  16112. type: integer
  16113. decrypt:
  16114. default: true
  16115. description: 'When true, the response includes the decrypted password. When false, the password field is omitted. This option only applies to the SECRET retrieval type. Default: true.'
  16116. type: boolean
  16117. retrievalType:
  16118. description: The secret retrieval type. SECRET = Secrets Safe (credential, text, file). MANAGED_ACCOUNT = Password Safe account associated with a system.
  16119. type: string
  16120. separator:
  16121. description: A character that separates the folder names.
  16122. type: string
  16123. verifyCA:
  16124. type: boolean
  16125. required:
  16126. - apiUrl
  16127. - verifyCA
  16128. type: object
  16129. required:
  16130. - auth
  16131. - server
  16132. type: object
  16133. beyondtrustworkloadcredentials:
  16134. description: BeyondtrustWorkloadCredentials configures this store to sync secrets using the BeyondTrust Workload Credentials provider.
  16135. properties:
  16136. auth:
  16137. description: |-
  16138. Auth configures how the Operator authenticates with the BeyondTrust Workload Credentials API.
  16139. Currently supports API key authentication via Kubernetes secret reference.
  16140. For authentication setup, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#authentication
  16141. properties:
  16142. apikey:
  16143. description: |-
  16144. APIKey configures API token authentication for BeyondTrust Workload Credentials.
  16145. The token is retrieved from a Kubernetes secret and used as a Bearer token for API requests.
  16146. properties:
  16147. token:
  16148. description: |-
  16149. Token references the Kubernetes secret containing the BeyondTrust Workload Credentials API token.
  16150. The secret should contain the API key used to authenticate with BeyondTrust Workload Credentials.
  16151. Create an API token in your BeyondTrust Workload Credentials console and store it in a Kubernetes secret.
  16152. For details on creating API tokens, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#authentication
  16153. properties:
  16154. key:
  16155. description: |-
  16156. A key in the referenced Secret.
  16157. Some instances of this field may be defaulted, in others it may be required.
  16158. maxLength: 253
  16159. minLength: 1
  16160. pattern: ^[-._a-zA-Z0-9]+$
  16161. type: string
  16162. name:
  16163. description: The name of the Secret resource being referred to.
  16164. maxLength: 253
  16165. minLength: 1
  16166. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16167. type: string
  16168. namespace:
  16169. description: |-
  16170. The namespace of the Secret resource being referred to.
  16171. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16172. maxLength: 63
  16173. minLength: 1
  16174. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16175. type: string
  16176. type: object
  16177. required:
  16178. - token
  16179. type: object
  16180. required:
  16181. - apikey
  16182. type: object
  16183. caBundle:
  16184. description: |-
  16185. CABundle is a base64-encoded CA certificate used to validate the BeyondTrust Workload Credentials API TLS certificate.
  16186. Use this when your BeyondTrust instance uses a self-signed certificate or internal CA.
  16187. If not set, the system's trusted root certificates are used.
  16188. format: byte
  16189. type: string
  16190. caProvider:
  16191. description: |-
  16192. CAProvider points to a Secret or ConfigMap containing a PEM-encoded CA certificate.
  16193. This is used to validate the BeyondTrust Workload Credentials API TLS certificate.
  16194. Use this as an alternative to CABundle when you want to reference an existing Kubernetes resource.
  16195. properties:
  16196. key:
  16197. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  16198. maxLength: 253
  16199. minLength: 1
  16200. pattern: ^[-._a-zA-Z0-9]+$
  16201. type: string
  16202. name:
  16203. description: The name of the object located at the provider type.
  16204. maxLength: 253
  16205. minLength: 1
  16206. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16207. type: string
  16208. namespace:
  16209. description: |-
  16210. The namespace the Provider type is in.
  16211. Can only be defined when used in a ClusterSecretStore.
  16212. maxLength: 63
  16213. minLength: 1
  16214. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16215. type: string
  16216. type:
  16217. description: The type of provider to use such as "Secret", or "ConfigMap".
  16218. enum:
  16219. - Secret
  16220. - ConfigMap
  16221. type: string
  16222. required:
  16223. - name
  16224. - type
  16225. type: object
  16226. folderPath:
  16227. description: |-
  16228. FolderPath specifies the default folder path for secret retrieval.
  16229. Secrets will be fetched from this folder unless overridden in the ExternalSecret spec.
  16230. Example: "production/database" or "dev/api-keys"
  16231. Leave empty to retrieve secrets from the root folder.
  16232. For folder organization, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#folders
  16233. type: string
  16234. server:
  16235. description: |-
  16236. Server configures the BeyondTrust Workload Credentials server connection details.
  16237. Includes the API URL and Site ID for your BeyondTrust instance.
  16238. For API reference, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
  16239. properties:
  16240. apiUrl:
  16241. description: |-
  16242. APIURL is the base URL of your BeyondTrust Workload Credentials API server.
  16243. This should be the full URL to your BeyondTrust instance.
  16244. Example: https://api.beyondtrust.io/siie
  16245. For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#base-url
  16246. type: string
  16247. siteId:
  16248. description: |-
  16249. SiteID is your BeyondTrust Workload Credentials site identifier (UUID format).
  16250. This identifier is unique to your BeyondTrust Workload Credentials instance.
  16251. You can find your Site ID in the BeyondTrust Workload Credentials admin console.
  16252. Example: a1b2c3d4-e5f6-4890-abcd-ef1234567890
  16253. For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
  16254. type: string
  16255. required:
  16256. - apiUrl
  16257. - siteId
  16258. type: object
  16259. required:
  16260. - auth
  16261. - server
  16262. type: object
  16263. bitwardensecretsmanager:
  16264. description: BitwardenSecretsManager configures this store to sync secrets using the BitwardenSecretsManager provider.
  16265. properties:
  16266. apiURL:
  16267. type: string
  16268. auth:
  16269. description: |-
  16270. Auth configures how secret-manager authenticates with a bitwarden machine account instance.
  16271. Make sure that the token being used has permissions on the given secret.
  16272. properties:
  16273. secretRef:
  16274. description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance.
  16275. properties:
  16276. credentials:
  16277. description: AccessToken used for the bitwarden instance.
  16278. properties:
  16279. key:
  16280. description: |-
  16281. A key in the referenced Secret.
  16282. Some instances of this field may be defaulted, in others it may be required.
  16283. maxLength: 253
  16284. minLength: 1
  16285. pattern: ^[-._a-zA-Z0-9]+$
  16286. type: string
  16287. name:
  16288. description: The name of the Secret resource being referred to.
  16289. maxLength: 253
  16290. minLength: 1
  16291. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16292. type: string
  16293. namespace:
  16294. description: |-
  16295. The namespace of the Secret resource being referred to.
  16296. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16297. maxLength: 63
  16298. minLength: 1
  16299. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16300. type: string
  16301. type: object
  16302. required:
  16303. - credentials
  16304. type: object
  16305. required:
  16306. - secretRef
  16307. type: object
  16308. bitwardenServerSDKURL:
  16309. type: string
  16310. caBundle:
  16311. description: |-
  16312. Base64-encoded certificate for the Bitwarden server SDK. The SDK MUST run with HTTPS to make sure no MITM attack
  16313. can be performed.
  16314. type: string
  16315. caProvider:
  16316. description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider'
  16317. properties:
  16318. key:
  16319. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  16320. maxLength: 253
  16321. minLength: 1
  16322. pattern: ^[-._a-zA-Z0-9]+$
  16323. type: string
  16324. name:
  16325. description: The name of the object located at the provider type.
  16326. maxLength: 253
  16327. minLength: 1
  16328. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16329. type: string
  16330. namespace:
  16331. description: |-
  16332. The namespace the Provider type is in.
  16333. Can only be defined when used in a ClusterSecretStore.
  16334. maxLength: 63
  16335. minLength: 1
  16336. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16337. type: string
  16338. type:
  16339. description: The type of provider to use such as "Secret", or "ConfigMap".
  16340. enum:
  16341. - Secret
  16342. - ConfigMap
  16343. type: string
  16344. required:
  16345. - name
  16346. - type
  16347. type: object
  16348. identityURL:
  16349. type: string
  16350. organizationID:
  16351. description: OrganizationID determines which organization this secret store manages.
  16352. type: string
  16353. projectID:
  16354. description: ProjectID determines which project this secret store manages.
  16355. type: string
  16356. required:
  16357. - auth
  16358. - organizationID
  16359. - projectID
  16360. type: object
  16361. chef:
  16362. description: Chef configures this store to sync secrets with a Chef server.
  16363. properties:
  16364. auth:
  16365. description: Auth defines the information necessary to authenticate against the Chef server.
  16366. properties:
  16367. secretRef:
  16368. description: ChefAuthSecretRef holds secret references for chef server login credentials.
  16369. properties:
  16370. privateKeySecretRef:
  16371. description: SecretKey is the Signing Key in PEM format, used for authentication.
  16372. properties:
  16373. key:
  16374. description: |-
  16375. A key in the referenced Secret.
  16376. Some instances of this field may be defaulted, in others it may be required.
  16377. maxLength: 253
  16378. minLength: 1
  16379. pattern: ^[-._a-zA-Z0-9]+$
  16380. type: string
  16381. name:
  16382. description: The name of the Secret resource being referred to.
  16383. maxLength: 253
  16384. minLength: 1
  16385. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16386. type: string
  16387. namespace:
  16388. description: |-
  16389. The namespace of the Secret resource being referred to.
  16390. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16391. maxLength: 63
  16392. minLength: 1
  16393. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16394. type: string
  16395. type: object
  16396. required:
  16397. - privateKeySecretRef
  16398. type: object
  16399. required:
  16400. - secretRef
  16401. type: object
  16402. serverUrl:
  16403. description: ServerURL is the Chef server URL to connect to. If using orgs, include your org in the URL and terminate the URL with a "/".
  16404. type: string
  16405. username:
  16406. description: UserName should be the user ID on the Chef server.
  16407. type: string
  16408. required:
  16409. - auth
  16410. - serverUrl
  16411. - username
  16412. type: object
  16413. cloudrusm:
  16414. description: CloudruSM configures this store to sync secrets using the Cloud.ru Secret Manager provider
  16415. properties:
  16416. auth:
  16417. description: CSMAuth contains a secretRef for credentials.
  16418. properties:
  16419. secretRef:
  16420. description: CSMAuthSecretRef holds secret references for Cloud.ru credentials.
  16421. properties:
  16422. accessKeyIDSecretRef:
  16423. description: The AccessKeyID is used for authentication
  16424. properties:
  16425. key:
  16426. description: |-
  16427. A key in the referenced Secret.
  16428. Some instances of this field may be defaulted, in others it may be required.
  16429. maxLength: 253
  16430. minLength: 1
  16431. pattern: ^[-._a-zA-Z0-9]+$
  16432. type: string
  16433. name:
  16434. description: The name of the Secret resource being referred to.
  16435. maxLength: 253
  16436. minLength: 1
  16437. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16438. type: string
  16439. namespace:
  16440. description: |-
  16441. The namespace of the Secret resource being referred to.
  16442. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16443. maxLength: 63
  16444. minLength: 1
  16445. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16446. type: string
  16447. type: object
  16448. accessKeySecretSecretRef:
  16449. description: The AccessKeySecret is used for authentication
  16450. properties:
  16451. key:
  16452. description: |-
  16453. A key in the referenced Secret.
  16454. Some instances of this field may be defaulted, in others it may be required.
  16455. maxLength: 253
  16456. minLength: 1
  16457. pattern: ^[-._a-zA-Z0-9]+$
  16458. type: string
  16459. name:
  16460. description: The name of the Secret resource being referred to.
  16461. maxLength: 253
  16462. minLength: 1
  16463. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16464. type: string
  16465. namespace:
  16466. description: |-
  16467. The namespace of the Secret resource being referred to.
  16468. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16469. maxLength: 63
  16470. minLength: 1
  16471. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16472. type: string
  16473. type: object
  16474. required:
  16475. - accessKeyIDSecretRef
  16476. - accessKeySecretSecretRef
  16477. type: object
  16478. type: object
  16479. projectID:
  16480. description: ProjectID is the project in which the secrets are stored.
  16481. type: string
  16482. required:
  16483. - auth
  16484. type: object
  16485. conjur:
  16486. description: Conjur configures this store to sync secrets using conjur provider
  16487. properties:
  16488. auth:
  16489. description: Defines authentication settings for connecting to Conjur.
  16490. properties:
  16491. apikey:
  16492. description: Authenticates with Conjur using an API key.
  16493. properties:
  16494. account:
  16495. description: Account is the Conjur organization account name.
  16496. type: string
  16497. apiKeyRef:
  16498. description: |-
  16499. A reference to a specific 'key' containing the Conjur API key
  16500. within a Secret resource. In some instances, `key` is a required field.
  16501. properties:
  16502. key:
  16503. description: |-
  16504. A key in the referenced Secret.
  16505. Some instances of this field may be defaulted, in others it may be required.
  16506. maxLength: 253
  16507. minLength: 1
  16508. pattern: ^[-._a-zA-Z0-9]+$
  16509. type: string
  16510. name:
  16511. description: The name of the Secret resource being referred to.
  16512. maxLength: 253
  16513. minLength: 1
  16514. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16515. type: string
  16516. namespace:
  16517. description: |-
  16518. The namespace of the Secret resource being referred to.
  16519. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16520. maxLength: 63
  16521. minLength: 1
  16522. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16523. type: string
  16524. type: object
  16525. userRef:
  16526. description: |-
  16527. A reference to a specific 'key' containing the Conjur username
  16528. within a Secret resource. In some instances, `key` is a required field.
  16529. properties:
  16530. key:
  16531. description: |-
  16532. A key in the referenced Secret.
  16533. Some instances of this field may be defaulted, in others it may be required.
  16534. maxLength: 253
  16535. minLength: 1
  16536. pattern: ^[-._a-zA-Z0-9]+$
  16537. type: string
  16538. name:
  16539. description: The name of the Secret resource being referred to.
  16540. maxLength: 253
  16541. minLength: 1
  16542. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16543. type: string
  16544. namespace:
  16545. description: |-
  16546. The namespace of the Secret resource being referred to.
  16547. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16548. maxLength: 63
  16549. minLength: 1
  16550. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16551. type: string
  16552. type: object
  16553. required:
  16554. - account
  16555. - apiKeyRef
  16556. - userRef
  16557. type: object
  16558. jwt:
  16559. description: Jwt enables JWT authentication using Kubernetes service account tokens.
  16560. properties:
  16561. account:
  16562. description: Account is the Conjur organization account name.
  16563. type: string
  16564. hostId:
  16565. description: |-
  16566. Optional HostID for JWT authentication. This may be used depending
  16567. on how the Conjur JWT authenticator policy is configured.
  16568. type: string
  16569. secretRef:
  16570. description: |-
  16571. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  16572. authenticate with Conjur using the JWT authentication method.
  16573. properties:
  16574. key:
  16575. description: |-
  16576. A key in the referenced Secret.
  16577. Some instances of this field may be defaulted, in others it may be required.
  16578. maxLength: 253
  16579. minLength: 1
  16580. pattern: ^[-._a-zA-Z0-9]+$
  16581. type: string
  16582. name:
  16583. description: The name of the Secret resource being referred to.
  16584. maxLength: 253
  16585. minLength: 1
  16586. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16587. type: string
  16588. namespace:
  16589. description: |-
  16590. The namespace of the Secret resource being referred to.
  16591. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16592. maxLength: 63
  16593. minLength: 1
  16594. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16595. type: string
  16596. type: object
  16597. serviceAccountRef:
  16598. description: |-
  16599. Optional ServiceAccountRef specifies the Kubernetes service account for which to request
  16600. a token with the `TokenRequest` API.
  16601. properties:
  16602. audiences:
  16603. description: |-
  16604. Audience specifies the `aud` claim for the service account token.
  16605. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity,
  16606. then these audiences will be appended to the list.
  16607. items:
  16608. type: string
  16609. type: array
  16610. name:
  16611. description: The name of the ServiceAccount resource being referred to.
  16612. maxLength: 253
  16613. minLength: 1
  16614. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16615. type: string
  16616. namespace:
  16617. description: |-
  16618. Namespace of the resource being referred to.
  16619. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16620. maxLength: 63
  16621. minLength: 1
  16622. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16623. type: string
  16624. required:
  16625. - name
  16626. type: object
  16627. serviceID:
  16628. description: The conjur authn jwt webservice id
  16629. type: string
  16630. required:
  16631. - account
  16632. - serviceID
  16633. type: object
  16634. type: object
  16635. caBundle:
  16636. description: CABundle is a PEM encoded CA bundle that will be used to validate the Conjur server certificate.
  16637. type: string
  16638. caProvider:
  16639. description: |-
  16640. Used to provide custom certificate authority (CA) certificates
  16641. for a secret store. The CAProvider points to a Secret or ConfigMap resource
  16642. that contains a PEM-encoded certificate.
  16643. properties:
  16644. key:
  16645. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  16646. maxLength: 253
  16647. minLength: 1
  16648. pattern: ^[-._a-zA-Z0-9]+$
  16649. type: string
  16650. name:
  16651. description: The name of the object located at the provider type.
  16652. maxLength: 253
  16653. minLength: 1
  16654. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16655. type: string
  16656. namespace:
  16657. description: |-
  16658. The namespace the Provider type is in.
  16659. Can only be defined when used in a ClusterSecretStore.
  16660. maxLength: 63
  16661. minLength: 1
  16662. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16663. type: string
  16664. type:
  16665. description: The type of provider to use such as "Secret", or "ConfigMap".
  16666. enum:
  16667. - Secret
  16668. - ConfigMap
  16669. type: string
  16670. required:
  16671. - name
  16672. - type
  16673. type: object
  16674. url:
  16675. description: URL is the endpoint of the Conjur instance.
  16676. type: string
  16677. required:
  16678. - auth
  16679. - url
  16680. type: object
  16681. delinea:
  16682. description: |-
  16683. Delinea DevOps Secrets Vault
  16684. https://docs.delinea.com/online-help/products/devops-secrets-vault/current
  16685. properties:
  16686. clientId:
  16687. description: ClientID is the non-secret part of the credential.
  16688. properties:
  16689. secretRef:
  16690. description: SecretRef references a key in a secret that will be used as value.
  16691. properties:
  16692. key:
  16693. description: |-
  16694. A key in the referenced Secret.
  16695. Some instances of this field may be defaulted, in others it may be required.
  16696. maxLength: 253
  16697. minLength: 1
  16698. pattern: ^[-._a-zA-Z0-9]+$
  16699. type: string
  16700. name:
  16701. description: The name of the Secret resource being referred to.
  16702. maxLength: 253
  16703. minLength: 1
  16704. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16705. type: string
  16706. namespace:
  16707. description: |-
  16708. The namespace of the Secret resource being referred to.
  16709. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16710. maxLength: 63
  16711. minLength: 1
  16712. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16713. type: string
  16714. type: object
  16715. value:
  16716. description: Value can be specified directly to set a value without using a secret.
  16717. type: string
  16718. type: object
  16719. clientSecret:
  16720. description: ClientSecret is the secret part of the credential.
  16721. properties:
  16722. secretRef:
  16723. description: SecretRef references a key in a secret that will be used as value.
  16724. properties:
  16725. key:
  16726. description: |-
  16727. A key in the referenced Secret.
  16728. Some instances of this field may be defaulted, in others it may be required.
  16729. maxLength: 253
  16730. minLength: 1
  16731. pattern: ^[-._a-zA-Z0-9]+$
  16732. type: string
  16733. name:
  16734. description: The name of the Secret resource being referred to.
  16735. maxLength: 253
  16736. minLength: 1
  16737. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16738. type: string
  16739. namespace:
  16740. description: |-
  16741. The namespace of the Secret resource being referred to.
  16742. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16743. maxLength: 63
  16744. minLength: 1
  16745. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16746. type: string
  16747. type: object
  16748. value:
  16749. description: Value can be specified directly to set a value without using a secret.
  16750. type: string
  16751. type: object
  16752. tenant:
  16753. description: Tenant is the chosen hostname / site name.
  16754. type: string
  16755. tld:
  16756. description: |-
  16757. TLD is based on the server location that was chosen during provisioning.
  16758. If unset, defaults to "com".
  16759. type: string
  16760. urlTemplate:
  16761. description: |-
  16762. URLTemplate
  16763. If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s".
  16764. type: string
  16765. required:
  16766. - clientId
  16767. - clientSecret
  16768. - tenant
  16769. type: object
  16770. doppler:
  16771. description: Doppler configures this store to sync secrets using the Doppler provider
  16772. properties:
  16773. auth:
  16774. description: Auth configures how the Operator authenticates with the Doppler API
  16775. properties:
  16776. oidcConfig:
  16777. description: OIDCConfig authenticates using Kubernetes ServiceAccount tokens via OIDC.
  16778. properties:
  16779. expirationSeconds:
  16780. default: 600
  16781. description: |-
  16782. ExpirationSeconds sets the ServiceAccount token validity duration.
  16783. Defaults to 10 minutes.
  16784. format: int64
  16785. type: integer
  16786. identity:
  16787. description: Identity is the Doppler Service Account Identity ID configured for OIDC authentication.
  16788. type: string
  16789. serviceAccountRef:
  16790. description: ServiceAccountRef specifies the Kubernetes ServiceAccount to use for authentication.
  16791. properties:
  16792. audiences:
  16793. description: |-
  16794. Audience specifies the `aud` claim for the service account token.
  16795. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity,
  16796. then these audiences will be appended to the list.
  16797. items:
  16798. type: string
  16799. type: array
  16800. name:
  16801. description: The name of the ServiceAccount resource being referred to.
  16802. maxLength: 253
  16803. minLength: 1
  16804. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16805. type: string
  16806. namespace:
  16807. description: |-
  16808. Namespace of the resource being referred to.
  16809. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16810. maxLength: 63
  16811. minLength: 1
  16812. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16813. type: string
  16814. required:
  16815. - name
  16816. type: object
  16817. required:
  16818. - identity
  16819. - serviceAccountRef
  16820. type: object
  16821. secretRef:
  16822. description: SecretRef authenticates using a Doppler service token stored in a Kubernetes Secret.
  16823. properties:
  16824. dopplerToken:
  16825. description: |-
  16826. The DopplerToken is used for authentication.
  16827. See https://docs.doppler.com/reference/api#authentication for auth token types.
  16828. The Key attribute defaults to dopplerToken if not specified.
  16829. properties:
  16830. key:
  16831. description: |-
  16832. A key in the referenced Secret.
  16833. Some instances of this field may be defaulted, in others it may be required.
  16834. maxLength: 253
  16835. minLength: 1
  16836. pattern: ^[-._a-zA-Z0-9]+$
  16837. type: string
  16838. name:
  16839. description: The name of the Secret resource being referred to.
  16840. maxLength: 253
  16841. minLength: 1
  16842. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16843. type: string
  16844. namespace:
  16845. description: |-
  16846. The namespace of the Secret resource being referred to.
  16847. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16848. maxLength: 63
  16849. minLength: 1
  16850. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16851. type: string
  16852. type: object
  16853. required:
  16854. - dopplerToken
  16855. type: object
  16856. type: object
  16857. x-kubernetes-validations:
  16858. - message: Exactly one of 'secretRef' or 'oidcConfig' must be specified
  16859. rule: (has(self.secretRef) && !has(self.oidcConfig)) || (!has(self.secretRef) && has(self.oidcConfig))
  16860. config:
  16861. description: Doppler config (required if not using a Service Token)
  16862. type: string
  16863. format:
  16864. description: Format enables the downloading of secrets as a file (string)
  16865. enum:
  16866. - json
  16867. - dotnet-json
  16868. - env
  16869. - yaml
  16870. - docker
  16871. type: string
  16872. nameTransformer:
  16873. description: Environment variable compatible name transforms that change secret names to a different format
  16874. enum:
  16875. - upper-camel
  16876. - camel
  16877. - lower-snake
  16878. - tf-var
  16879. - dotnet-env
  16880. - lower-kebab
  16881. type: string
  16882. project:
  16883. description: Doppler project (required if not using a Service Token)
  16884. type: string
  16885. required:
  16886. - auth
  16887. type: object
  16888. dvls:
  16889. description: DVLS configures this store to sync secrets using Devolutions Server provider
  16890. properties:
  16891. auth:
  16892. description: Auth defines the authentication method to use.
  16893. properties:
  16894. secretRef:
  16895. description: SecretRef contains the Application ID and Application Secret for authentication.
  16896. properties:
  16897. appId:
  16898. description: AppID is the reference to the secret containing the Application ID.
  16899. properties:
  16900. key:
  16901. description: |-
  16902. A key in the referenced Secret.
  16903. Some instances of this field may be defaulted, in others it may be required.
  16904. maxLength: 253
  16905. minLength: 1
  16906. pattern: ^[-._a-zA-Z0-9]+$
  16907. type: string
  16908. name:
  16909. description: The name of the Secret resource being referred to.
  16910. maxLength: 253
  16911. minLength: 1
  16912. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16913. type: string
  16914. namespace:
  16915. description: |-
  16916. The namespace of the Secret resource being referred to.
  16917. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16918. maxLength: 63
  16919. minLength: 1
  16920. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16921. type: string
  16922. type: object
  16923. appSecret:
  16924. description: AppSecret is the reference to the secret containing the Application Secret.
  16925. properties:
  16926. key:
  16927. description: |-
  16928. A key in the referenced Secret.
  16929. Some instances of this field may be defaulted, in others it may be required.
  16930. maxLength: 253
  16931. minLength: 1
  16932. pattern: ^[-._a-zA-Z0-9]+$
  16933. type: string
  16934. name:
  16935. description: The name of the Secret resource being referred to.
  16936. maxLength: 253
  16937. minLength: 1
  16938. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16939. type: string
  16940. namespace:
  16941. description: |-
  16942. The namespace of the Secret resource being referred to.
  16943. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16944. maxLength: 63
  16945. minLength: 1
  16946. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16947. type: string
  16948. type: object
  16949. required:
  16950. - appId
  16951. - appSecret
  16952. type: object
  16953. required:
  16954. - secretRef
  16955. type: object
  16956. insecure:
  16957. description: |-
  16958. Insecure allows connecting to DVLS over plain HTTP.
  16959. This is NOT RECOMMENDED for production use: the Application ID/Secret and every secret fetched are transmitted in cleartext.
  16960. Set to true only if you understand the security implications.
  16961. type: boolean
  16962. serverUrl:
  16963. description: ServerURL is the DVLS instance URL (e.g., https://dvls.example.com).
  16964. type: string
  16965. vault:
  16966. description: |-
  16967. Vault is the name or UUID of the vault to fetch secrets from.
  16968. When omitted, the vault must be specified in the secret key using the legacy format "<vault-id>/<entry-id>".
  16969. type: string
  16970. required:
  16971. - auth
  16972. - serverUrl
  16973. type: object
  16974. fake:
  16975. description: Fake configures a store with static key/value pairs
  16976. properties:
  16977. data:
  16978. items:
  16979. description: FakeProviderData defines a key-value pair with optional version for the fake provider.
  16980. properties:
  16981. key:
  16982. type: string
  16983. value:
  16984. type: string
  16985. version:
  16986. type: string
  16987. required:
  16988. - key
  16989. - value
  16990. type: object
  16991. type: array
  16992. validationResult:
  16993. description: ValidationResult is defined type for the number of validation results.
  16994. type: integer
  16995. required:
  16996. - data
  16997. type: object
  16998. fortanix:
  16999. description: Fortanix configures this store to sync secrets using the Fortanix provider
  17000. properties:
  17001. apiKey:
  17002. description: APIKey is the API token to access SDKMS Applications.
  17003. properties:
  17004. secretRef:
  17005. description: SecretRef is a reference to a secret containing the SDKMS API Key.
  17006. properties:
  17007. key:
  17008. description: |-
  17009. A key in the referenced Secret.
  17010. Some instances of this field may be defaulted, in others it may be required.
  17011. maxLength: 253
  17012. minLength: 1
  17013. pattern: ^[-._a-zA-Z0-9]+$
  17014. type: string
  17015. name:
  17016. description: The name of the Secret resource being referred to.
  17017. maxLength: 253
  17018. minLength: 1
  17019. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17020. type: string
  17021. namespace:
  17022. description: |-
  17023. The namespace of the Secret resource being referred to.
  17024. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17025. maxLength: 63
  17026. minLength: 1
  17027. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17028. type: string
  17029. type: object
  17030. type: object
  17031. apiUrl:
  17032. description: APIURL is the URL of the SDKMS API. Defaults to `sdkms.fortanix.com`.
  17033. type: string
  17034. type: object
  17035. gcpsm:
  17036. description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
  17037. properties:
  17038. auth:
  17039. description: Auth defines the information necessary to authenticate against GCP
  17040. properties:
  17041. secretRef:
  17042. description: GCPSMAuthSecretRef contains the secret references for GCP Secret Manager authentication.
  17043. properties:
  17044. secretAccessKeySecretRef:
  17045. description: The SecretAccessKey is used for authentication
  17046. properties:
  17047. key:
  17048. description: |-
  17049. A key in the referenced Secret.
  17050. Some instances of this field may be defaulted, in others it may be required.
  17051. maxLength: 253
  17052. minLength: 1
  17053. pattern: ^[-._a-zA-Z0-9]+$
  17054. type: string
  17055. name:
  17056. description: The name of the Secret resource being referred to.
  17057. maxLength: 253
  17058. minLength: 1
  17059. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17060. type: string
  17061. namespace:
  17062. description: |-
  17063. The namespace of the Secret resource being referred to.
  17064. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17065. maxLength: 63
  17066. minLength: 1
  17067. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17068. type: string
  17069. type: object
  17070. type: object
  17071. workloadIdentity:
  17072. description: GCPWorkloadIdentity defines configuration for workload identity authentication to GCP.
  17073. properties:
  17074. clusterLocation:
  17075. description: |-
  17076. ClusterLocation is the location of the cluster
  17077. If not specified, it fetches information from the metadata server
  17078. type: string
  17079. clusterName:
  17080. description: |-
  17081. ClusterName is the name of the cluster
  17082. If not specified, it fetches information from the metadata server
  17083. type: string
  17084. clusterProjectID:
  17085. description: |-
  17086. ClusterProjectID is the project ID of the cluster
  17087. If not specified, it fetches information from the metadata server
  17088. type: string
  17089. serviceAccountRef:
  17090. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  17091. properties:
  17092. audiences:
  17093. description: |-
  17094. Audience specifies the `aud` claim for the service account token
  17095. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  17096. then these audiences will be appended to the list
  17097. items:
  17098. type: string
  17099. type: array
  17100. name:
  17101. description: The name of the ServiceAccount resource being referred to.
  17102. maxLength: 253
  17103. minLength: 1
  17104. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17105. type: string
  17106. namespace:
  17107. description: |-
  17108. Namespace of the resource being referred to.
  17109. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17110. maxLength: 63
  17111. minLength: 1
  17112. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17113. type: string
  17114. required:
  17115. - name
  17116. type: object
  17117. required:
  17118. - serviceAccountRef
  17119. type: object
  17120. workloadIdentityFederation:
  17121. description: GCPWorkloadIdentityFederation holds the configurations required for generating federated access tokens.
  17122. properties:
  17123. audience:
  17124. description: |-
  17125. audience is the Secure Token Service (STS) audience which contains the resource name for the workload identity pool and the provider identifier in that pool.
  17126. If specified, Audience found in the external account credential config will be overridden with the configured value.
  17127. audience must be provided when serviceAccountRef or awsSecurityCredentials is configured.
  17128. type: string
  17129. awsSecurityCredentials:
  17130. description: |-
  17131. awsSecurityCredentials is for configuring AWS region and credentials to use for obtaining the access token,
  17132. when using the AWS metadata server is not an option.
  17133. properties:
  17134. awsCredentialsSecretRef:
  17135. description: |-
  17136. awsCredentialsSecretRef is the reference to the secret which holds the AWS credentials.
  17137. The Secret must contain the following keys:
  17138. - aws_access_key_id: Access Key ID, which is the unique identifier for the AWS account or the IAM user.
  17139. - aws_secret_access_key: Secret Access Key, which is used to authenticate requests made to AWS services.
  17140. - aws_session_token: Session Token, is the short-lived token to authenticate requests made to AWS services.
  17141. properties:
  17142. name:
  17143. description: name of the secret.
  17144. maxLength: 253
  17145. minLength: 1
  17146. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17147. type: string
  17148. namespace:
  17149. description: namespace in which the Secret exists. If empty, the Secret is looked up in the local namespace.
  17150. maxLength: 63
  17151. minLength: 1
  17152. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17153. type: string
  17154. required:
  17155. - name
  17156. type: object
  17157. region:
  17158. description: region is for configuring the AWS region to be used.
  17159. example: ap-south-1
  17160. maxLength: 50
  17161. minLength: 1
  17162. pattern: ^[a-z0-9-]+$
  17163. type: string
  17164. required:
  17165. - awsCredentialsSecretRef
  17166. - region
  17167. type: object
  17168. credConfig:
  17169. description: |-
  17170. credConfig holds the configmap reference containing the GCP external account credential configuration in JSON format and the key name containing the json data.
  17171. To use the Kubernetes cluster as the identity provider, use serviceAccountRef instead. The operator's own mounted ServiceAccount token cannot be used as the token source;
  17172. serviceAccountRef must be used instead, providing the operator's service account details.
  17173. properties:
  17174. key:
  17175. description: key name holding the external account credential config.
  17176. maxLength: 253
  17177. minLength: 1
  17178. pattern: ^[-._a-zA-Z0-9]+$
  17179. type: string
  17180. name:
  17181. description: name of the configmap.
  17182. maxLength: 253
  17183. minLength: 1
  17184. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17185. type: string
  17186. namespace:
  17187. description: namespace in which the ConfigMap exists. If empty, the ConfigMap is looked up in the local namespace.
  17188. maxLength: 63
  17189. minLength: 1
  17190. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17191. type: string
  17192. required:
  17193. - key
  17194. - name
  17195. type: object
  17196. externalTokenEndpoint:
  17197. description: |-
  17198. externalTokenEndpoint is the endpoint explicitly set up to provide tokens; it is compared against the
  17199. credential_source.url in the provided credConfig. This field only serves as a cross-check that the external
  17200. token source URL in credConfig has the expected value, so a credConfig pointing at an unexpected endpoint is detected.
  17201. type: string
  17202. gcpServiceAccountEmail:
  17203. description: |-
  17204. GCPServiceAccountEmail is the email of the Google Cloud service account to impersonate
  17205. after Workload Identity Federation. Use this to grant access through the service account's
  17206. IAM bindings (for example roles/secretmanager.secretAccessor). When set, it overrides
  17207. service_account_impersonation_url in the external account JSON from credConfig;
  17208. when serviceAccountRef is set, it also overrides the "iam.gke.io/gcp-service-account" annotation
  17209. on that ServiceAccount.
  17210. example: my-gsa@my-project.iam.gserviceaccount.com
  17211. minLength: 1
  17212. pattern: ^.*@.*\.iam\.gserviceaccount\.com$
  17213. type: string
  17214. serviceAccountRef:
  17215. description: |-
  17216. serviceAccountRef is the reference to the kubernetes ServiceAccount to be used for obtaining the tokens,
  17217. when Kubernetes is configured as provider in workload identity pool.
  17218. properties:
  17219. audiences:
  17220. description: |-
  17221. Audience specifies the `aud` claim for the service account token
  17222. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  17223. then these audiences will be appended to the list
  17224. items:
  17225. type: string
  17226. type: array
  17227. name:
  17228. description: The name of the ServiceAccount resource being referred to.
  17229. maxLength: 253
  17230. minLength: 1
  17231. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17232. type: string
  17233. namespace:
  17234. description: |-
  17235. Namespace of the resource being referred to.
  17236. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17237. maxLength: 63
  17238. minLength: 1
  17239. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17240. type: string
  17241. required:
  17242. - name
  17243. type: object
  17244. type: object
  17245. type: object
  17246. location:
  17247. description: Location optionally defines a location for a secret
  17248. type: string
  17249. projectID:
  17250. description: ProjectID is the GCP project where the secret is located
  17251. type: string
  17252. secretVersionSelectionPolicy:
  17253. default: LatestOrFail
  17254. description: |-
  17255. SecretVersionSelectionPolicy specifies how the provider selects a secret version
  17256. when "latest" is disabled or destroyed.
  17257. Possible values are:
  17258. - LatestOrFail: the provider always uses "latest", or fails if that version is disabled/destroyed.
  17259. - LatestOrFetch: the provider falls back to fetching the latest version if the version is DESTROYED or DISABLED
  17260. type: string
  17261. type: object
  17262. github:
  17263. description: |-
  17264. Github configures this store to push GitHub Actions secrets using the GitHub API provider.
  17265. Note: This provider only supports write operations (PushSecret) and cannot fetch secrets from GitHub
  17266. properties:
  17267. appID:
  17268. description: appID specifies the Github APP that will be used to authenticate the client
  17269. format: int64
  17270. type: integer
  17271. auth:
  17272. description: auth configures how secret-manager authenticates with a Github instance.
  17273. properties:
  17274. privateKey:
  17275. description: |-
  17276. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17277. In some instances, `key` is a required field.
  17278. properties:
  17279. key:
  17280. description: |-
  17281. A key in the referenced Secret.
  17282. Some instances of this field may be defaulted, in others it may be required.
  17283. maxLength: 253
  17284. minLength: 1
  17285. pattern: ^[-._a-zA-Z0-9]+$
  17286. type: string
  17287. name:
  17288. description: The name of the Secret resource being referred to.
  17289. maxLength: 253
  17290. minLength: 1
  17291. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17292. type: string
  17293. namespace:
  17294. description: |-
  17295. The namespace of the Secret resource being referred to.
  17296. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17297. maxLength: 63
  17298. minLength: 1
  17299. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17300. type: string
  17301. type: object
  17302. required:
  17303. - privateKey
  17304. type: object
  17305. environment:
  17306. description: environment selects the environment within the GitHub repository that secrets are pushed to
  17307. type: string
  17308. installationID:
  17309. description: installationID specifies the Github APP installation that will be used to authenticate the client
  17310. format: int64
  17311. type: integer
  17312. orgSecretVisibility:
  17313. description: |-
  17314. orgSecretVisibility controls the visibility of organization secrets pushed via PushSecret.
  17315. Valid values are "all" or "private".
  17316. When unset, new secrets are created with visibility "all" and existing secrets preserve
  17317. whatever visibility they already have in GitHub.
  17318. enum:
  17319. - all
  17320. - private
  17321. type: string
  17322. organization:
  17323. description: organization is the GitHub organization that secrets are pushed to
  17324. type: string
  17325. repository:
  17326. description: repository is the GitHub repository within the organization that secrets are pushed to
  17327. type: string
  17328. uploadURL:
  17329. description: Upload URL for enterprise instances. Defaults to the value of url.
  17330. type: string
  17331. url:
  17332. default: https://github.com/
  17333. description: URL configures the Github instance URL. Defaults to https://github.com/.
  17334. type: string
  17335. required:
  17336. - appID
  17337. - auth
  17338. - installationID
  17339. - organization
  17340. type: object
  17341. gitlab:
  17342. description: GitLab configures this store to sync secrets using GitLab Variables provider
  17343. properties:
  17344. auth:
  17345. description: Auth configures how secret-manager authenticates with a GitLab instance.
  17346. properties:
  17347. SecretRef:
  17348. description: GitlabSecretRef contains the secret reference for GitLab authentication credentials.
  17349. properties:
  17350. accessToken:
  17351. description: AccessToken is used for authentication.
  17352. properties:
  17353. key:
  17354. description: |-
  17355. A key in the referenced Secret.
  17356. Some instances of this field may be defaulted, in others it may be required.
  17357. maxLength: 253
  17358. minLength: 1
  17359. pattern: ^[-._a-zA-Z0-9]+$
  17360. type: string
  17361. name:
  17362. description: The name of the Secret resource being referred to.
  17363. maxLength: 253
  17364. minLength: 1
  17365. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17366. type: string
  17367. namespace:
  17368. description: |-
  17369. The namespace of the Secret resource being referred to.
  17370. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17371. maxLength: 63
  17372. minLength: 1
  17373. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17374. type: string
  17375. type: object
  17376. type: object
  17377. required:
  17378. - SecretRef
  17379. type: object
  17380. caBundle:
  17381. description: |-
  17382. Base64-encoded CA certificate used by the GitLab client SDK to verify the server. The SDK MUST connect over HTTPS
  17383. so that a MITM attack cannot be performed.
  17384. format: byte
  17385. type: string
  17386. caProvider:
  17387. description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider'
  17388. properties:
  17389. key:
  17390. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  17391. maxLength: 253
  17392. minLength: 1
  17393. pattern: ^[-._a-zA-Z0-9]+$
  17394. type: string
  17395. name:
  17396. description: The name of the object located at the provider type.
  17397. maxLength: 253
  17398. minLength: 1
  17399. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17400. type: string
  17401. namespace:
  17402. description: |-
  17403. The namespace the Provider type is in.
  17404. Can only be defined when used in a ClusterSecretStore.
  17405. maxLength: 63
  17406. minLength: 1
  17407. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17408. type: string
  17409. type:
  17410. description: The type of provider to use such as "Secret", or "ConfigMap".
  17411. enum:
  17412. - Secret
  17413. - ConfigMap
  17414. type: string
  17415. required:
  17416. - name
  17417. - type
  17418. type: object
  17419. environment:
  17420. description: Environment is the environment_scope of GitLab CI/CD variables (see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment for how to create environments)
  17421. type: string
  17422. groupIDs:
  17423. description: GroupIDs specifies which GitLab groups to pull secrets from. Group secrets are read from left to right, followed by the project variables.
  17424. items:
  17425. type: string
  17426. type: array
  17427. inheritFromGroups:
  17428. description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets.
  17429. type: boolean
  17430. projectID:
  17431. description: ProjectID specifies a project where secrets are located.
  17432. type: string
  17433. url:
  17434. description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
  17435. type: string
  17436. required:
  17437. - auth
  17438. type: object
  17439. ibm:
  17440. description: IBM configures this store to sync secrets using IBM Cloud provider
  17441. properties:
  17442. auth:
  17443. description: Auth configures how secret-manager authenticates with the IBM secrets manager.
  17444. maxProperties: 1
  17445. minProperties: 1
  17446. properties:
  17447. containerAuth:
  17448. description: IBMAuthContainerAuth defines container-based authentication with IAM Trusted Profile.
  17449. properties:
  17450. iamEndpoint:
  17451. type: string
  17452. profile:
  17453. description: the IBM Trusted Profile
  17454. type: string
  17455. tokenLocation:
  17456. description: Location where the token is mounted in the pod
  17457. type: string
  17458. required:
  17459. - profile
  17460. type: object
  17461. secretRef:
  17462. description: IBMAuthSecretRef contains the secret reference for IBM Cloud API key authentication.
  17463. properties:
  17464. iamEndpoint:
  17465. description: The IAM endpoint used to obtain a token
  17466. type: string
  17467. secretApiKeySecretRef:
  17468. description: The SecretAccessKey is used for authentication
  17469. properties:
  17470. key:
  17471. description: |-
  17472. A key in the referenced Secret.
  17473. Some instances of this field may be defaulted, in others it may be required.
  17474. maxLength: 253
  17475. minLength: 1
  17476. pattern: ^[-._a-zA-Z0-9]+$
  17477. type: string
  17478. name:
  17479. description: The name of the Secret resource being referred to.
  17480. maxLength: 253
  17481. minLength: 1
  17482. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17483. type: string
  17484. namespace:
  17485. description: |-
  17486. The namespace of the Secret resource being referred to.
  17487. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17488. maxLength: 63
  17489. minLength: 1
  17490. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17491. type: string
  17492. type: object
  17493. type: object
  17494. type: object
  17495. serviceUrl:
  17496. description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
  17497. type: string
  17498. required:
  17499. - auth
  17500. type: object
  17501. infisical:
  17502. description: Infisical configures this store to sync secrets using the Infisical provider
  17503. properties:
  17504. auth:
  17505. description: Auth configures how the Operator authenticates with the Infisical API
  17506. properties:
  17507. awsAuthCredentials:
  17508. description: AwsAuthCredentials represents the credentials for AWS authentication.
  17509. properties:
  17510. identityId:
  17511. description: |-
  17512. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17513. In some instances, `key` is a required field.
  17514. properties:
  17515. key:
  17516. description: |-
  17517. A key in the referenced Secret.
  17518. Some instances of this field may be defaulted, in others it may be required.
  17519. maxLength: 253
  17520. minLength: 1
  17521. pattern: ^[-._a-zA-Z0-9]+$
  17522. type: string
  17523. name:
  17524. description: The name of the Secret resource being referred to.
  17525. maxLength: 253
  17526. minLength: 1
  17527. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17528. type: string
  17529. namespace:
  17530. description: |-
  17531. The namespace of the Secret resource being referred to.
  17532. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17533. maxLength: 63
  17534. minLength: 1
  17535. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17536. type: string
  17537. type: object
  17538. required:
  17539. - identityId
  17540. type: object
  17541. azureAuthCredentials:
  17542. description: AzureAuthCredentials represents the credentials for Azure authentication.
  17543. properties:
  17544. identityId:
  17545. description: |-
  17546. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17547. In some instances, `key` is a required field.
  17548. properties:
  17549. key:
  17550. description: |-
  17551. A key in the referenced Secret.
  17552. Some instances of this field may be defaulted, in others it may be required.
  17553. maxLength: 253
  17554. minLength: 1
  17555. pattern: ^[-._a-zA-Z0-9]+$
  17556. type: string
  17557. name:
  17558. description: The name of the Secret resource being referred to.
  17559. maxLength: 253
  17560. minLength: 1
  17561. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17562. type: string
  17563. namespace:
  17564. description: |-
  17565. The namespace of the Secret resource being referred to.
  17566. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17567. maxLength: 63
  17568. minLength: 1
  17569. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17570. type: string
  17571. type: object
  17572. resource:
  17573. description: |-
  17574. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17575. In some instances, `key` is a required field.
  17576. properties:
  17577. key:
  17578. description: |-
  17579. A key in the referenced Secret.
  17580. Some instances of this field may be defaulted, in others it may be required.
  17581. maxLength: 253
  17582. minLength: 1
  17583. pattern: ^[-._a-zA-Z0-9]+$
  17584. type: string
  17585. name:
  17586. description: The name of the Secret resource being referred to.
  17587. maxLength: 253
  17588. minLength: 1
  17589. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17590. type: string
  17591. namespace:
  17592. description: |-
  17593. The namespace of the Secret resource being referred to.
  17594. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17595. maxLength: 63
  17596. minLength: 1
  17597. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17598. type: string
  17599. type: object
  17600. required:
  17601. - identityId
  17602. type: object
  17603. gcpIamAuthCredentials:
  17604. description: GcpIamAuthCredentials represents the credentials for GCP IAM authentication.
  17605. properties:
  17606. identityId:
  17607. description: |-
  17608. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17609. In some instances, `key` is a required field.
  17610. properties:
  17611. key:
  17612. description: |-
  17613. A key in the referenced Secret.
  17614. Some instances of this field may be defaulted, in others it may be required.
  17615. maxLength: 253
  17616. minLength: 1
  17617. pattern: ^[-._a-zA-Z0-9]+$
  17618. type: string
  17619. name:
  17620. description: The name of the Secret resource being referred to.
  17621. maxLength: 253
  17622. minLength: 1
  17623. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17624. type: string
  17625. namespace:
  17626. description: |-
  17627. The namespace of the Secret resource being referred to.
  17628. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17629. maxLength: 63
  17630. minLength: 1
  17631. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17632. type: string
  17633. type: object
  17634. serviceAccountKeyFilePath:
  17635. description: |-
  17636. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17637. In some instances, `key` is a required field.
  17638. properties:
  17639. key:
  17640. description: |-
  17641. A key in the referenced Secret.
  17642. Some instances of this field may be defaulted, in others it may be required.
  17643. maxLength: 253
  17644. minLength: 1
  17645. pattern: ^[-._a-zA-Z0-9]+$
  17646. type: string
  17647. name:
  17648. description: The name of the Secret resource being referred to.
  17649. maxLength: 253
  17650. minLength: 1
  17651. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17652. type: string
  17653. namespace:
  17654. description: |-
  17655. The namespace of the Secret resource being referred to.
  17656. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17657. maxLength: 63
  17658. minLength: 1
  17659. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17660. type: string
  17661. type: object
  17662. required:
  17663. - identityId
  17664. - serviceAccountKeyFilePath
  17665. type: object
  17666. gcpIdTokenAuthCredentials:
  17667. description: GcpIDTokenAuthCredentials represents the credentials for GCP ID token authentication.
  17668. properties:
  17669. identityId:
  17670. description: |-
  17671. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17672. In some instances, `key` is a required field.
  17673. properties:
  17674. key:
  17675. description: |-
  17676. A key in the referenced Secret.
  17677. Some instances of this field may be defaulted, in others it may be required.
  17678. maxLength: 253
  17679. minLength: 1
  17680. pattern: ^[-._a-zA-Z0-9]+$
  17681. type: string
  17682. name:
  17683. description: The name of the Secret resource being referred to.
  17684. maxLength: 253
  17685. minLength: 1
  17686. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17687. type: string
  17688. namespace:
  17689. description: |-
  17690. The namespace of the Secret resource being referred to.
  17691. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17692. maxLength: 63
  17693. minLength: 1
  17694. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17695. type: string
  17696. type: object
  17697. required:
  17698. - identityId
  17699. type: object
  17700. jwtAuthCredentials:
  17701. description: JwtAuthCredentials represents the credentials for JWT authentication.
  17702. properties:
  17703. identityId:
  17704. description: |-
  17705. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17706. In some instances, `key` is a required field.
  17707. properties:
  17708. key:
  17709. description: |-
  17710. A key in the referenced Secret.
  17711. Some instances of this field may be defaulted, in others it may be required.
  17712. maxLength: 253
  17713. minLength: 1
  17714. pattern: ^[-._a-zA-Z0-9]+$
  17715. type: string
  17716. name:
  17717. description: The name of the Secret resource being referred to.
  17718. maxLength: 253
  17719. minLength: 1
  17720. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17721. type: string
  17722. namespace:
  17723. description: |-
  17724. The namespace of the Secret resource being referred to.
  17725. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17726. maxLength: 63
  17727. minLength: 1
  17728. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17729. type: string
  17730. type: object
  17731. jwt:
  17732. description: |-
  17733. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17734. In some instances, `key` is a required field.
  17735. properties:
  17736. key:
  17737. description: |-
  17738. A key in the referenced Secret.
  17739. Some instances of this field may be defaulted, in others it may be required.
  17740. maxLength: 253
  17741. minLength: 1
  17742. pattern: ^[-._a-zA-Z0-9]+$
  17743. type: string
  17744. name:
  17745. description: The name of the Secret resource being referred to.
  17746. maxLength: 253
  17747. minLength: 1
  17748. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17749. type: string
  17750. namespace:
  17751. description: |-
  17752. The namespace of the Secret resource being referred to.
  17753. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17754. maxLength: 63
  17755. minLength: 1
  17756. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17757. type: string
  17758. type: object
  17759. required:
  17760. - identityId
  17761. - jwt
  17762. type: object
  17763. kubernetesAuthCredentials:
  17764. description: KubernetesAuthCredentials represents the credentials for Kubernetes authentication.
  17765. properties:
  17766. identityId:
  17767. description: |-
  17768. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17769. In some instances, `key` is a required field.
  17770. properties:
  17771. key:
  17772. description: |-
  17773. A key in the referenced Secret.
  17774. Some instances of this field may be defaulted, in others it may be required.
  17775. maxLength: 253
  17776. minLength: 1
  17777. pattern: ^[-._a-zA-Z0-9]+$
  17778. type: string
  17779. name:
  17780. description: The name of the Secret resource being referred to.
  17781. maxLength: 253
  17782. minLength: 1
  17783. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17784. type: string
  17785. namespace:
  17786. description: |-
  17787. The namespace of the Secret resource being referred to.
  17788. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17789. maxLength: 63
  17790. minLength: 1
  17791. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17792. type: string
  17793. type: object
  17794. serviceAccountTokenPath:
  17795. description: |-
  17796. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17797. In some instances, `key` is a required field.
  17798. properties:
  17799. key:
  17800. description: |-
  17801. A key in the referenced Secret.
  17802. Some instances of this field may be defaulted, in others it may be required.
  17803. maxLength: 253
  17804. minLength: 1
  17805. pattern: ^[-._a-zA-Z0-9]+$
  17806. type: string
  17807. name:
  17808. description: The name of the Secret resource being referred to.
  17809. maxLength: 253
  17810. minLength: 1
  17811. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17812. type: string
  17813. namespace:
  17814. description: |-
  17815. The namespace of the Secret resource being referred to.
  17816. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17817. maxLength: 63
  17818. minLength: 1
  17819. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17820. type: string
  17821. type: object
  17822. required:
  17823. - identityId
  17824. type: object
  17825. ldapAuthCredentials:
  17826. description: LdapAuthCredentials represents the credentials for LDAP authentication.
  17827. properties:
  17828. identityId:
  17829. description: |-
  17830. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17831. In some instances, `key` is a required field.
  17832. properties:
  17833. key:
  17834. description: |-
  17835. A key in the referenced Secret.
  17836. Some instances of this field may be defaulted, in others it may be required.
  17837. maxLength: 253
  17838. minLength: 1
  17839. pattern: ^[-._a-zA-Z0-9]+$
  17840. type: string
  17841. name:
  17842. description: The name of the Secret resource being referred to.
  17843. maxLength: 253
  17844. minLength: 1
  17845. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17846. type: string
  17847. namespace:
  17848. description: |-
  17849. The namespace of the Secret resource being referred to.
  17850. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17851. maxLength: 63
  17852. minLength: 1
  17853. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17854. type: string
  17855. type: object
  17856. ldapPassword:
  17857. description: |-
  17858. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17859. In some instances, `key` is a required field.
  17860. properties:
  17861. key:
  17862. description: |-
  17863. A key in the referenced Secret.
  17864. Some instances of this field may be defaulted, in others it may be required.
  17865. maxLength: 253
  17866. minLength: 1
  17867. pattern: ^[-._a-zA-Z0-9]+$
  17868. type: string
  17869. name:
  17870. description: The name of the Secret resource being referred to.
  17871. maxLength: 253
  17872. minLength: 1
  17873. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17874. type: string
  17875. namespace:
  17876. description: |-
  17877. The namespace of the Secret resource being referred to.
  17878. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17879. maxLength: 63
  17880. minLength: 1
  17881. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17882. type: string
  17883. type: object
  17884. ldapUsername:
  17885. description: |-
  17886. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17887. In some instances, `key` is a required field.
  17888. properties:
  17889. key:
  17890. description: |-
  17891. A key in the referenced Secret.
  17892. Some instances of this field may be defaulted, in others it may be required.
  17893. maxLength: 253
  17894. minLength: 1
  17895. pattern: ^[-._a-zA-Z0-9]+$
  17896. type: string
  17897. name:
  17898. description: The name of the Secret resource being referred to.
  17899. maxLength: 253
  17900. minLength: 1
  17901. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17902. type: string
  17903. namespace:
  17904. description: |-
  17905. The namespace of the Secret resource being referred to.
  17906. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17907. maxLength: 63
  17908. minLength: 1
  17909. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17910. type: string
  17911. type: object
  17912. required:
  17913. - identityId
  17914. - ldapPassword
  17915. - ldapUsername
  17916. type: object
  17917. ociAuthCredentials:
  17918. description: OciAuthCredentials represents the credentials for OCI authentication.
  17919. properties:
  17920. fingerprint:
  17921. description: |-
  17922. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17923. In some instances, `key` is a required field.
  17924. properties:
  17925. key:
  17926. description: |-
  17927. A key in the referenced Secret.
  17928. Some instances of this field may be defaulted, in others it may be required.
  17929. maxLength: 253
  17930. minLength: 1
  17931. pattern: ^[-._a-zA-Z0-9]+$
  17932. type: string
  17933. name:
  17934. description: The name of the Secret resource being referred to.
  17935. maxLength: 253
  17936. minLength: 1
  17937. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17938. type: string
  17939. namespace:
  17940. description: |-
  17941. The namespace of the Secret resource being referred to.
  17942. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17943. maxLength: 63
  17944. minLength: 1
  17945. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17946. type: string
  17947. type: object
  17948. identityId:
  17949. description: |-
  17950. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17951. In some instances, `key` is a required field.
  17952. properties:
  17953. key:
  17954. description: |-
  17955. A key in the referenced Secret.
  17956. Some instances of this field may be defaulted, in others it may be required.
  17957. maxLength: 253
  17958. minLength: 1
  17959. pattern: ^[-._a-zA-Z0-9]+$
  17960. type: string
  17961. name:
  17962. description: The name of the Secret resource being referred to.
  17963. maxLength: 253
  17964. minLength: 1
  17965. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17966. type: string
  17967. namespace:
  17968. description: |-
  17969. The namespace of the Secret resource being referred to.
  17970. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17971. maxLength: 63
  17972. minLength: 1
  17973. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17974. type: string
  17975. type: object
  17976. privateKey:
  17977. description: |-
  17978. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17979. In some instances, `key` is a required field.
  17980. properties:
  17981. key:
  17982. description: |-
  17983. A key in the referenced Secret.
  17984. Some instances of this field may be defaulted, in others it may be required.
  17985. maxLength: 253
  17986. minLength: 1
  17987. pattern: ^[-._a-zA-Z0-9]+$
  17988. type: string
  17989. name:
  17990. description: The name of the Secret resource being referred to.
  17991. maxLength: 253
  17992. minLength: 1
  17993. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17994. type: string
  17995. namespace:
  17996. description: |-
  17997. The namespace of the Secret resource being referred to.
  17998. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17999. maxLength: 63
  18000. minLength: 1
  18001. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18002. type: string
  18003. type: object
  18004. privateKeyPassphrase:
  18005. description: |-
  18006. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  18007. In some instances, `key` is a required field.
  18008. properties:
  18009. key:
  18010. description: |-
  18011. A key in the referenced Secret.
  18012. Some instances of this field may be defaulted, in others it may be required.
  18013. maxLength: 253
  18014. minLength: 1
  18015. pattern: ^[-._a-zA-Z0-9]+$
  18016. type: string
  18017. name:
  18018. description: The name of the Secret resource being referred to.
  18019. maxLength: 253
  18020. minLength: 1
  18021. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18022. type: string
  18023. namespace:
  18024. description: |-
  18025. The namespace of the Secret resource being referred to.
  18026. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18027. maxLength: 63
  18028. minLength: 1
  18029. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18030. type: string
  18031. type: object
  18032. region:
  18033. description: |-
  18034. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  18035. In some instances, `key` is a required field.
  18036. properties:
  18037. key:
  18038. description: |-
  18039. A key in the referenced Secret.
  18040. Some instances of this field may be defaulted, in others it may be required.
  18041. maxLength: 253
  18042. minLength: 1
  18043. pattern: ^[-._a-zA-Z0-9]+$
  18044. type: string
  18045. name:
  18046. description: The name of the Secret resource being referred to.
  18047. maxLength: 253
  18048. minLength: 1
  18049. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18050. type: string
  18051. namespace:
  18052. description: |-
  18053. The namespace of the Secret resource being referred to.
  18054. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18055. maxLength: 63
  18056. minLength: 1
  18057. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18058. type: string
  18059. type: object
  18060. tenancyId:
  18061. description: |-
  18062. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  18063. In some instances, `key` is a required field.
  18064. properties:
  18065. key:
  18066. description: |-
  18067. A key in the referenced Secret.
  18068. Some instances of this field may be defaulted, in others it may be required.
  18069. maxLength: 253
  18070. minLength: 1
  18071. pattern: ^[-._a-zA-Z0-9]+$
  18072. type: string
  18073. name:
  18074. description: The name of the Secret resource being referred to.
  18075. maxLength: 253
  18076. minLength: 1
  18077. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18078. type: string
  18079. namespace:
  18080. description: |-
  18081. The namespace of the Secret resource being referred to.
  18082. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18083. maxLength: 63
  18084. minLength: 1
  18085. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18086. type: string
  18087. type: object
  18088. userId:
  18089. description: |-
  18090. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  18091. In some instances, `key` is a required field.
  18092. properties:
  18093. key:
  18094. description: |-
  18095. A key in the referenced Secret.
  18096. Some instances of this field may be defaulted, in others it may be required.
  18097. maxLength: 253
  18098. minLength: 1
  18099. pattern: ^[-._a-zA-Z0-9]+$
  18100. type: string
  18101. name:
  18102. description: The name of the Secret resource being referred to.
  18103. maxLength: 253
  18104. minLength: 1
  18105. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18106. type: string
  18107. namespace:
  18108. description: |-
  18109. The namespace of the Secret resource being referred to.
  18110. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18111. maxLength: 63
  18112. minLength: 1
  18113. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18114. type: string
  18115. type: object
  18116. required:
  18117. - fingerprint
  18118. - identityId
  18119. - privateKey
  18120. - region
  18121. - tenancyId
  18122. - userId
  18123. type: object
  18124. tokenAuthCredentials:
  18125. description: TokenAuthCredentials represents the credentials for access token-based authentication.
  18126. properties:
  18127. accessToken:
  18128. description: |-
  18129. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  18130. In some instances, `key` is a required field.
  18131. properties:
  18132. key:
  18133. description: |-
  18134. A key in the referenced Secret.
  18135. Some instances of this field may be defaulted, in others it may be required.
  18136. maxLength: 253
  18137. minLength: 1
  18138. pattern: ^[-._a-zA-Z0-9]+$
  18139. type: string
  18140. name:
  18141. description: The name of the Secret resource being referred to.
  18142. maxLength: 253
  18143. minLength: 1
  18144. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18145. type: string
  18146. namespace:
  18147. description: |-
  18148. The namespace of the Secret resource being referred to.
  18149. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18150. maxLength: 63
  18151. minLength: 1
  18152. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18153. type: string
  18154. type: object
  18155. required:
  18156. - accessToken
  18157. type: object
  18158. universalAuthCredentials:
  18159. description: UniversalAuthCredentials represents the client credentials for universal authentication.
  18160. properties:
  18161. clientId:
  18162. description: |-
  18163. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  18164. In some instances, `key` is a required field.
  18165. properties:
  18166. key:
  18167. description: |-
  18168. A key in the referenced Secret.
  18169. Some instances of this field may be defaulted, in others it may be required.
  18170. maxLength: 253
  18171. minLength: 1
  18172. pattern: ^[-._a-zA-Z0-9]+$
  18173. type: string
  18174. name:
  18175. description: The name of the Secret resource being referred to.
  18176. maxLength: 253
  18177. minLength: 1
  18178. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18179. type: string
  18180. namespace:
  18181. description: |-
  18182. The namespace of the Secret resource being referred to.
  18183. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18184. maxLength: 63
  18185. minLength: 1
  18186. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18187. type: string
  18188. type: object
  18189. clientSecret:
  18190. description: |-
  18191. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  18192. In some instances, `key` is a required field.
  18193. properties:
  18194. key:
  18195. description: |-
  18196. A key in the referenced Secret.
  18197. Some instances of this field may be defaulted, in others it may be required.
  18198. maxLength: 253
  18199. minLength: 1
  18200. pattern: ^[-._a-zA-Z0-9]+$
  18201. type: string
  18202. name:
  18203. description: The name of the Secret resource being referred to.
  18204. maxLength: 253
  18205. minLength: 1
  18206. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18207. type: string
  18208. namespace:
  18209. description: |-
  18210. The namespace of the Secret resource being referred to.
  18211. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18212. maxLength: 63
  18213. minLength: 1
  18214. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18215. type: string
  18216. type: object
  18217. required:
  18218. - clientId
  18219. - clientSecret
  18220. type: object
  18221. type: object
  18222. caBundle:
  18223. description: |-
  18224. CABundle is a PEM-encoded CA certificate bundle used to validate
  18225. the Infisical server's TLS certificate. Mutually exclusive with CAProvider.
  18226. format: byte
  18227. type: string
  18228. caProvider:
  18229. description: |-
  18230. CAProvider is a reference to a Secret or ConfigMap that contains a CA certificate.
  18231. The certificate is used to validate the Infisical server's TLS certificate.
  18232. Mutually exclusive with CABundle.
  18233. properties:
  18234. key:
  18235. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  18236. maxLength: 253
  18237. minLength: 1
  18238. pattern: ^[-._a-zA-Z0-9]+$
  18239. type: string
  18240. name:
  18241. description: The name of the object located at the provider type.
  18242. maxLength: 253
  18243. minLength: 1
  18244. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18245. type: string
  18246. namespace:
  18247. description: |-
  18248. The namespace the Provider type is in.
  18249. Can only be defined when used in a ClusterSecretStore.
  18250. maxLength: 63
  18251. minLength: 1
  18252. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18253. type: string
  18254. type:
  18255. description: The type of provider to use such as "Secret", or "ConfigMap".
  18256. enum:
  18257. - Secret
  18258. - ConfigMap
  18259. type: string
  18260. required:
  18261. - name
  18262. - type
  18263. type: object
  18264. hostAPI:
  18265. default: https://app.infisical.com/api
  18266. description: HostAPI specifies the base URL of the Infisical API. If not provided, it defaults to "https://app.infisical.com/api".
  18267. type: string
  18268. secretsScope:
  18269. description: SecretsScope defines the scope of the secrets within the workspace
  18270. properties:
  18271. environmentSlug:
  18272. description: EnvironmentSlug is the required slug identifier for the environment.
  18273. type: string
  18274. expandSecretReferences:
  18275. default: true
  18276. description: ExpandSecretReferences indicates whether secret references should be expanded. Defaults to true if not provided.
  18277. type: boolean
  18278. organizationSlug:
  18279. description: |-
  18280. OrganizationSlug is the optional slug that identifies the organization that will be used
  18281. during authentication. Useful for sub-organization setups.
  18282. type: string
  18283. projectSlug:
  18284. description: ProjectSlug is the required slug identifier for the project.
  18285. type: string
  18286. recursive:
  18287. default: false
  18288. description: Recursive indicates whether the secrets should be fetched recursively. Defaults to false if not provided.
  18289. type: boolean
  18290. secretsPath:
  18291. default: /
  18292. description: SecretsPath specifies the path to the secrets within the workspace. Defaults to "/" if not provided.
  18293. type: string
  18294. required:
  18295. - environmentSlug
  18296. - projectSlug
  18297. type: object
  18298. required:
  18299. - auth
  18300. - secretsScope
  18301. type: object
  18302. keepersecurity:
  18303. description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider
  18304. properties:
  18305. authRef:
  18306. description: |-
  18307. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  18308. In some instances, `key` is a required field.
  18309. properties:
  18310. key:
  18311. description: |-
  18312. A key in the referenced Secret.
  18313. Some instances of this field may be defaulted, in others it may be required.
  18314. maxLength: 253
  18315. minLength: 1
  18316. pattern: ^[-._a-zA-Z0-9]+$
  18317. type: string
  18318. name:
  18319. description: The name of the Secret resource being referred to.
  18320. maxLength: 253
  18321. minLength: 1
  18322. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18323. type: string
  18324. namespace:
  18325. description: |-
  18326. The namespace of the Secret resource being referred to.
  18327. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18328. maxLength: 63
  18329. minLength: 1
  18330. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18331. type: string
  18332. type: object
  18333. folderID:
  18334. type: string
  18335. getByTitleFallback:
  18336. type: boolean
  18337. required:
  18338. - authRef
  18339. - folderID
  18340. type: object
  18341. kubernetes:
  18342. description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
  18343. properties:
  18344. auth:
  18345. description: Auth configures how secret-manager authenticates with a Kubernetes instance.
  18346. maxProperties: 1
  18347. minProperties: 1
  18348. properties:
  18349. cert:
  18350. description: holds both clientCert and clientKey, each given as a SecretKeySelector
  18351. properties:
  18352. clientCert:
  18353. description: |-
  18354. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  18355. In some instances, `key` is a required field.
  18356. properties:
  18357. key:
  18358. description: |-
  18359. A key in the referenced Secret.
  18360. Some instances of this field may be defaulted, in others it may be required.
  18361. maxLength: 253
  18362. minLength: 1
  18363. pattern: ^[-._a-zA-Z0-9]+$
  18364. type: string
  18365. name:
  18366. description: The name of the Secret resource being referred to.
  18367. maxLength: 253
  18368. minLength: 1
  18369. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18370. type: string
  18371. namespace:
  18372. description: |-
  18373. The namespace of the Secret resource being referred to.
  18374. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18375. maxLength: 63
  18376. minLength: 1
  18377. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18378. type: string
  18379. type: object
  18380. clientKey:
  18381. description: |-
  18382. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  18383. In some instances, `key` is a required field.
  18384. properties:
  18385. key:
  18386. description: |-
  18387. A key in the referenced Secret.
  18388. Some instances of this field may be defaulted, in others it may be required.
  18389. maxLength: 253
  18390. minLength: 1
  18391. pattern: ^[-._a-zA-Z0-9]+$
  18392. type: string
  18393. name:
  18394. description: The name of the Secret resource being referred to.
  18395. maxLength: 253
  18396. minLength: 1
  18397. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18398. type: string
  18399. namespace:
  18400. description: |-
  18401. The namespace of the Secret resource being referred to.
  18402. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18403. maxLength: 63
  18404. minLength: 1
  18405. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18406. type: string
  18407. type: object
  18408. type: object
  18409. serviceAccount:
  18410. description: points to a service account that should be used for authentication
  18411. properties:
  18412. audiences:
  18413. description: |-
  18414. Audience specifies the `aud` claim for the service account token.
  18415. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity,
  18416. then these audiences will be appended to the list.
  18417. items:
  18418. type: string
  18419. type: array
  18420. name:
  18421. description: The name of the ServiceAccount resource being referred to.
  18422. maxLength: 253
  18423. minLength: 1
  18424. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18425. type: string
  18426. namespace:
  18427. description: |-
  18428. Namespace of the resource being referred to.
  18429. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18430. maxLength: 63
  18431. minLength: 1
  18432. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18433. type: string
  18434. required:
  18435. - name
  18436. type: object
  18437. token:
  18438. description: use a static token to authenticate with
  18439. properties:
  18440. bearerToken:
  18441. description: |-
  18442. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  18443. In some instances, `key` is a required field.
  18444. properties:
  18445. key:
  18446. description: |-
  18447. A key in the referenced Secret.
  18448. Some instances of this field may be defaulted, in others it may be required.
  18449. maxLength: 253
  18450. minLength: 1
  18451. pattern: ^[-._a-zA-Z0-9]+$
  18452. type: string
  18453. name:
  18454. description: The name of the Secret resource being referred to.
  18455. maxLength: 253
  18456. minLength: 1
  18457. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18458. type: string
  18459. namespace:
  18460. description: |-
  18461. The namespace of the Secret resource being referred to.
  18462. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18463. maxLength: 63
  18464. minLength: 1
  18465. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18466. type: string
  18467. type: object
  18468. type: object
  18469. type: object
  18470. authRef:
  18471. description: A reference to a secret that contains the auth information.
  18472. properties:
  18473. key:
  18474. description: |-
  18475. A key in the referenced Secret.
  18476. Some instances of this field may be defaulted, in others it may be required.
  18477. maxLength: 253
  18478. minLength: 1
  18479. pattern: ^[-._a-zA-Z0-9]+$
  18480. type: string
  18481. name:
  18482. description: The name of the Secret resource being referred to.
  18483. maxLength: 253
  18484. minLength: 1
  18485. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18486. type: string
  18487. namespace:
  18488. description: |-
  18489. The namespace of the Secret resource being referred to.
  18490. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18491. maxLength: 63
  18492. minLength: 1
  18493. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18494. type: string
  18495. type: object
  18496. remoteNamespace:
  18497. default: default
  18498. description: Remote namespace to fetch the secrets from
  18499. maxLength: 63
  18500. minLength: 1
  18501. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18502. type: string
  18503. server:
  18504. description: configures the Kubernetes server Address.
  18505. properties:
  18506. caBundle:
  18507. description: CABundle is a base64-encoded CA certificate
  18508. format: byte
  18509. type: string
  18510. caProvider:
  18511. description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
  18512. properties:
  18513. key:
  18514. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  18515. maxLength: 253
  18516. minLength: 1
  18517. pattern: ^[-._a-zA-Z0-9]+$
  18518. type: string
  18519. name:
  18520. description: The name of the object located at the provider type.
  18521. maxLength: 253
  18522. minLength: 1
  18523. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18524. type: string
  18525. namespace:
  18526. description: |-
  18527. The namespace the Provider type is in.
  18528. Can only be defined when used in a ClusterSecretStore.
  18529. maxLength: 63
  18530. minLength: 1
  18531. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18532. type: string
  18533. type:
  18534. description: The type of provider to use such as "Secret", or "ConfigMap".
  18535. enum:
  18536. - Secret
  18537. - ConfigMap
  18538. type: string
  18539. required:
  18540. - name
  18541. - type
  18542. type: object
  18543. url:
  18544. default: kubernetes.default
  18545. description: configures the Kubernetes server Address.
  18546. type: string
  18547. type: object
  18548. type: object
  18549. nebiusmysterybox:
  18550. description: NebiusMysterybox configures this store to sync secrets using the NebiusMysterybox provider
  18551. properties:
  18552. apiDomain:
  18553. description: NebiusMysterybox API endpoint
  18554. type: string
  18555. auth:
  18556. description: Auth defines parameters to authenticate in MysteryBox
  18557. properties:
  18558. serviceAccountCredsSecretRef:
  18559. description: |-
  18560. ServiceAccountCreds references a Kubernetes Secret key that contains a JSON
  18561. document with service account credentials used to get an IAM token.
  18562. Expected JSON structure:
  18563. {
  18564. "subject-credentials": {
  18565. "alg": "RS256",
  18566. "private-key": "-----BEGIN PRIVATE KEY-----\n<private-key>\n-----END PRIVATE KEY-----\n",
  18567. "kid": "<public-key-id>",
  18568. "iss": "<issuer-service-account-id>",
  18569. "sub": "<subject-service-account-id>"
  18570. }
  18571. }
  18572. properties:
  18573. key:
  18574. description: |-
  18575. A key in the referenced Secret.
  18576. Some instances of this field may be defaulted, in others it may be required.
  18577. maxLength: 253
  18578. minLength: 1
  18579. pattern: ^[-._a-zA-Z0-9]+$
  18580. type: string
  18581. name:
  18582. description: The name of the Secret resource being referred to.
  18583. maxLength: 253
  18584. minLength: 1
  18585. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18586. type: string
  18587. namespace:
  18588. description: |-
  18589. The namespace of the Secret resource being referred to.
  18590. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18591. maxLength: 63
  18592. minLength: 1
  18593. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18594. type: string
  18595. type: object
  18596. tokenSecretRef:
  18597. description: Token authenticates with Nebius Mysterybox by presenting a token.
  18598. properties:
  18599. key:
  18600. description: |-
  18601. A key in the referenced Secret.
  18602. Some instances of this field may be defaulted, in others it may be required.
  18603. maxLength: 253
  18604. minLength: 1
  18605. pattern: ^[-._a-zA-Z0-9]+$
  18606. type: string
  18607. name:
  18608. description: The name of the Secret resource being referred to.
  18609. maxLength: 253
  18610. minLength: 1
  18611. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18612. type: string
  18613. namespace:
  18614. description: |-
  18615. The namespace of the Secret resource being referred to.
  18616. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18617. maxLength: 63
  18618. minLength: 1
  18619. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18620. type: string
  18621. type: object
  18622. type: object
  18623. x-kubernetes-validations:
  18624. - message: either serviceAccountCredsSecretRef or tokenSecretRef must be set
  18625. rule: has(self.serviceAccountCredsSecretRef) || has(self.tokenSecretRef)
  18626. caProvider:
  18627. description: The provider for the CA bundle to use to validate NebiusMysterybox server certificate.
  18628. properties:
  18629. certSecretRef:
  18630. description: |-
  18631. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  18632. In some instances, `key` is a required field.
  18633. properties:
  18634. key:
  18635. description: |-
  18636. A key in the referenced Secret.
  18637. Some instances of this field may be defaulted, in others it may be required.
  18638. maxLength: 253
  18639. minLength: 1
  18640. pattern: ^[-._a-zA-Z0-9]+$
  18641. type: string
  18642. name:
  18643. description: The name of the Secret resource being referred to.
  18644. maxLength: 253
  18645. minLength: 1
  18646. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18647. type: string
  18648. namespace:
  18649. description: |-
  18650. The namespace of the Secret resource being referred to.
  18651. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18652. maxLength: 63
  18653. minLength: 1
  18654. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18655. type: string
  18656. type: object
  18657. type: object
  18658. required:
  18659. - apiDomain
  18660. - auth
  18661. type: object
  18662. ngrok:
  18663. description: Ngrok configures this store to sync secrets using the ngrok provider.
  18664. properties:
  18665. apiUrl:
  18666. default: https://api.ngrok.com
  18667. description: APIURL is the URL of the ngrok API.
  18668. type: string
  18669. auth:
  18670. description: Auth configures how the ngrok provider authenticates with the ngrok API.
  18671. maxProperties: 1
  18672. minProperties: 1
  18673. properties:
  18674. apiKey:
  18675. description: APIKey is the API Key used to authenticate with ngrok. See https://ngrok.com/docs/api/#authentication
  18676. properties:
  18677. secretRef:
  18678. description: SecretRef is a reference to a secret containing the ngrok API key.
  18679. properties:
  18680. key:
  18681. description: |-
  18682. A key in the referenced Secret.
  18683. Some instances of this field may be defaulted, in others it may be required.
  18684. maxLength: 253
  18685. minLength: 1
  18686. pattern: ^[-._a-zA-Z0-9]+$
  18687. type: string
  18688. name:
  18689. description: The name of the Secret resource being referred to.
  18690. maxLength: 253
  18691. minLength: 1
  18692. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18693. type: string
  18694. namespace:
  18695. description: |-
  18696. The namespace of the Secret resource being referred to.
  18697. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18698. maxLength: 63
  18699. minLength: 1
  18700. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18701. type: string
  18702. type: object
  18703. type: object
  18704. type: object
  18705. vault:
  18706. description: Vault configures the ngrok vault to sync secrets with.
  18707. properties:
  18708. name:
  18709. description: Name is the name of the ngrok vault to sync secrets with.
  18710. type: string
  18711. required:
  18712. - name
  18713. type: object
  18714. required:
  18715. - auth
  18716. - vault
  18717. type: object
  18718. onboardbase:
  18719. description: Onboardbase configures this store to sync secrets using the Onboardbase provider
  18720. properties:
  18721. apiHost:
  18722. default: https://public.onboardbase.com/api/v1/
  18723. description: 'APIHost: use this to configure the host URL of the API for a self-hosted installation; the default is https://public.onboardbase.com/api/v1/'
  18724. type: string
  18725. auth:
  18726. description: Auth configures how the Operator authenticates with the Onboardbase API
  18727. properties:
  18728. apiKeyRef:
  18729. description: |-
  18730. OnboardbaseAPIKey is the APIKey generated by an admin account.
  18731. It is used to recognize and authorize access to a project and environment within onboardbase
  18732. properties:
  18733. key:
  18734. description: |-
  18735. A key in the referenced Secret.
  18736. Some instances of this field may be defaulted, in others it may be required.
  18737. maxLength: 253
  18738. minLength: 1
  18739. pattern: ^[-._a-zA-Z0-9]+$
  18740. type: string
  18741. name:
  18742. description: The name of the Secret resource being referred to.
  18743. maxLength: 253
  18744. minLength: 1
  18745. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18746. type: string
  18747. namespace:
  18748. description: |-
  18749. The namespace of the Secret resource being referred to.
  18750. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18751. maxLength: 63
  18752. minLength: 1
  18753. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18754. type: string
  18755. type: object
  18756. passcodeRef:
  18757. description: OnboardbasePasscode is the passcode attached to the API Key
  18758. properties:
  18759. key:
  18760. description: |-
  18761. A key in the referenced Secret.
  18762. Some instances of this field may be defaulted, in others it may be required.
  18763. maxLength: 253
  18764. minLength: 1
  18765. pattern: ^[-._a-zA-Z0-9]+$
  18766. type: string
  18767. name:
  18768. description: The name of the Secret resource being referred to.
  18769. maxLength: 253
  18770. minLength: 1
  18771. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18772. type: string
  18773. namespace:
  18774. description: |-
  18775. The namespace of the Secret resource being referred to.
  18776. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18777. maxLength: 63
  18778. minLength: 1
  18779. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18780. type: string
  18781. type: object
  18782. required:
  18783. - apiKeyRef
  18784. - passcodeRef
  18785. type: object
  18786. environment:
  18787. default: development
  18788. description: Environment is the name of an environment within a project to pull the secrets from
  18789. type: string
  18790. project:
  18791. default: development
  18792. description: Project is an onboardbase project that the secrets should be pulled from
  18793. type: string
  18794. required:
  18795. - apiHost
  18796. - auth
  18797. - environment
  18798. - project
  18799. type: object
  18800. onepassword:
  18801. description: OnePassword configures this store to sync secrets using the 1Password Cloud provider
  18802. properties:
  18803. auth:
  18804. description: Auth defines the information necessary to authenticate against OnePassword Connect Server
  18805. properties:
  18806. secretRef:
  18807. description: OnePasswordAuthSecretRef holds secret references for 1Password credentials.
  18808. properties:
  18809. connectTokenSecretRef:
  18810. description: The ConnectToken is used for authentication to a 1Password Connect Server.
  18811. properties:
  18812. key:
  18813. description: |-
  18814. A key in the referenced Secret.
  18815. Some instances of this field may be defaulted, in others it may be required.
  18816. maxLength: 253
  18817. minLength: 1
  18818. pattern: ^[-._a-zA-Z0-9]+$
  18819. type: string
  18820. name:
  18821. description: The name of the Secret resource being referred to.
  18822. maxLength: 253
  18823. minLength: 1
  18824. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18825. type: string
  18826. namespace:
  18827. description: |-
  18828. The namespace of the Secret resource being referred to.
  18829. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18830. maxLength: 63
  18831. minLength: 1
  18832. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18833. type: string
  18834. type: object
  18835. required:
  18836. - connectTokenSecretRef
  18837. type: object
  18838. required:
  18839. - secretRef
  18840. type: object
  18841. connectHost:
  18842. description: ConnectHost defines the OnePassword Connect Server to connect to
  18843. type: string
  18844. vaults:
  18845. additionalProperties:
  18846. type: integer
  18847. description: Vaults defines which OnePassword vaults to search in which order
  18848. type: object
  18849. required:
  18850. - auth
  18851. - connectHost
  18852. - vaults
  18853. type: object
  18854. onepasswordSDK:
  18855. description: OnePasswordSDK configures this store to use 1Password's new Go SDK to sync secrets.
  18856. properties:
  18857. auth:
  18858. description: Auth defines the information necessary to authenticate against OnePassword API.
  18859. properties:
  18860. serviceAccountSecretRef:
  18861. description: ServiceAccountSecretRef points to the secret containing the token to access 1Password vault.
  18862. properties:
  18863. key:
  18864. description: |-
  18865. A key in the referenced Secret.
  18866. Some instances of this field may be defaulted, in others it may be required.
  18867. maxLength: 253
  18868. minLength: 1
  18869. pattern: ^[-._a-zA-Z0-9]+$
  18870. type: string
  18871. name:
  18872. description: The name of the Secret resource being referred to.
  18873. maxLength: 253
  18874. minLength: 1
  18875. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18876. type: string
  18877. namespace:
  18878. description: |-
  18879. The namespace of the Secret resource being referred to.
  18880. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18881. maxLength: 63
  18882. minLength: 1
  18883. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18884. type: string
  18885. type: object
  18886. required:
  18887. - serviceAccountSecretRef
  18888. type: object
  18889. cache:
  18890. description: |-
  18891. Cache configures client-side caching for read operations (GetSecret, GetSecretMap).
  18892. When enabled, secrets are cached with the specified TTL.
  18893. Write operations (PushSecret, DeleteSecret) automatically invalidate relevant cache entries.
  18894. If omitted, caching is disabled (default).
  18895. cache: {} is a valid option to set.
  18896. properties:
  18897. maxSize:
  18898. default: 100
  18899. description: |-
  18900. MaxSize is the maximum number of secrets to cache.
  18901. When the cache is full, least-recently-used entries are evicted.
  18902. minimum: 1
  18903. type: integer
  18904. ttl:
  18905. default: 5m
  18906. description: |-
  18907. TTL is the time-to-live for cached secrets.
  18908. Format: duration string (e.g., "5m", "1h", "30s")
  18909. type: string
  18910. type: object
  18911. integrationInfo:
  18912. description: |-
  18913. IntegrationInfo specifies the name and version of the integration built using the 1Password Go SDK.
  18914. If you don't know which name and version to use, use `DefaultIntegrationName` and `DefaultIntegrationVersion`, respectively.
  18915. properties:
  18916. name:
  18917. default: 1Password SDK
  18918. description: Name defaults to "1Password SDK".
  18919. type: string
  18920. version:
  18921. default: v1.0.0
  18922. description: Version defaults to "v1.0.0".
  18923. type: string
  18924. type: object
  18925. vault:
  18926. description: Vault defines the vault's name or uuid to access. Do NOT add op:// prefix. This will be done automatically.
  18927. type: string
  18928. required:
  18929. - auth
  18930. - vault
  18931. type: object
  18932. openBao:
  18933. description: OpenBao configures this store to sync secrets using the OpenBao provider.
  18934. properties:
  18935. auth:
  18936. description: Auth configures how secret-manager authenticates with the OpenBao server.
  18937. properties:
  18938. appRole:
  18939. description: |-
  18940. AppRole authenticates with OpenBao using the [App Role auth mechanism],
  18941. with the role and secret stored in a Kubernetes Secret resource.
  18942. [App Role auth mechanism]: https://openbao.org/docs/auth/approle/
  18943. properties:
  18944. path:
  18945. default: approle
  18946. description: |-
  18947. Path where the App Role authentication backend is mounted
  18948. in OpenBao, e.g: "approle"
  18949. type: string
  18950. roleId:
  18951. description: |-
  18952. RoleID configured in the App Role authentication backend when setting
  18953. up the authentication backend in OpenBao.
  18954. minLength: 1
  18955. type: string
  18956. roleRef:
  18957. description: |-
  18958. Reference to a key in a Secret that contains the App Role ID used
  18959. to authenticate with OpenBao.
  18960. The `key` field must be specified and denotes which entry within the Secret
  18961. resource is used as the app role id.
  18962. properties:
  18963. key:
  18964. description: |-
  18965. A key in the referenced Secret.
  18966. Some instances of this field may be defaulted, in others it may be required.
  18967. maxLength: 253
  18968. minLength: 1
  18969. pattern: ^[-._a-zA-Z0-9]+$
  18970. type: string
  18971. name:
  18972. description: The name of the Secret resource being referred to.
  18973. maxLength: 253
  18974. minLength: 1
  18975. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18976. type: string
  18977. namespace:
  18978. description: |-
  18979. The namespace of the Secret resource being referred to.
  18980. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18981. maxLength: 63
  18982. minLength: 1
  18983. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18984. type: string
  18985. type: object
  18986. secretRef:
  18987. description: |-
  18988. Reference to a key in a Secret that contains the App Role secret used
  18989. to authenticate with OpenBao.
  18990. The `key` field must be specified and denotes which entry within the Secret
  18991. resource is used as the app role secret.
  18992. properties:
  18993. key:
  18994. description: |-
  18995. A key in the referenced Secret.
  18996. Some instances of this field may be defaulted, in others it may be required.
  18997. maxLength: 253
  18998. minLength: 1
  18999. pattern: ^[-._a-zA-Z0-9]+$
  19000. type: string
  19001. name:
  19002. description: The name of the Secret resource being referred to.
  19003. maxLength: 253
  19004. minLength: 1
  19005. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19006. type: string
  19007. namespace:
  19008. description: |-
  19009. The namespace of the Secret resource being referred to.
  19010. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19011. maxLength: 63
  19012. minLength: 1
  19013. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19014. type: string
  19015. type: object
  19016. required:
  19017. - path
  19018. - secretRef
  19019. type: object
  19020. x-kubernetes-validations:
  19021. - message: exactly one of the fields in [roleId roleRef] must be set
  19022. rule: '[has(self.roleId),has(self.roleRef)].filter(x,x==true).size() == 1'
  19023. namespace:
  19024. description: |-
  19025. Name of the [OpenBao Namespace] to authenticate to. This can be different
  19026. than the namespace your secret is in. Namespaces is a set of features
  19027. within OpenBao that allows OpenBao environments to support secure
  19028. multi-tenancy. e.g: "ns1". This will default to OpenBao.Namespace field
  19029. if set, or empty otherwise
  19030. [OpenBao Namespace]: https://openbao.org/docs/concepts/namespaces/
  19031. type: string
  19032. tokenSecretRef:
  19033. description: TokenSecretRef authenticates with OpenBao by presenting a token.
  19034. properties:
  19035. key:
  19036. description: |-
  19037. A key in the referenced Secret.
  19038. Some instances of this field may be defaulted, in others it may be required.
  19039. maxLength: 253
  19040. minLength: 1
  19041. pattern: ^[-._a-zA-Z0-9]+$
  19042. type: string
  19043. name:
  19044. description: The name of the Secret resource being referred to.
  19045. maxLength: 253
  19046. minLength: 1
  19047. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19048. type: string
  19049. namespace:
  19050. description: |-
  19051. The namespace of the Secret resource being referred to.
  19052. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19053. maxLength: 63
  19054. minLength: 1
  19055. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19056. type: string
  19057. type: object
  19058. userPass:
  19059. description: UserPass authenticates with OpenBao by passing a username/password pair
  19060. properties:
  19061. path:
  19062. default: userpass
  19063. description: |-
  19064. Path where the UserPassword authentication backend is mounted
  19065. in OpenBao, e.g: "userpass"
  19066. type: string
  19067. secretRef:
  19068. description: |-
  19069. SecretRef to a key in a Secret resource containing password for the user
  19070. used to authenticate with OpenBao using the [UserPass authentication
  19071. method]
  19072. [UserPass authentication method]: https://openbao.org/docs/auth/userpass/
  19073. properties:
  19074. key:
  19075. description: |-
  19076. A key in the referenced Secret.
  19077. Some instances of this field may be defaulted, in others it may be required.
  19078. maxLength: 253
  19079. minLength: 1
  19080. pattern: ^[-._a-zA-Z0-9]+$
  19081. type: string
  19082. name:
  19083. description: The name of the Secret resource being referred to.
  19084. maxLength: 253
  19085. minLength: 1
  19086. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19087. type: string
  19088. namespace:
  19089. description: |-
  19090. The namespace of the Secret resource being referred to.
  19091. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19092. maxLength: 63
  19093. minLength: 1
  19094. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19095. type: string
  19096. type: object
  19097. username:
  19098. description: |-
  19099. Username is a username used to authenticate using the [UserPass
  19100. authentication method]
  19101. [UserPass authentication method]: https://openbao.org/docs/auth/userpass/
  19102. type: string
  19103. required:
  19104. - path
  19105. - username
  19106. type: object
  19107. type: object
  19108. x-kubernetes-validations:
  19109. - message: exactly one of the fields in [appRole tokenSecretRef userPass] must be set
  19110. rule: '[has(self.appRole),has(self.tokenSecretRef),has(self.userPass)].filter(x,x==true).size() == 1'
  19111. caBundle:
  19112. description: |-
  19113. PEM encoded CA bundle used to validate the OpenBao server certificate. If
  19114. this and `caProvider` are not set the system root certificates are used
  19115. to validate the TLS connection.
  19116. format: byte
  19117. type: string
  19118. caProvider:
  19119. description: |-
  19120. The provider for the CA bundle to use to validate OpenBao server
  19121. certificate. If this and `caBundle` are not set the system root
  19122. certificates are used to validate the TLS connection.
  19123. properties:
  19124. key:
  19125. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  19126. maxLength: 253
  19127. minLength: 1
  19128. pattern: ^[-._a-zA-Z0-9]+$
  19129. type: string
  19130. name:
  19131. description: The name of the object located at the provider type.
  19132. maxLength: 253
  19133. minLength: 1
  19134. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19135. type: string
  19136. namespace:
  19137. description: |-
  19138. The namespace the Provider type is in.
  19139. Can only be defined when used in a ClusterSecretStore.
  19140. maxLength: 63
  19141. minLength: 1
  19142. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19143. type: string
  19144. type:
  19145. description: The type of provider to use such as "Secret", or "ConfigMap".
  19146. enum:
  19147. - Secret
  19148. - ConfigMap
  19149. type: string
  19150. required:
  19151. - name
  19152. - type
  19153. type: object
  19154. namespace:
  19155. description: |-
  19156. Name of the [OpenBao Namespace]. Namespaces is a set of features within
  19157. OpenBao that allows OpenBao environments to support secure multi-tenancy.
  19158. e.g: "ns1".
  19159. [OpenBao Namespace]: https://openbao.org/docs/concepts/namespaces/
  19160. type: string
  19161. path:
  19162. description: |-
  19163. Path is the mount path of the OpenBao KV backend endpoint, e.g:
  19164. "secret". The v2 KV secret engine version specific "/data" path suffix
  19165. for fetching secrets from OpenBao is optional and will be appended
  19166. if not present in specified path.
  19167. type: string
  19168. server:
  19169. description: 'Server is the connection address for the OpenBao server, e.g: `https://openbao.example.com:8200`.'
  19170. type: string
  19171. version:
  19172. default: v2
  19173. description: |-
  19174. Version is the OpenBao KV secret engine version. This can be either "v1" or
  19175. "v2". Version defaults to "v2".
  19176. enum:
  19177. - v1
  19178. - v2
  19179. type: string
  19180. required:
  19181. - server
  19182. type: object
  19183. x-kubernetes-validations:
  19184. - message: at most one of the fields in [caBundle caProvider] may be set
  19185. rule: '[has(self.caBundle),has(self.caProvider)].filter(x,x==true).size() <= 1'
  19186. oracle:
  19187. description: Oracle configures this store to sync secrets using the Oracle Vault provider
  19188. properties:
  19189. auth:
  19190. description: |-
  19191. Auth configures how secret-manager authenticates with the Oracle Vault.
  19192. If empty, use the instance principal, otherwise the user credentials specified in Auth.
  19193. properties:
  19194. secretRef:
  19195. description: SecretRef to pass through sensitive information.
  19196. properties:
  19197. fingerprint:
  19198. description: Fingerprint is the fingerprint of the API private key.
  19199. properties:
  19200. key:
  19201. description: |-
  19202. A key in the referenced Secret.
  19203. Some instances of this field may be defaulted, in others it may be required.
  19204. maxLength: 253
  19205. minLength: 1
  19206. pattern: ^[-._a-zA-Z0-9]+$
  19207. type: string
  19208. name:
  19209. description: The name of the Secret resource being referred to.
  19210. maxLength: 253
  19211. minLength: 1
  19212. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19213. type: string
  19214. namespace:
  19215. description: |-
  19216. The namespace of the Secret resource being referred to.
  19217. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19218. maxLength: 63
  19219. minLength: 1
  19220. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19221. type: string
  19222. type: object
  19223. privatekey:
  19224. description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
  19225. properties:
  19226. key:
  19227. description: |-
  19228. A key in the referenced Secret.
  19229. Some instances of this field may be defaulted, in others it may be required.
  19230. maxLength: 253
  19231. minLength: 1
  19232. pattern: ^[-._a-zA-Z0-9]+$
  19233. type: string
  19234. name:
  19235. description: The name of the Secret resource being referred to.
  19236. maxLength: 253
  19237. minLength: 1
  19238. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19239. type: string
  19240. namespace:
  19241. description: |-
  19242. The namespace of the Secret resource being referred to.
  19243. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19244. maxLength: 63
  19245. minLength: 1
  19246. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19247. type: string
  19248. type: object
  19249. required:
  19250. - fingerprint
  19251. - privatekey
  19252. type: object
  19253. tenancy:
  19254. description: Tenancy is the tenancy OCID where the user is located.
  19255. type: string
  19256. user:
  19257. description: User is an access OCID specific to the account.
  19258. type: string
  19259. required:
  19260. - secretRef
  19261. - tenancy
  19262. - user
  19263. type: object
  19264. compartment:
  19265. description: |-
  19266. Compartment is the vault compartment OCID.
  19267. Required for PushSecret
  19268. type: string
  19269. encryptionKey:
  19270. description: |-
  19271. EncryptionKey is the OCID of the encryption key within the vault.
  19272. Required for PushSecret
  19273. type: string
  19274. principalType:
  19275. description: |-
  19276. The type of principal to use for authentication. If left blank, the Auth struct will
  19277. determine the principal type. This optional field must be specified if using
  19278. workload identity.
  19279. enum:
  19280. - ""
  19281. - UserPrincipal
  19282. - InstancePrincipal
  19283. - Workload
  19284. type: string
  19285. region:
  19286. description: Region is the region where vault is located.
  19287. type: string
  19288. serviceAccountRef:
  19289. description: |-
  19290. ServiceAccountRef specifies the service account
  19291. that should be used when authenticating with WorkloadIdentity.
  19292. properties:
  19293. audiences:
  19294. description: |-
  19295. Audience specifies the `aud` claim for the service account token
  19296. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  19297. then these audiences will be appended to the list
  19298. items:
  19299. type: string
  19300. type: array
  19301. name:
  19302. description: The name of the ServiceAccount resource being referred to.
  19303. maxLength: 253
  19304. minLength: 1
  19305. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19306. type: string
  19307. namespace:
  19308. description: |-
  19309. Namespace of the resource being referred to.
  19310. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19311. maxLength: 63
  19312. minLength: 1
  19313. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19314. type: string
  19315. required:
  19316. - name
  19317. type: object
  19318. vault:
  19319. description: Vault is the OCID of the specific vault where the secret is located.
  19320. type: string
  19321. required:
  19322. - region
  19323. - vault
  19324. type: object
  19325. ovh:
  19326. description: OVHcloud configures this store to sync secrets using the OVHcloud provider.
  19327. properties:
  19328. auth:
  19329. description: Authentication method (mtls or token).
  19330. properties:
  19331. mtls:
  19332. description: OvhClientMTLS defines the configuration required to authenticate to OVHcloud's Secret Manager using mTLS.
  19333. properties:
  19334. caBundle:
  19335. format: byte
  19336. type: string
  19337. caProvider:
  19338. description: |-
  19339. CAProvider provides a custom certificate authority for accessing the provider's store.
  19340. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate.
  19341. properties:
  19342. key:
  19343. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  19344. maxLength: 253
  19345. minLength: 1
  19346. pattern: ^[-._a-zA-Z0-9]+$
  19347. type: string
  19348. name:
  19349. description: The name of the object located at the provider type.
  19350. maxLength: 253
  19351. minLength: 1
  19352. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19353. type: string
  19354. namespace:
  19355. description: |-
  19356. The namespace the Provider type is in.
  19357. Can only be defined when used in a ClusterSecretStore.
  19358. maxLength: 63
  19359. minLength: 1
  19360. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19361. type: string
  19362. type:
  19363. description: The type of provider to use such as "Secret", or "ConfigMap".
  19364. enum:
  19365. - Secret
  19366. - ConfigMap
  19367. type: string
  19368. required:
  19369. - name
  19370. - type
  19371. type: object
  19372. certSecretRef:
  19373. description: |-
  19374. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  19375. In some instances, `key` is a required field.
  19376. properties:
  19377. key:
  19378. description: |-
  19379. A key in the referenced Secret.
  19380. Some instances of this field may be defaulted, in others it may be required.
  19381. maxLength: 253
  19382. minLength: 1
  19383. pattern: ^[-._a-zA-Z0-9]+$
  19384. type: string
  19385. name:
  19386. description: The name of the Secret resource being referred to.
  19387. maxLength: 253
  19388. minLength: 1
  19389. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19390. type: string
  19391. namespace:
  19392. description: |-
  19393. The namespace of the Secret resource being referred to.
  19394. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19395. maxLength: 63
  19396. minLength: 1
  19397. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19398. type: string
  19399. type: object
  19400. keySecretRef:
  19401. description: |-
  19402. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  19403. In some instances, `key` is a required field.
  19404. properties:
  19405. key:
  19406. description: |-
  19407. A key in the referenced Secret.
  19408. Some instances of this field may be defaulted, in others it may be required.
  19409. maxLength: 253
  19410. minLength: 1
  19411. pattern: ^[-._a-zA-Z0-9]+$
  19412. type: string
  19413. name:
  19414. description: The name of the Secret resource being referred to.
  19415. maxLength: 253
  19416. minLength: 1
  19417. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19418. type: string
  19419. namespace:
  19420. description: |-
  19421. The namespace of the Secret resource being referred to.
  19422. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19423. maxLength: 63
  19424. minLength: 1
  19425. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19426. type: string
  19427. type: object
  19428. required:
  19429. - certSecretRef
  19430. - keySecretRef
  19431. type: object
  19432. token:
  19433. description: OvhClientToken defines the configuration required to authenticate to OVHcloud's Secret Manager using a token.
  19434. properties:
  19435. tokenSecretRef:
  19436. description: |-
  19437. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  19438. In some instances, `key` is a required field.
  19439. properties:
  19440. key:
  19441. description: |-
  19442. A key in the referenced Secret.
  19443. Some instances of this field may be defaulted, in others it may be required.
  19444. maxLength: 253
  19445. minLength: 1
  19446. pattern: ^[-._a-zA-Z0-9]+$
  19447. type: string
  19448. name:
  19449. description: The name of the Secret resource being referred to.
  19450. maxLength: 253
  19451. minLength: 1
  19452. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19453. type: string
  19454. namespace:
  19455. description: |-
  19456. The namespace of the Secret resource being referred to.
  19457. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19458. maxLength: 63
  19459. minLength: 1
  19460. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19461. type: string
  19462. type: object
  19463. required:
  19464. - tokenSecretRef
  19465. type: object
  19466. type: object
  19467. casRequired:
  19468. description: 'Enables or disables check-and-set (CAS) (default: false).'
  19469. type: boolean
  19470. okmsTimeout:
  19471. default: 30
  19472. description: 'Timeout in seconds for requests made to the KMS (default: 30).'
  19473. format: int32
  19474. minimum: 1
  19475. type: integer
  19476. okmsid:
  19477. description: specifies the OKMS ID.
  19478. type: string
  19479. server:
  19480. description: specifies the OKMS server endpoint.
  19481. type: string
  19482. required:
  19483. - auth
  19484. - okmsid
  19485. - server
  19486. type: object
  19487. passbolt:
  19488. description: |-
  19489. PassboltProvider provides access to Passbolt secrets manager.
  19490. See: https://www.passbolt.com.
  19491. properties:
  19492. auth:
  19493. description: Auth defines the information necessary to authenticate against Passbolt Server
  19494. properties:
  19495. passwordSecretRef:
  19496. description: |-
  19497. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  19498. In some instances, `key` is a required field.
  19499. properties:
  19500. key:
  19501. description: |-
  19502. A key in the referenced Secret.
  19503. Some instances of this field may be defaulted, in others it may be required.
  19504. maxLength: 253
  19505. minLength: 1
  19506. pattern: ^[-._a-zA-Z0-9]+$
  19507. type: string
  19508. name:
  19509. description: The name of the Secret resource being referred to.
  19510. maxLength: 253
  19511. minLength: 1
  19512. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19513. type: string
  19514. namespace:
  19515. description: |-
  19516. The namespace of the Secret resource being referred to.
  19517. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19518. maxLength: 63
  19519. minLength: 1
  19520. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19521. type: string
  19522. type: object
  19523. privateKeySecretRef:
  19524. description: |-
  19525. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  19526. In some instances, `key` is a required field.
  19527. properties:
  19528. key:
  19529. description: |-
  19530. A key in the referenced Secret.
  19531. Some instances of this field may be defaulted, in others it may be required.
  19532. maxLength: 253
  19533. minLength: 1
  19534. pattern: ^[-._a-zA-Z0-9]+$
  19535. type: string
  19536. name:
  19537. description: The name of the Secret resource being referred to.
  19538. maxLength: 253
  19539. minLength: 1
  19540. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19541. type: string
  19542. namespace:
  19543. description: |-
  19544. The namespace of the Secret resource being referred to.
  19545. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19546. maxLength: 63
  19547. minLength: 1
  19548. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19549. type: string
  19550. type: object
  19551. required:
  19552. - passwordSecretRef
  19553. - privateKeySecretRef
  19554. type: object
  19555. caBundle:
  19556. description: |-
  19557. PEM encoded CA bundle used to validate Passbolt server certificate. Only used
  19558. if the Host URL is using HTTPS protocol. If not set the system root certificates
  19559. are used to validate the TLS connection.
  19560. format: byte
  19561. type: string
  19562. caProvider:
  19563. description: The provider for the CA bundle to use to validate Passbolt server certificate.
  19564. properties:
  19565. key:
  19566. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  19567. maxLength: 253
  19568. minLength: 1
  19569. pattern: ^[-._a-zA-Z0-9]+$
  19570. type: string
  19571. name:
  19572. description: The name of the object located at the provider type.
  19573. maxLength: 253
  19574. minLength: 1
  19575. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19576. type: string
  19577. namespace:
  19578. description: |-
  19579. The namespace the Provider type is in.
  19580. Can only be defined when used in a ClusterSecretStore.
  19581. maxLength: 63
  19582. minLength: 1
  19583. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19584. type: string
  19585. type:
  19586. description: The type of provider to use such as "Secret", or "ConfigMap".
  19587. enum:
  19588. - Secret
  19589. - ConfigMap
  19590. type: string
  19591. required:
  19592. - name
  19593. - type
  19594. type: object
  19595. host:
  19596. description: Host defines the Passbolt Server to connect to
  19597. type: string
  19598. required:
  19599. - auth
  19600. - host
  19601. type: object
  19602. passworddepot:
  19603. description: PasswordDepotProvider configures a store to sync secrets with a Password Depot instance.
  19604. properties:
  19605. auth:
  19606. description: Auth configures how secret-manager authenticates with a Password Depot instance.
  19607. properties:
  19608. secretRef:
  19609. description: PasswordDepotSecretRef contains the secret reference for Password Depot authentication.
  19610. properties:
  19611. credentials:
  19612. description: Username / Password is used for authentication.
  19613. properties:
  19614. key:
  19615. description: |-
  19616. A key in the referenced Secret.
  19617. Some instances of this field may be defaulted, in others it may be required.
  19618. maxLength: 253
  19619. minLength: 1
  19620. pattern: ^[-._a-zA-Z0-9]+$
  19621. type: string
  19622. name:
  19623. description: The name of the Secret resource being referred to.
  19624. maxLength: 253
  19625. minLength: 1
  19626. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19627. type: string
  19628. namespace:
  19629. description: |-
  19630. The namespace of the Secret resource being referred to.
  19631. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19632. maxLength: 63
  19633. minLength: 1
  19634. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19635. type: string
  19636. type: object
  19637. type: object
  19638. required:
  19639. - secretRef
  19640. type: object
  19641. database:
  19642. description: Database to use as source
  19643. type: string
  19644. host:
  19645. description: Host configures the Password Depot instance URL.
  19646. type: string
  19647. required:
  19648. - auth
  19649. - database
  19650. - host
  19651. type: object
  19652. previder:
  19653. description: Previder configures this store to sync secrets using the Previder provider
  19654. properties:
  19655. auth:
  19656. description: PreviderAuth contains a secretRef for credentials.
  19657. properties:
  19658. secretRef:
  19659. description: PreviderAuthSecretRef holds secret references for Previder Vault credentials.
  19660. properties:
  19661. accessToken:
  19662. description: The AccessToken is used for authentication
  19663. properties:
  19664. key:
  19665. description: |-
  19666. A key in the referenced Secret.
  19667. Some instances of this field may be defaulted, in others it may be required.
  19668. maxLength: 253
  19669. minLength: 1
  19670. pattern: ^[-._a-zA-Z0-9]+$
  19671. type: string
  19672. name:
  19673. description: The name of the Secret resource being referred to.
  19674. maxLength: 253
  19675. minLength: 1
  19676. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19677. type: string
  19678. namespace:
  19679. description: |-
  19680. The namespace of the Secret resource being referred to.
  19681. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19682. maxLength: 63
  19683. minLength: 1
  19684. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19685. type: string
  19686. type: object
  19687. required:
  19688. - accessToken
  19689. type: object
  19690. type: object
  19691. baseUri:
  19692. type: string
  19693. required:
  19694. - auth
  19695. type: object
  19696. pulumi:
  19697. description: Pulumi configures this store to sync secrets using the Pulumi provider
  19698. properties:
  19699. accessToken:
  19700. description: |-
  19701. AccessToken is the access token used to sign in to the Pulumi Cloud Console.
  19702. Deprecated: Use auth.accessToken instead.
  19703. properties:
  19704. secretRef:
  19705. description: SecretRef is a reference to a secret containing the Pulumi API token.
  19706. properties:
  19707. key:
  19708. description: |-
  19709. A key in the referenced Secret.
  19710. Some instances of this field may be defaulted, in others it may be required.
  19711. maxLength: 253
  19712. minLength: 1
  19713. pattern: ^[-._a-zA-Z0-9]+$
  19714. type: string
  19715. name:
  19716. description: The name of the Secret resource being referred to.
  19717. maxLength: 253
  19718. minLength: 1
  19719. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19720. type: string
  19721. namespace:
  19722. description: |-
  19723. The namespace of the Secret resource being referred to.
  19724. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19725. maxLength: 63
  19726. minLength: 1
  19727. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19728. type: string
  19729. type: object
  19730. type: object
  19731. apiUrl:
  19732. default: https://api.pulumi.com/api/esc
  19733. description: APIURL is the URL of the Pulumi API.
  19734. type: string
  19735. auth:
  19736. description: |-
  19737. Auth configures how the Operator authenticates with the Pulumi API.
  19738. Either auth or the deprecated accessToken field must be specified.
  19739. properties:
  19740. accessToken:
  19741. description: AccessToken authenticates using a Pulumi access token stored in a Kubernetes Secret.
  19742. properties:
  19743. secretRef:
  19744. description: SecretRef is a reference to a secret containing the Pulumi API token.
  19745. properties:
  19746. key:
  19747. description: |-
  19748. A key in the referenced Secret.
  19749. Some instances of this field may be defaulted, in others it may be required.
  19750. maxLength: 253
  19751. minLength: 1
  19752. pattern: ^[-._a-zA-Z0-9]+$
  19753. type: string
  19754. name:
  19755. description: The name of the Secret resource being referred to.
  19756. maxLength: 253
  19757. minLength: 1
  19758. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19759. type: string
  19760. namespace:
  19761. description: |-
  19762. The namespace of the Secret resource being referred to.
  19763. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19764. maxLength: 63
  19765. minLength: 1
  19766. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19767. type: string
  19768. type: object
  19769. type: object
  19770. oidcConfig:
  19771. description: OIDCConfig authenticates using Kubernetes ServiceAccount tokens via OIDC.
  19772. properties:
  19773. expirationSeconds:
  19774. default: 600
  19775. description: |-
  19776. ExpirationSeconds sets the token validity duration for service account and OIDC token.
  19777. Defaults to 10 minutes.
  19778. format: int64
  19779. minimum: 600
  19780. type: integer
  19781. organization:
  19782. description: Organization is the name of the Pulumi organization configured for OIDC authentication.
  19783. type: string
  19784. serviceAccountRef:
  19785. description: ServiceAccountRef specifies the Kubernetes ServiceAccount to use for authentication.
  19786. properties:
  19787. audiences:
  19788. description: |-
  19789. Audience specifies the `aud` claim for the service account token.
  19790. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity,
  19791. then these audiences will be appended to the list.
  19792. items:
  19793. type: string
  19794. type: array
  19795. name:
  19796. description: The name of the ServiceAccount resource being referred to.
  19797. maxLength: 253
  19798. minLength: 1
  19799. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19800. type: string
  19801. namespace:
  19802. description: |-
  19803. Namespace of the resource being referred to.
  19804. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19805. maxLength: 63
  19806. minLength: 1
  19807. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19808. type: string
  19809. required:
  19810. - name
  19811. type: object
  19812. required:
  19813. - organization
  19814. - serviceAccountRef
  19815. type: object
  19816. type: object
  19817. x-kubernetes-validations:
  19818. - message: Exactly one of 'accessToken' or 'oidcConfig' must be specified
  19819. rule: (has(self.accessToken) && !has(self.oidcConfig)) || (!has(self.accessToken) && has(self.oidcConfig))
  19820. environment:
  19821. description: |-
  19822. Environment is a YAML document composed of static key-value pairs, programmatic expressions,
  19823. dynamically retrieved values from supported providers including all major clouds,
  19824. and other Pulumi ESC environments.
  19825. To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information.
  19826. type: string
  19827. organization:
  19828. description: |-
  19829. Organization is a space to collaborate on shared projects and stacks.
  19830. To create a new organization, visit https://app.pulumi.com/ and click "New Organization".
  19831. type: string
  19832. project:
  19833. description: Project is the name of the Pulumi ESC project the environment belongs to.
  19834. type: string
  19835. required:
  19836. - environment
  19837. - organization
  19838. - project
  19839. type: object
  19840. x-kubernetes-validations:
  19841. - message: Exactly one of 'auth' or deprecated 'accessToken' must be specified
  19842. rule: (has(self.auth) && !has(self.accessToken)) || (!has(self.auth) && has(self.accessToken))
  19843. scaleway:
  19844. description: Scaleway configures this store to sync secrets using the Scaleway provider.
  19845. properties:
  19846. accessKey:
  19847. description: AccessKey is the non-secret part of the api key.
  19848. properties:
  19849. secretRef:
  19850. description: SecretRef references a key in a secret that will be used as value.
  19851. properties:
  19852. key:
  19853. description: |-
  19854. A key in the referenced Secret.
  19855. Some instances of this field may be defaulted, in others it may be required.
  19856. maxLength: 253
  19857. minLength: 1
  19858. pattern: ^[-._a-zA-Z0-9]+$
  19859. type: string
  19860. name:
  19861. description: The name of the Secret resource being referred to.
  19862. maxLength: 253
  19863. minLength: 1
  19864. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19865. type: string
  19866. namespace:
  19867. description: |-
  19868. The namespace of the Secret resource being referred to.
  19869. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19870. maxLength: 63
  19871. minLength: 1
  19872. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19873. type: string
  19874. type: object
  19875. value:
  19876. description: Value can be specified directly to set a value without using a secret.
  19877. type: string
  19878. type: object
  19879. apiUrl:
  19880. description: APIURL is the url of the api to use. Defaults to https://api.scaleway.com
  19881. type: string
  19882. projectId:
  19883. description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings'
  19884. type: string
  19885. region:
  19886. description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone'
  19887. type: string
  19888. secretKey:
  19889. description: SecretKey is the secret part of the api key.
  19890. properties:
  19891. secretRef:
  19892. description: SecretRef references a key in a secret that will be used as value.
  19893. properties:
  19894. key:
  19895. description: |-
  19896. A key in the referenced Secret.
  19897. Some instances of this field may be defaulted, in others it may be required.
  19898. maxLength: 253
  19899. minLength: 1
  19900. pattern: ^[-._a-zA-Z0-9]+$
  19901. type: string
  19902. name:
  19903. description: The name of the Secret resource being referred to.
  19904. maxLength: 253
  19905. minLength: 1
  19906. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19907. type: string
  19908. namespace:
  19909. description: |-
  19910. The namespace of the Secret resource being referred to.
  19911. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19912. maxLength: 63
  19913. minLength: 1
  19914. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19915. type: string
  19916. type: object
  19917. value:
  19918. description: Value can be specified directly to set a value without using a secret.
  19919. type: string
  19920. type: object
  19921. required:
  19922. - accessKey
  19923. - projectId
  19924. - region
  19925. - secretKey
  19926. type: object
  19927. secretserver:
  19928. description: |-
  19929. SecretServer configures this store to sync secrets using SecretServer provider
  19930. https://docs.delinea.com/online-help/secret-server/start.htm
  19931. properties:
  19932. caBundle:
  19933. description: |-
  19934. PEM/base64 encoded CA bundle used to validate the Secret Server certificate at ServerURL. Only used
  19935. if the ServerURL is using the HTTPS protocol. If not set the system root certificates
  19936. are used to validate the TLS connection.
  19937. format: byte
  19938. type: string
  19939. caProvider:
  19940. description: The provider for the CA bundle to use to validate Secret ServerURL certificate.
  19941. properties:
  19942. key:
  19943. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  19944. maxLength: 253
  19945. minLength: 1
  19946. pattern: ^[-._a-zA-Z0-9]+$
  19947. type: string
  19948. name:
  19949. description: The name of the object located at the provider type.
  19950. maxLength: 253
  19951. minLength: 1
  19952. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19953. type: string
  19954. namespace:
  19955. description: |-
  19956. The namespace the Provider type is in.
  19957. Can only be defined when used in a ClusterSecretStore.
  19958. maxLength: 63
  19959. minLength: 1
  19960. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19961. type: string
  19962. type:
  19963. description: The type of provider to use such as "Secret", or "ConfigMap".
  19964. enum:
  19965. - Secret
  19966. - ConfigMap
  19967. type: string
  19968. required:
  19969. - name
  19970. - type
  19971. type: object
  19972. domain:
  19973. description: Domain is the secret server domain.
  19974. type: string
  19975. password:
  19976. description: Password is the secret server account password.
  19977. properties:
  19978. secretRef:
  19979. description: SecretRef references a key in a secret that will be used as value.
  19980. properties:
  19981. key:
  19982. description: |-
  19983. A key in the referenced Secret.
  19984. Some instances of this field may be defaulted, in others it may be required.
  19985. maxLength: 253
  19986. minLength: 1
  19987. pattern: ^[-._a-zA-Z0-9]+$
  19988. type: string
  19989. name:
  19990. description: The name of the Secret resource being referred to.
  19991. maxLength: 253
  19992. minLength: 1
  19993. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19994. type: string
  19995. namespace:
  19996. description: |-
  19997. The namespace of the Secret resource being referred to.
  19998. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19999. maxLength: 63
  20000. minLength: 1
  20001. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20002. type: string
  20003. type: object
  20004. value:
  20005. description: Value can be specified directly to set a value without using a secret.
  20006. type: string
  20007. type: object
  20008. serverURL:
  20009. description: |-
  20010. ServerURL is the URL of your Secret Server installation.
  20012. type: string
  20013. username:
  20014. description: Username is the secret server account username.
  20015. properties:
  20016. secretRef:
  20017. description: SecretRef references a key in a secret that will be used as value.
  20018. properties:
  20019. key:
  20020. description: |-
  20021. A key in the referenced Secret.
  20022. Some instances of this field may be defaulted, in others it may be required.
  20023. maxLength: 253
  20024. minLength: 1
  20025. pattern: ^[-._a-zA-Z0-9]+$
  20026. type: string
  20027. name:
  20028. description: The name of the Secret resource being referred to.
  20029. maxLength: 253
  20030. minLength: 1
  20031. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20032. type: string
  20033. namespace:
  20034. description: |-
  20035. The namespace of the Secret resource being referred to.
  20036. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20037. maxLength: 63
  20038. minLength: 1
  20039. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20040. type: string
  20041. type: object
  20042. value:
  20043. description: Value can be specified directly to set a value without using a secret.
  20044. type: string
  20045. type: object
  20046. required:
  20047. - password
  20048. - serverURL
  20049. - username
  20050. type: object
  20051. senhasegura:
  20052. description: Senhasegura configures this store to sync secrets using senhasegura provider
  20053. properties:
  20054. auth:
  20055. description: Auth defines parameters to authenticate in senhasegura
  20056. properties:
  20057. clientId:
  20058. type: string
  20059. clientSecretSecretRef:
  20060. description: |-
  20061. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  20062. In some instances, `key` is a required field.
  20063. properties:
  20064. key:
  20065. description: |-
  20066. A key in the referenced Secret.
  20067. Some instances of this field may be defaulted, in others it may be required.
  20068. maxLength: 253
  20069. minLength: 1
  20070. pattern: ^[-._a-zA-Z0-9]+$
  20071. type: string
  20072. name:
  20073. description: The name of the Secret resource being referred to.
  20074. maxLength: 253
  20075. minLength: 1
  20076. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20077. type: string
  20078. namespace:
  20079. description: |-
  20080. The namespace of the Secret resource being referred to.
  20081. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20082. maxLength: 63
  20083. minLength: 1
  20084. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20085. type: string
  20086. type: object
  20087. required:
  20088. - clientId
  20089. - clientSecretSecretRef
  20090. type: object
  20091. ignoreSslCertificate:
  20092. default: false
  20093. description: IgnoreSslCertificate defines whether the server's SSL certificate must be ignored (certificate verification is skipped)
  20094. type: boolean
  20095. module:
  20096. description: Module defines which senhasegura module should be used to get secrets
  20097. type: string
  20098. url:
  20099. description: URL of senhasegura
  20100. type: string
  20101. required:
  20102. - auth
  20103. - module
  20104. - url
  20105. type: object
  20106. vault:
  20107. description: Vault configures this store to sync secrets using the HashiCorp Vault provider.
  20108. properties:
  20109. auth:
  20110. description: Auth configures how secret-manager authenticates with the Vault server.
  20111. properties:
  20112. appRole:
  20113. description: |-
  20114. AppRole authenticates with Vault using the App Role auth mechanism,
  20115. with the role and secret stored in a Kubernetes Secret resource.
  20116. properties:
  20117. path:
  20118. default: approle
  20119. description: |-
  20120. Path where the App Role authentication backend is mounted
  20121. in Vault, e.g: "approle"
  20122. type: string
  20123. roleId:
  20124. description: |-
  20125. RoleID configured in the App Role authentication backend when setting
  20126. up the authentication backend in Vault.
  20127. type: string
  20128. roleRef:
  20129. description: |-
  20130. Reference to a key in a Secret that contains the App Role ID used
  20131. to authenticate with Vault.
  20132. The `key` field must be specified and denotes which entry within the Secret
  20133. resource is used as the app role id.
  20134. properties:
  20135. key:
  20136. description: |-
  20137. A key in the referenced Secret.
  20138. Some instances of this field may be defaulted, in others it may be required.
  20139. maxLength: 253
  20140. minLength: 1
  20141. pattern: ^[-._a-zA-Z0-9]+$
  20142. type: string
  20143. name:
  20144. description: The name of the Secret resource being referred to.
  20145. maxLength: 253
  20146. minLength: 1
  20147. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20148. type: string
  20149. namespace:
  20150. description: |-
  20151. The namespace of the Secret resource being referred to.
  20152. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20153. maxLength: 63
  20154. minLength: 1
  20155. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20156. type: string
  20157. type: object
  20158. secretRef:
  20159. description: |-
  20160. Reference to a key in a Secret that contains the App Role secret used
  20161. to authenticate with Vault.
  20162. The `key` field must be specified and denotes which entry within the Secret
  20163. resource is used as the app role secret.
  20164. properties:
  20165. key:
  20166. description: |-
  20167. A key in the referenced Secret.
  20168. Some instances of this field may be defaulted, in others it may be required.
  20169. maxLength: 253
  20170. minLength: 1
  20171. pattern: ^[-._a-zA-Z0-9]+$
  20172. type: string
  20173. name:
  20174. description: The name of the Secret resource being referred to.
  20175. maxLength: 253
  20176. minLength: 1
  20177. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20178. type: string
  20179. namespace:
  20180. description: |-
  20181. The namespace of the Secret resource being referred to.
  20182. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20183. maxLength: 63
  20184. minLength: 1
  20185. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20186. type: string
  20187. type: object
  20188. required:
  20189. - path
  20190. - secretRef
  20191. type: object
  20192. cert:
  20193. description: |-
  20194. Cert authenticates with Vault using the Cert authentication method by passing a client certificate,
  20195. private key and CA certificate
  20196. properties:
  20197. clientCert:
  20198. description: |-
  20199. ClientCert is a certificate to authenticate using the Cert Vault
  20200. authentication method
  20201. properties:
  20202. key:
  20203. description: |-
  20204. A key in the referenced Secret.
  20205. Some instances of this field may be defaulted, in others it may be required.
  20206. maxLength: 253
  20207. minLength: 1
  20208. pattern: ^[-._a-zA-Z0-9]+$
  20209. type: string
  20210. name:
  20211. description: The name of the Secret resource being referred to.
  20212. maxLength: 253
  20213. minLength: 1
  20214. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20215. type: string
  20216. namespace:
  20217. description: |-
  20218. The namespace of the Secret resource being referred to.
  20219. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20220. maxLength: 63
  20221. minLength: 1
  20222. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20223. type: string
  20224. type: object
  20225. path:
  20226. default: cert
  20227. description: |-
  20228. Path where the Certificate authentication backend is mounted
  20229. in Vault, e.g: "cert"
  20230. type: string
  20231. secretRef:
  20232. description: |-
  20233. SecretRef to a key in a Secret resource containing client private key to
  20234. authenticate with Vault using the Cert authentication method
  20235. properties:
  20236. key:
  20237. description: |-
  20238. A key in the referenced Secret.
  20239. Some instances of this field may be defaulted, in others it may be required.
  20240. maxLength: 253
  20241. minLength: 1
  20242. pattern: ^[-._a-zA-Z0-9]+$
  20243. type: string
  20244. name:
  20245. description: The name of the Secret resource being referred to.
  20246. maxLength: 253
  20247. minLength: 1
  20248. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20249. type: string
  20250. namespace:
  20251. description: |-
  20252. The namespace of the Secret resource being referred to.
  20253. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20254. maxLength: 63
  20255. minLength: 1
  20256. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20257. type: string
  20258. type: object
  20259. vaultRole:
  20260. description: VaultRole specifies the Vault role to use for TLS certificate authentication.
  20261. type: string
  20262. type: object
  20263. gcp:
  20264. description: |-
  20265. Gcp authenticates with Vault using the Google Cloud Platform (GCP)
  20266. authentication method
  20267. properties:
  20268. location:
  20269. description: Location optionally defines a location/region for the secret
  20270. type: string
  20271. path:
  20272. default: gcp
  20273. description: 'Path where the GCP auth method is enabled in Vault, e.g: "gcp"'
  20274. type: string
  20275. projectID:
  20276. description: Project ID of the Google Cloud Platform project
  20277. type: string
  20278. role:
  20279. description: Vault Role. In Vault, a role describes an identity with a set of permissions, groups, or policies you want to attach to a user of the secrets engine.
  20280. type: string
  20281. secretRef:
  20282. description: Specify credentials in a Secret object
  20283. properties:
  20284. secretAccessKeySecretRef:
  20285. description: The SecretAccessKey is used for authentication
  20286. properties:
  20287. key:
  20288. description: |-
  20289. A key in the referenced Secret.
  20290. Some instances of this field may be defaulted, in others it may be required.
  20291. maxLength: 253
  20292. minLength: 1
  20293. pattern: ^[-._a-zA-Z0-9]+$
  20294. type: string
  20295. name:
  20296. description: The name of the Secret resource being referred to.
  20297. maxLength: 253
  20298. minLength: 1
  20299. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20300. type: string
  20301. namespace:
  20302. description: |-
  20303. The namespace of the Secret resource being referred to.
  20304. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20305. maxLength: 63
  20306. minLength: 1
  20307. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20308. type: string
  20309. type: object
  20310. type: object
  20311. serviceAccountRef:
  20312. description: ServiceAccountRef to a service account for impersonation
  20313. properties:
  20314. audiences:
  20315. description: |-
  20316. Audience specifies the `aud` claim for the service account token
  20317. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  20318. then these audiences will be appended to the list
  20319. items:
  20320. type: string
  20321. type: array
  20322. name:
  20323. description: The name of the ServiceAccount resource being referred to.
  20324. maxLength: 253
  20325. minLength: 1
  20326. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20327. type: string
  20328. namespace:
  20329. description: |-
  20330. Namespace of the resource being referred to.
  20331. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20332. maxLength: 63
  20333. minLength: 1
  20334. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20335. type: string
  20336. required:
  20337. - name
  20338. type: object
  20339. workloadIdentity:
  20340. description: Specify a service account with Workload Identity
  20341. properties:
  20342. clusterLocation:
  20343. description: |-
  20344. ClusterLocation is the location of the cluster
  20345. If not specified, it fetches information from the metadata server
  20346. type: string
  20347. clusterName:
  20348. description: |-
  20349. ClusterName is the name of the cluster
  20350. If not specified, it fetches information from the metadata server
  20351. type: string
  20352. clusterProjectID:
  20353. description: |-
  20354. ClusterProjectID is the project ID of the cluster
  20355. If not specified, it fetches information from the metadata server
  20356. type: string
  20357. serviceAccountRef:
  20358. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  20359. properties:
  20360. audiences:
  20361. description: |-
  20362. Audience specifies the `aud` claim for the service account token
  20363. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  20364. then these audiences will be appended to the list
  20365. items:
  20366. type: string
  20367. type: array
  20368. name:
  20369. description: The name of the ServiceAccount resource being referred to.
  20370. maxLength: 253
  20371. minLength: 1
  20372. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20373. type: string
  20374. namespace:
  20375. description: |-
  20376. Namespace of the resource being referred to.
  20377. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20378. maxLength: 63
  20379. minLength: 1
  20380. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20381. type: string
  20382. required:
  20383. - name
  20384. type: object
  20385. required:
  20386. - serviceAccountRef
  20387. type: object
  20388. required:
  20389. - role
  20390. type: object
  20391. iam:
  20392. description: |-
  20393. Iam authenticates with Vault using the AWS IAM authentication method by passing
  20394. a special AWS request signed with AWS IAM credentials
  20395. properties:
  20396. externalID:
  20397. description: AWS External ID set on assumed IAM roles
  20398. type: string
  20399. jwt:
  20400. description: Specify a service account with IRSA enabled
  20401. properties:
  20402. serviceAccountRef:
  20403. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  20404. properties:
  20405. audiences:
  20406. description: |-
  20407. Audience specifies the `aud` claim for the service account token
  20408. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  20409. then these audiences will be appended to the list
  20410. items:
  20411. type: string
  20412. type: array
  20413. name:
  20414. description: The name of the ServiceAccount resource being referred to.
  20415. maxLength: 253
  20416. minLength: 1
  20417. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20418. type: string
  20419. namespace:
  20420. description: |-
  20421. Namespace of the resource being referred to.
  20422. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20423. maxLength: 63
  20424. minLength: 1
  20425. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20426. type: string
  20427. required:
  20428. - name
  20429. type: object
  20430. type: object
  20431. path:
  20432. description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
  20433. type: string
  20434. region:
  20435. description: AWS region
  20436. type: string
  20437. role:
  20438. description: This is the AWS role to be assumed before talking to vault
  20439. type: string
  20440. secretRef:
  20441. description: Specify credentials in a Secret object
  20442. properties:
  20443. accessKeyIDSecretRef:
  20444. description: The AccessKeyID is used for authentication
  20445. properties:
  20446. key:
  20447. description: |-
  20448. A key in the referenced Secret.
  20449. Some instances of this field may be defaulted, in others it may be required.
  20450. maxLength: 253
  20451. minLength: 1
  20452. pattern: ^[-._a-zA-Z0-9]+$
  20453. type: string
  20454. name:
  20455. description: The name of the Secret resource being referred to.
  20456. maxLength: 253
  20457. minLength: 1
  20458. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20459. type: string
  20460. namespace:
  20461. description: |-
  20462. The namespace of the Secret resource being referred to.
  20463. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20464. maxLength: 63
  20465. minLength: 1
  20466. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20467. type: string
  20468. type: object
  20469. secretAccessKeySecretRef:
  20470. description: The SecretAccessKey is used for authentication
  20471. properties:
  20472. key:
  20473. description: |-
  20474. A key in the referenced Secret.
  20475. Some instances of this field may be defaulted, in others it may be required.
  20476. maxLength: 253
  20477. minLength: 1
  20478. pattern: ^[-._a-zA-Z0-9]+$
  20479. type: string
  20480. name:
  20481. description: The name of the Secret resource being referred to.
  20482. maxLength: 253
  20483. minLength: 1
  20484. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20485. type: string
  20486. namespace:
  20487. description: |-
  20488. The namespace of the Secret resource being referred to.
  20489. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20490. maxLength: 63
  20491. minLength: 1
  20492. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20493. type: string
  20494. type: object
  20495. sessionTokenSecretRef:
  20496. description: |-
  20497. The SessionToken used for authentication
  20498. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  20499. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  20500. properties:
  20501. key:
  20502. description: |-
  20503. A key in the referenced Secret.
  20504. Some instances of this field may be defaulted, in others it may be required.
  20505. maxLength: 253
  20506. minLength: 1
  20507. pattern: ^[-._a-zA-Z0-9]+$
  20508. type: string
  20509. name:
  20510. description: The name of the Secret resource being referred to.
  20511. maxLength: 253
  20512. minLength: 1
  20513. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20514. type: string
  20515. namespace:
  20516. description: |-
  20517. The namespace of the Secret resource being referred to.
  20518. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20519. maxLength: 63
  20520. minLength: 1
  20521. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20522. type: string
  20523. type: object
  20524. type: object
  20525. vaultAwsIamServerID:
  20526. description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
  20527. type: string
  20528. vaultRole:
  20529. description: Vault Role. In Vault, a role describes an identity with a set of permissions, groups, or policies you want to attach to a user of the secrets engine.
  20530. type: string
  20531. required:
  20532. - vaultRole
  20533. type: object
  20534. jwt:
  20535. description: |-
  20536. Jwt authenticates with Vault by passing role and JWT token using the
  20537. JWT/OIDC authentication method
  20538. properties:
  20539. kubernetesServiceAccountToken:
  20540. description: |-
  20541. Optional ServiceAccountToken specifies the Kubernetes service account for which to request
  20542. a token with the `TokenRequest` API.
  20543. properties:
  20544. audiences:
  20545. description: |-
  20546. Optional audiences field that will be used to request a temporary Kubernetes service
  20547. account token for the service account referenced by `serviceAccountRef`.
  20548. Defaults to a single audience `vault` if not specified.
  20549. Deprecated: use serviceAccountRef.Audiences instead
  20550. items:
  20551. type: string
  20552. type: array
  20553. expirationSeconds:
  20554. description: |-
  20555. Optional expiration time in seconds that will be used to request a temporary
  20556. Kubernetes service account token for the service account referenced by
  20557. `serviceAccountRef`.
  20558. Deprecated: this will be removed in the future.
  20559. Defaults to 10 minutes.
  20560. format: int64
  20561. type: integer
  20562. serviceAccountRef:
  20563. description: Service account field containing the name of a kubernetes ServiceAccount.
  20564. properties:
  20565. audiences:
  20566. description: |-
  20567. Audience specifies the `aud` claim for the service account token
  20568. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  20569. then these audiences will be appended to the list
  20570. items:
  20571. type: string
  20572. type: array
  20573. name:
  20574. description: The name of the ServiceAccount resource being referred to.
  20575. maxLength: 253
  20576. minLength: 1
  20577. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20578. type: string
  20579. namespace:
  20580. description: |-
  20581. Namespace of the resource being referred to.
  20582. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20583. maxLength: 63
  20584. minLength: 1
  20585. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20586. type: string
  20587. required:
  20588. - name
  20589. type: object
  20590. required:
  20591. - serviceAccountRef
  20592. type: object
  20593. path:
  20594. default: jwt
  20595. description: |-
  20596. Path where the JWT authentication backend is mounted
  20597. in Vault, e.g: "jwt"
  20598. type: string
  20599. role:
  20600. description: |-
  20601. Role is a JWT role to authenticate using the JWT/OIDC Vault
  20602. authentication method
  20603. type: string
  20604. secretRef:
  20605. description: |-
  20606. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  20607. authenticate with Vault using the JWT/OIDC authentication method.
  20608. properties:
  20609. key:
  20610. description: |-
  20611. A key in the referenced Secret.
  20612. Some instances of this field may be defaulted, in others it may be required.
  20613. maxLength: 253
  20614. minLength: 1
  20615. pattern: ^[-._a-zA-Z0-9]+$
  20616. type: string
  20617. name:
  20618. description: The name of the Secret resource being referred to.
  20619. maxLength: 253
  20620. minLength: 1
  20621. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20622. type: string
  20623. namespace:
  20624. description: |-
  20625. The namespace of the Secret resource being referred to.
  20626. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20627. maxLength: 63
  20628. minLength: 1
  20629. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20630. type: string
  20631. type: object
  20632. required:
  20633. - path
  20634. type: object
  20635. kubernetes:
  20636. description: |-
  20637. Kubernetes authenticates with Vault by passing the ServiceAccount
  20638. token stored in the named Secret resource to the Vault server.
  20639. properties:
  20640. mountPath:
  20641. default: kubernetes
  20642. description: |-
  20643. Path where the Kubernetes authentication backend is mounted in Vault, e.g:
  20644. "kubernetes"
  20645. type: string
  20646. role:
  20647. description: |-
  20648. A required field containing the Vault Role to assume. A Role binds a
  20649. Kubernetes ServiceAccount with a set of Vault policies.
  20650. type: string
  20651. secretRef:
  20652. description: |-
  20653. Optional secret field containing a Kubernetes ServiceAccount JWT used
  20654. for authenticating with Vault. If a name is specified without a key,
  20655. `token` is the default. If no secret is specified, the ServiceAccount token
  20656. bound to the controller will be used.
  20657. properties:
  20658. key:
  20659. description: |-
  20660. A key in the referenced Secret.
  20661. Some instances of this field may be defaulted, in others it may be required.
  20662. maxLength: 253
  20663. minLength: 1
  20664. pattern: ^[-._a-zA-Z0-9]+$
  20665. type: string
  20666. name:
  20667. description: The name of the Secret resource being referred to.
  20668. maxLength: 253
  20669. minLength: 1
  20670. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20671. type: string
  20672. namespace:
  20673. description: |-
  20674. The namespace of the Secret resource being referred to.
  20675. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20676. maxLength: 63
  20677. minLength: 1
  20678. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20679. type: string
  20680. type: object
  20681. serviceAccountRef:
  20682. description: |-
  20683. Optional service account field containing the name of a kubernetes ServiceAccount.
  20684. If the service account is specified, the service account secret token JWT will be used
  20685. for authenticating with Vault. If the service account selector is not supplied,
  20686. the secretRef will be used instead.
  20687. properties:
  20688. audiences:
  20689. description: |-
  20690. Audience specifies the `aud` claim for the service account token
  20691. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  20692. then these audiences will be appended to the list
  20693. items:
  20694. type: string
  20695. type: array
  20696. name:
  20697. description: The name of the ServiceAccount resource being referred to.
  20698. maxLength: 253
  20699. minLength: 1
  20700. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20701. type: string
  20702. namespace:
  20703. description: |-
  20704. Namespace of the resource being referred to.
  20705. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20706. maxLength: 63
  20707. minLength: 1
  20708. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20709. type: string
  20710. required:
  20711. - name
  20712. type: object
  20713. required:
  20714. - mountPath
  20715. - role
  20716. type: object
  20717. ldap:
  20718. description: |-
  20719. Ldap authenticates with Vault by passing username/password pair using
  20720. the LDAP authentication method
  20721. properties:
  20722. path:
  20723. default: ldap
  20724. description: |-
  20725. Path where the LDAP authentication backend is mounted
  20726. in Vault, e.g: "ldap"
  20727. type: string
  20728. secretRef:
  20729. description: |-
  20730. SecretRef to a key in a Secret resource containing password for the LDAP
  20731. user used to authenticate with Vault using the LDAP authentication
  20732. method
  20733. properties:
  20734. key:
  20735. description: |-
  20736. A key in the referenced Secret.
  20737. Some instances of this field may be defaulted, in others it may be required.
  20738. maxLength: 253
  20739. minLength: 1
  20740. pattern: ^[-._a-zA-Z0-9]+$
  20741. type: string
  20742. name:
  20743. description: The name of the Secret resource being referred to.
  20744. maxLength: 253
  20745. minLength: 1
  20746. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20747. type: string
  20748. namespace:
  20749. description: |-
  20750. The namespace of the Secret resource being referred to.
  20751. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20752. maxLength: 63
  20753. minLength: 1
  20754. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20755. type: string
  20756. type: object
  20757. username:
  20758. description: |-
  20759. Username is an LDAP username used to authenticate using the LDAP Vault
  20760. authentication method
  20761. type: string
  20762. required:
  20763. - path
  20764. - username
  20765. type: object
  20766. namespace:
  20767. description: |-
  20768. Name of the Vault namespace to authenticate to. This can be different from the namespace your secret is in.
  20769. Namespaces is a set of features within Vault Enterprise that allows
  20770. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  20771. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  20772. This will default to Vault.Namespace field if set, or empty otherwise
  20773. type: string
  20774. tokenSecretRef:
  20775. description: TokenSecretRef authenticates with Vault by presenting a token.
  20776. properties:
  20777. key:
  20778. description: |-
  20779. A key in the referenced Secret.
  20780. Some instances of this field may be defaulted, in others it may be required.
  20781. maxLength: 253
  20782. minLength: 1
  20783. pattern: ^[-._a-zA-Z0-9]+$
  20784. type: string
  20785. name:
  20786. description: The name of the Secret resource being referred to.
  20787. maxLength: 253
  20788. minLength: 1
  20789. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20790. type: string
  20791. namespace:
  20792. description: |-
  20793. The namespace of the Secret resource being referred to.
  20794. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20795. maxLength: 63
  20796. minLength: 1
  20797. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20798. type: string
  20799. type: object
  20800. userPass:
  20801. description: UserPass authenticates with Vault by passing username/password pair
  20802. properties:
  20803. path:
  20804. default: userpass
  20805. description: |-
  20806. Path where the UserPassword authentication backend is mounted
  20807. in Vault, e.g: "userpass"
  20808. type: string
  20809. secretRef:
  20810. description: |-
  20811. SecretRef to a key in a Secret resource containing password for the
  20812. user used to authenticate with Vault using the UserPass authentication
  20813. method
  20814. properties:
  20815. key:
  20816. description: |-
  20817. A key in the referenced Secret.
  20818. Some instances of this field may be defaulted, in others it may be required.
  20819. maxLength: 253
  20820. minLength: 1
  20821. pattern: ^[-._a-zA-Z0-9]+$
  20822. type: string
  20823. name:
  20824. description: The name of the Secret resource being referred to.
  20825. maxLength: 253
  20826. minLength: 1
  20827. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20828. type: string
  20829. namespace:
  20830. description: |-
  20831. The namespace of the Secret resource being referred to.
  20832. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20833. maxLength: 63
  20834. minLength: 1
  20835. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20836. type: string
  20837. type: object
  20838. username:
  20839. description: |-
  20840. Username is a username used to authenticate using the UserPass Vault
  20841. authentication method
  20842. type: string
  20843. required:
  20844. - path
  20845. - username
  20846. type: object
  20847. type: object
  20848. caBundle:
  20849. description: |-
  20850. PEM encoded CA bundle used to validate Vault server certificate. Only used
  20851. if the Server URL is using HTTPS protocol. This parameter is ignored for
  20852. plain HTTP protocol connection. If not set the system root certificates
  20853. are used to validate the TLS connection.
  20854. format: byte
  20855. type: string
  20856. caProvider:
  20857. description: The provider for the CA bundle to use to validate Vault server certificate.
  20858. properties:
  20859. key:
  20860. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  20861. maxLength: 253
  20862. minLength: 1
  20863. pattern: ^[-._a-zA-Z0-9]+$
  20864. type: string
  20865. name:
  20866. description: The name of the object located at the provider type.
  20867. maxLength: 253
  20868. minLength: 1
  20869. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20870. type: string
  20871. namespace:
  20872. description: |-
  20873. The namespace the Provider type is in.
  20874. Can only be defined when used in a ClusterSecretStore.
  20875. maxLength: 63
  20876. minLength: 1
  20877. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20878. type: string
  20879. type:
  20880. description: The type of provider to use such as "Secret", or "ConfigMap".
  20881. enum:
  20882. - Secret
  20883. - ConfigMap
  20884. type: string
  20885. required:
  20886. - name
  20887. - type
  20888. type: object
  20889. checkAndSet:
  20890. description: |-
  20891. CheckAndSet defines the Check-And-Set (CAS) settings for PushSecret operations.
  20892. Only applies to Vault KV v2 stores. When enabled, write operations must include
  20893. the current version of the secret to prevent unintentional overwrites.
  20894. properties:
  20895. required:
  20896. description: |-
  20897. Required when true, all write operations must include a check-and-set parameter.
  20898. This helps prevent unintentional overwrites of secrets.
  20899. type: boolean
  20900. type: object
  20901. forwardInconsistent:
  20902. description: |-
  20903. ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
  20904. leader instead of simply retrying within a loop. This can increase performance if
  20905. the option is enabled serverside.
  20906. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  20907. type: boolean
  20908. headers:
  20909. additionalProperties:
  20910. type: string
  20911. description: Headers to be added in Vault request
  20912. type: object
  20913. namespace:
  20914. description: |-
  20915. Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
  20916. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  20917. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  20918. type: string
  20919. path:
  20920. description: |-
  20921. Path is the mount path of the Vault KV backend endpoint, e.g:
  20922. "secret". The v2 KV secret engine version specific "/data" path suffix
  20923. for fetching secrets from Vault is optional and will be appended
  20924. if not present in specified path.
  20925. type: string
  20926. readYourWrites:
  20927. description: |-
  20928. ReadYourWrites ensures isolated read-after-write semantics by
  20929. providing discovered cluster replication states in each request.
  20930. More information about eventual consistency in Vault can be found here
  20931. https://www.vaultproject.io/docs/enterprise/consistency
  20932. type: boolean
  20933. server:
  20934. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  20935. type: string
  20936. tls:
  20937. description: |-
  20938. The configuration used for client side related TLS communication, when the Vault server
  20939. requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
  20940. This parameter is ignored for plain HTTP protocol connection.
  20941. It's worth noting this configuration is different from the "TLS certificates auth method",
  20942. which is available under the `auth.cert` section.
  20943. properties:
  20944. certSecretRef:
  20945. description: |-
  20946. CertSecretRef is a certificate added to the transport layer
  20947. when communicating with the Vault server.
  20948. If no key for the Secret is specified, external-secret will default to 'tls.crt'.
  20949. properties:
  20950. key:
  20951. description: |-
  20952. A key in the referenced Secret.
  20953. Some instances of this field may be defaulted, in others it may be required.
  20954. maxLength: 253
  20955. minLength: 1
  20956. pattern: ^[-._a-zA-Z0-9]+$
  20957. type: string
  20958. name:
  20959. description: The name of the Secret resource being referred to.
  20960. maxLength: 253
  20961. minLength: 1
  20962. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20963. type: string
  20964. namespace:
  20965. description: |-
  20966. The namespace of the Secret resource being referred to.
  20967. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20968. maxLength: 63
  20969. minLength: 1
  20970. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20971. type: string
  20972. type: object
  20973. keySecretRef:
  20974. description: |-
  20975. KeySecretRef to a key in a Secret resource containing client private key
  20976. added to the transport layer when communicating with the Vault server.
  20977. If no key for the Secret is specified, external-secret will default to 'tls.key'.
  20978. properties:
  20979. key:
  20980. description: |-
  20981. A key in the referenced Secret.
  20982. Some instances of this field may be defaulted, in others it may be required.
  20983. maxLength: 253
  20984. minLength: 1
  20985. pattern: ^[-._a-zA-Z0-9]+$
  20986. type: string
  20987. name:
  20988. description: The name of the Secret resource being referred to.
  20989. maxLength: 253
  20990. minLength: 1
  20991. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20992. type: string
  20993. namespace:
  20994. description: |-
  20995. The namespace of the Secret resource being referred to.
  20996. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20997. maxLength: 63
  20998. minLength: 1
  20999. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21000. type: string
  21001. type: object
  21002. type: object
  21003. version:
  21004. default: v2
  21005. description: |-
  21006. Version is the Vault KV secret engine version. This can be either "v1" or
  21007. "v2". Version defaults to "v2".
  21008. enum:
  21009. - v1
  21010. - v2
  21011. type: string
  21012. required:
  21013. - server
  21014. type: object
  21015. volcengine:
  21016. description: Volcengine configures this store to sync secrets using the Volcengine provider
  21017. properties:
  21018. auth:
  21019. description: |-
  21020. Auth defines the authentication method to use.
  21021. If not specified, the provider will try to use IRSA (IAM Role for Service Account).
  21022. properties:
  21023. secretRef:
  21024. description: |-
  21025. SecretRef defines the static credentials to use for authentication.
  21026. If not set, IRSA is used.
  21027. properties:
  21028. accessKeyID:
  21029. description: AccessKeyID is the reference to the secret containing the Access Key ID.
  21030. properties:
  21031. key:
  21032. description: |-
  21033. A key in the referenced Secret.
  21034. Some instances of this field may be defaulted, in others it may be required.
  21035. maxLength: 253
  21036. minLength: 1
  21037. pattern: ^[-._a-zA-Z0-9]+$
  21038. type: string
  21039. name:
  21040. description: The name of the Secret resource being referred to.
  21041. maxLength: 253
  21042. minLength: 1
  21043. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21044. type: string
  21045. namespace:
  21046. description: |-
  21047. The namespace of the Secret resource being referred to.
  21048. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21049. maxLength: 63
  21050. minLength: 1
  21051. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21052. type: string
  21053. type: object
  21054. secretAccessKey:
  21055. description: SecretAccessKey is the reference to the secret containing the Secret Access Key.
  21056. properties:
  21057. key:
  21058. description: |-
  21059. A key in the referenced Secret.
  21060. Some instances of this field may be defaulted, in others it may be required.
  21061. maxLength: 253
  21062. minLength: 1
  21063. pattern: ^[-._a-zA-Z0-9]+$
  21064. type: string
  21065. name:
  21066. description: The name of the Secret resource being referred to.
  21067. maxLength: 253
  21068. minLength: 1
  21069. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21070. type: string
  21071. namespace:
  21072. description: |-
  21073. The namespace of the Secret resource being referred to.
  21074. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21075. maxLength: 63
  21076. minLength: 1
  21077. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21078. type: string
  21079. type: object
  21080. token:
21081. description: Token is the reference to the secret containing the STS (Security Token Service) Token.
  21082. properties:
  21083. key:
  21084. description: |-
  21085. A key in the referenced Secret.
  21086. Some instances of this field may be defaulted, in others it may be required.
  21087. maxLength: 253
  21088. minLength: 1
  21089. pattern: ^[-._a-zA-Z0-9]+$
  21090. type: string
  21091. name:
  21092. description: The name of the Secret resource being referred to.
  21093. maxLength: 253
  21094. minLength: 1
  21095. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21096. type: string
  21097. namespace:
  21098. description: |-
  21099. The namespace of the Secret resource being referred to.
  21100. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21101. maxLength: 63
  21102. minLength: 1
  21103. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21104. type: string
  21105. type: object
  21106. required:
  21107. - accessKeyID
  21108. - secretAccessKey
  21109. type: object
  21110. type: object
  21111. region:
  21112. description: Region specifies the Volcengine region to connect to.
  21113. type: string
  21114. required:
  21115. - region
  21116. type: object
  21117. webhook:
  21118. description: Webhook configures this store to sync secrets using a generic templated webhook
  21119. properties:
  21120. auth:
21121. description: Auth specifies an authorization protocol. Only one protocol may be set.
  21122. maxProperties: 1
  21123. minProperties: 1
  21124. properties:
  21125. ntlm:
  21126. description: NTLMProtocol configures the store to use NTLM for auth
  21127. properties:
  21128. passwordSecret:
  21129. description: |-
  21130. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  21131. In some instances, `key` is a required field.
  21132. properties:
  21133. key:
  21134. description: |-
  21135. A key in the referenced Secret.
  21136. Some instances of this field may be defaulted, in others it may be required.
  21137. maxLength: 253
  21138. minLength: 1
  21139. pattern: ^[-._a-zA-Z0-9]+$
  21140. type: string
  21141. name:
  21142. description: The name of the Secret resource being referred to.
  21143. maxLength: 253
  21144. minLength: 1
  21145. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21146. type: string
  21147. namespace:
  21148. description: |-
  21149. The namespace of the Secret resource being referred to.
  21150. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21151. maxLength: 63
  21152. minLength: 1
  21153. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21154. type: string
  21155. type: object
  21156. usernameSecret:
  21157. description: |-
  21158. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  21159. In some instances, `key` is a required field.
  21160. properties:
  21161. key:
  21162. description: |-
  21163. A key in the referenced Secret.
  21164. Some instances of this field may be defaulted, in others it may be required.
  21165. maxLength: 253
  21166. minLength: 1
  21167. pattern: ^[-._a-zA-Z0-9]+$
  21168. type: string
  21169. name:
  21170. description: The name of the Secret resource being referred to.
  21171. maxLength: 253
  21172. minLength: 1
  21173. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21174. type: string
  21175. namespace:
  21176. description: |-
  21177. The namespace of the Secret resource being referred to.
  21178. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21179. maxLength: 63
  21180. minLength: 1
  21181. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21182. type: string
  21183. type: object
  21184. required:
  21185. - passwordSecret
  21186. - usernameSecret
  21187. type: object
  21188. type: object
  21189. body:
  21190. description: Body
  21191. type: string
  21192. caBundle:
  21193. description: |-
  21194. PEM encoded CA bundle used to validate webhook server certificate. Only used
  21195. if the Server URL is using HTTPS protocol. This parameter is ignored for
  21196. plain HTTP protocol connection. If not set the system root certificates
  21197. are used to validate the TLS connection.
  21198. format: byte
  21199. type: string
  21200. caProvider:
  21201. description: The provider for the CA bundle to use to validate webhook server certificate.
  21202. properties:
  21203. key:
  21204. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  21205. maxLength: 253
  21206. minLength: 1
  21207. pattern: ^[-._a-zA-Z0-9]+$
  21208. type: string
  21209. name:
  21210. description: The name of the object located at the provider type.
  21211. maxLength: 253
  21212. minLength: 1
  21213. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21214. type: string
  21215. namespace:
  21216. description: The namespace the Provider type is in.
  21217. maxLength: 63
  21218. minLength: 1
  21219. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21220. type: string
  21221. type:
  21222. description: The type of provider to use such as "Secret", or "ConfigMap".
  21223. enum:
  21224. - Secret
  21225. - ConfigMap
  21226. type: string
  21227. required:
  21228. - name
  21229. - type
  21230. type: object
  21231. headers:
  21232. additionalProperties:
  21233. type: string
  21234. description: Headers
  21235. type: object
  21236. method:
  21237. description: Webhook Method
  21238. type: string
  21239. result:
  21240. description: Result formatting
  21241. properties:
  21242. jsonPath:
  21243. description: Json path of return value
  21244. type: string
  21245. type: object
  21246. secrets:
  21247. description: |-
  21248. Secrets to fill in templates
  21249. These secrets will be passed to the templating function as key value pairs under the given name
  21250. items:
  21251. description: WebhookSecret defines a secret that will be passed to the webhook request.
  21252. properties:
  21253. name:
  21254. description: Name of this secret in templates
  21255. type: string
  21256. secretRef:
  21257. description: Secret ref to fill in credentials
  21258. properties:
  21259. key:
  21260. description: |-
  21261. A key in the referenced Secret.
  21262. Some instances of this field may be defaulted, in others it may be required.
  21263. maxLength: 253
  21264. minLength: 1
  21265. pattern: ^[-._a-zA-Z0-9]+$
  21266. type: string
  21267. name:
  21268. description: The name of the Secret resource being referred to.
  21269. maxLength: 253
  21270. minLength: 1
  21271. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21272. type: string
  21273. namespace:
  21274. description: |-
  21275. The namespace of the Secret resource being referred to.
  21276. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21277. maxLength: 63
  21278. minLength: 1
  21279. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21280. type: string
  21281. type: object
  21282. required:
  21283. - name
  21284. - secretRef
  21285. type: object
  21286. type: array
  21287. timeout:
  21288. description: Timeout
  21289. type: string
  21290. url:
  21291. description: Webhook url to call
  21292. type: string
  21293. required:
  21294. - url
  21295. type: object
  21296. yandexcertificatemanager:
  21297. description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider
  21298. properties:
  21299. apiEndpoint:
  21300. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  21301. type: string
  21302. auth:
  21303. description: Auth defines the information necessary to authenticate against Yandex.Cloud
  21304. properties:
  21305. authorizedKeySecretRef:
  21306. description: The authorized key used for authentication
  21307. properties:
  21308. key:
  21309. description: |-
  21310. A key in the referenced Secret.
  21311. Some instances of this field may be defaulted, in others it may be required.
  21312. maxLength: 253
  21313. minLength: 1
  21314. pattern: ^[-._a-zA-Z0-9]+$
  21315. type: string
  21316. name:
  21317. description: The name of the Secret resource being referred to.
  21318. maxLength: 253
  21319. minLength: 1
  21320. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21321. type: string
  21322. namespace:
  21323. description: |-
  21324. The namespace of the Secret resource being referred to.
  21325. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21326. maxLength: 63
  21327. minLength: 1
  21328. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21329. type: string
  21330. type: object
  21331. type: object
  21332. caProvider:
  21333. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  21334. properties:
  21335. certSecretRef:
  21336. description: |-
  21337. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  21338. In some instances, `key` is a required field.
  21339. properties:
  21340. key:
  21341. description: |-
  21342. A key in the referenced Secret.
  21343. Some instances of this field may be defaulted, in others it may be required.
  21344. maxLength: 253
  21345. minLength: 1
  21346. pattern: ^[-._a-zA-Z0-9]+$
  21347. type: string
  21348. name:
  21349. description: The name of the Secret resource being referred to.
  21350. maxLength: 253
  21351. minLength: 1
  21352. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21353. type: string
  21354. namespace:
  21355. description: |-
  21356. The namespace of the Secret resource being referred to.
  21357. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21358. maxLength: 63
  21359. minLength: 1
  21360. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21361. type: string
  21362. type: object
  21363. type: object
  21364. fetching:
  21365. description: FetchingPolicy configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as certificate ID or certificate name
  21366. maxProperties: 1
  21367. minProperties: 1
  21368. properties:
  21369. byID:
  21370. description: ByID configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret ID.
  21371. type: object
  21372. byName:
  21373. description: ByName configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret name.
  21374. properties:
  21375. folderID:
  21376. description: The folder to fetch secrets from
  21377. type: string
  21378. required:
  21379. - folderID
  21380. type: object
  21381. type: object
  21382. required:
  21383. - auth
  21384. type: object
  21385. yandexlockbox:
  21386. description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
  21387. properties:
  21388. apiEndpoint:
  21389. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  21390. type: string
  21391. auth:
  21392. description: Auth defines the information necessary to authenticate against Yandex.Cloud
  21393. properties:
  21394. authorizedKeySecretRef:
  21395. description: The authorized key used for authentication
  21396. properties:
  21397. key:
  21398. description: |-
  21399. A key in the referenced Secret.
  21400. Some instances of this field may be defaulted, in others it may be required.
  21401. maxLength: 253
  21402. minLength: 1
  21403. pattern: ^[-._a-zA-Z0-9]+$
  21404. type: string
  21405. name:
  21406. description: The name of the Secret resource being referred to.
  21407. maxLength: 253
  21408. minLength: 1
  21409. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21410. type: string
  21411. namespace:
  21412. description: |-
  21413. The namespace of the Secret resource being referred to.
  21414. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21415. maxLength: 63
  21416. minLength: 1
  21417. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21418. type: string
  21419. type: object
  21420. type: object
  21421. caProvider:
  21422. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  21423. properties:
  21424. certSecretRef:
  21425. description: |-
  21426. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  21427. In some instances, `key` is a required field.
  21428. properties:
  21429. key:
  21430. description: |-
  21431. A key in the referenced Secret.
  21432. Some instances of this field may be defaulted, in others it may be required.
  21433. maxLength: 253
  21434. minLength: 1
  21435. pattern: ^[-._a-zA-Z0-9]+$
  21436. type: string
  21437. name:
  21438. description: The name of the Secret resource being referred to.
  21439. maxLength: 253
  21440. minLength: 1
  21441. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21442. type: string
  21443. namespace:
  21444. description: |-
  21445. The namespace of the Secret resource being referred to.
  21446. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21447. maxLength: 63
  21448. minLength: 1
  21449. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21450. type: string
  21451. type: object
  21452. type: object
  21453. fetching:
  21454. description: FetchingPolicy configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret ID or secret name
  21455. maxProperties: 1
  21456. minProperties: 1
  21457. properties:
  21458. byID:
  21459. description: ByID configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret ID.
  21460. type: object
  21461. byName:
  21462. description: ByName configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret name.
  21463. properties:
  21464. folderID:
  21465. description: The folder to fetch secrets from
  21466. type: string
  21467. required:
  21468. - folderID
  21469. type: object
  21470. type: object
  21471. required:
  21472. - auth
  21473. type: object
  21474. type: object
  21475. refreshInterval:
  21476. description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config.
  21477. type: integer
  21478. retrySettings:
  21479. description: Used to configure HTTP retries on failures.
  21480. properties:
  21481. maxRetries:
  21482. format: int32
  21483. type: integer
  21484. retryInterval:
  21485. type: string
  21486. type: object
  21487. required:
  21488. - provider
  21489. type: object
  21490. status:
  21491. description: SecretStoreStatus defines the observed state of the SecretStore.
  21492. properties:
  21493. capabilities:
  21494. description: SecretStoreCapabilities defines the possible operations a SecretStore can do.
  21495. type: string
  21496. conditions:
  21497. items:
  21498. description: SecretStoreStatusCondition contains condition information for a SecretStore.
  21499. properties:
  21500. lastTransitionTime:
  21501. format: date-time
  21502. type: string
  21503. message:
  21504. type: string
  21505. reason:
  21506. type: string
  21507. status:
  21508. type: string
  21509. type:
  21510. description: SecretStoreConditionType represents the condition of the SecretStore.
  21511. type: string
  21512. required:
  21513. - status
  21514. - type
  21515. type: object
  21516. type: array
  21517. type: object
  21518. type: object
  21519. served: true
  21520. storage: true
  21521. subresources:
  21522. status: {}
  21523. - additionalPrinterColumns:
  21524. - jsonPath: .metadata.creationTimestamp
  21525. name: AGE
  21526. type: date
  21527. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  21528. name: Status
  21529. type: string
  21530. - jsonPath: .status.capabilities
  21531. name: Capabilities
  21532. type: string
  21533. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  21534. name: Ready
  21535. type: string
  21536. deprecated: true
  21537. name: v1beta1
  21538. schema:
  21539. openAPIV3Schema:
  21540. description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
  21541. properties:
  21542. apiVersion:
  21543. description: |-
  21544. APIVersion defines the versioned schema of this representation of an object.
  21545. Servers should convert recognized schemas to the latest internal value, and
  21546. may reject unrecognized values.
  21547. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  21548. type: string
  21549. kind:
  21550. description: |-
  21551. Kind is a string value representing the REST resource this object represents.
  21552. Servers may infer this from the endpoint the client submits requests to.
  21553. Cannot be updated.
  21554. In CamelCase.
  21555. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  21556. type: string
  21557. metadata:
  21558. type: object
  21559. spec:
  21560. description: SecretStoreSpec defines the desired state of SecretStore.
  21561. properties:
  21562. conditions:
  21563. description: Used to constrain a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore.
  21564. items:
  21565. description: |-
  21566. ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in
  21567. for a ClusterSecretStore instance.
  21568. properties:
  21569. namespaceRegexes:
  21570. description: Choose namespaces by using regex matching
  21571. items:
  21572. type: string
  21573. type: array
  21574. namespaceSelector:
  21575. description: Choose namespace using a labelSelector
  21576. properties:
  21577. matchExpressions:
  21578. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  21579. items:
  21580. description: |-
  21581. A label selector requirement is a selector that contains values, a key, and an operator that
  21582. relates the key and values.
  21583. properties:
  21584. key:
  21585. description: key is the label key that the selector applies to.
  21586. type: string
  21587. operator:
  21588. description: |-
  21589. operator represents a key's relationship to a set of values.
  21590. Valid operators are In, NotIn, Exists and DoesNotExist.
  21591. type: string
  21592. values:
  21593. description: |-
  21594. values is an array of string values. If the operator is In or NotIn,
  21595. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  21596. the values array must be empty. This array is replaced during a strategic
  21597. merge patch.
  21598. items:
  21599. type: string
  21600. type: array
  21601. x-kubernetes-list-type: atomic
  21602. required:
  21603. - key
  21604. - operator
  21605. type: object
  21606. type: array
  21607. x-kubernetes-list-type: atomic
  21608. matchLabels:
  21609. additionalProperties:
  21610. type: string
  21611. description: |-
  21612. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  21613. map is equivalent to an element of matchExpressions, whose key field is "key", the
  21614. operator is "In", and the values array contains only "value". The requirements are ANDed.
  21615. type: object
  21616. type: object
  21617. x-kubernetes-map-type: atomic
  21618. namespaces:
  21619. description: Choose namespaces by name
  21620. items:
  21621. maxLength: 63
  21622. minLength: 1
  21623. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21624. type: string
  21625. type: array
  21626. type: object
  21627. type: array
  21628. controller:
  21629. description: |-
  21630. Used to select the correct ESO controller (think: ingress.ingressClassName)
  21631. The ESO controller is instantiated with a specific controller name and filters ES based on this property
  21632. type: string
  21633. provider:
  21634. description: Used to configure the provider. Only one provider may be set
  21635. maxProperties: 1
  21636. minProperties: 1
  21637. properties:
  21638. akeyless:
  21639. description: Akeyless configures this store to sync secrets using Akeyless Vault provider
  21640. properties:
  21641. akeylessGWApiURL:
21642. description: Akeyless GW API URL from which the secrets are to be fetched.
  21643. type: string
  21644. authSecretRef:
  21645. description: Auth configures how the operator authenticates with Akeyless.
  21646. properties:
  21647. kubernetesAuth:
  21648. description: |-
  21649. Kubernetes authenticates with Akeyless by passing the ServiceAccount
  21650. token stored in the named Secret resource.
  21651. properties:
  21652. accessID:
  21653. description: the Akeyless Kubernetes auth-method access-id
  21654. type: string
  21655. k8sConfName:
  21656. description: Kubernetes-auth configuration name in Akeyless-Gateway
  21657. type: string
  21658. secretRef:
  21659. description: |-
  21660. Optional secret field containing a Kubernetes ServiceAccount JWT used
  21661. for authenticating with Akeyless. If a name is specified without a key,
  21662. `token` is the default. If one is not specified, the one bound to
  21663. the controller will be used.
  21664. properties:
  21665. key:
  21666. description: |-
  21667. A key in the referenced Secret.
  21668. Some instances of this field may be defaulted, in others it may be required.
  21669. maxLength: 253
  21670. minLength: 1
  21671. pattern: ^[-._a-zA-Z0-9]+$
  21672. type: string
  21673. name:
  21674. description: The name of the Secret resource being referred to.
  21675. maxLength: 253
  21676. minLength: 1
  21677. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21678. type: string
  21679. namespace:
  21680. description: |-
  21681. The namespace of the Secret resource being referred to.
  21682. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21683. maxLength: 63
  21684. minLength: 1
  21685. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21686. type: string
  21687. type: object
  21688. serviceAccountRef:
  21689. description: |-
  21690. Optional service account field containing the name of a kubernetes ServiceAccount.
  21691. If the service account is specified, the service account secret token JWT will be used
  21692. for authenticating with Akeyless. If the service account selector is not supplied,
  21693. the secretRef will be used instead.
  21694. properties:
  21695. audiences:
  21696. description: |-
  21697. Audience specifies the `aud` claim for the service account token
  21698. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
21699. then these audiences will be appended to the list
  21700. items:
  21701. type: string
  21702. type: array
  21703. name:
  21704. description: The name of the ServiceAccount resource being referred to.
  21705. maxLength: 253
  21706. minLength: 1
  21707. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21708. type: string
  21709. namespace:
  21710. description: |-
  21711. Namespace of the resource being referred to.
  21712. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21713. maxLength: 63
  21714. minLength: 1
  21715. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21716. type: string
  21717. required:
  21718. - name
  21719. type: object
  21720. required:
  21721. - accessID
  21722. - k8sConfName
  21723. type: object
  21724. secretRef:
  21725. description: |-
  21726. Reference to a Secret that contains the details
  21727. to authenticate with Akeyless.
  21728. properties:
  21729. accessID:
  21730. description: The SecretAccessID is used for authentication
  21731. properties:
  21732. key:
  21733. description: |-
  21734. A key in the referenced Secret.
  21735. Some instances of this field may be defaulted, in others it may be required.
  21736. maxLength: 253
  21737. minLength: 1
  21738. pattern: ^[-._a-zA-Z0-9]+$
  21739. type: string
  21740. name:
  21741. description: The name of the Secret resource being referred to.
  21742. maxLength: 253
  21743. minLength: 1
  21744. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21745. type: string
  21746. namespace:
  21747. description: |-
  21748. The namespace of the Secret resource being referred to.
  21749. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21750. maxLength: 63
  21751. minLength: 1
  21752. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21753. type: string
  21754. type: object
  21755. accessType:
  21756. description: |-
  21757. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  21758. In some instances, `key` is a required field.
  21759. properties:
  21760. key:
  21761. description: |-
  21762. A key in the referenced Secret.
  21763. Some instances of this field may be defaulted, in others it may be required.
  21764. maxLength: 253
  21765. minLength: 1
  21766. pattern: ^[-._a-zA-Z0-9]+$
  21767. type: string
  21768. name:
  21769. description: The name of the Secret resource being referred to.
  21770. maxLength: 253
  21771. minLength: 1
  21772. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21773. type: string
  21774. namespace:
  21775. description: |-
  21776. The namespace of the Secret resource being referred to.
  21777. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21778. maxLength: 63
  21779. minLength: 1
  21780. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21781. type: string
  21782. type: object
  21783. accessTypeParam:
  21784. description: |-
  21785. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  21786. In some instances, `key` is a required field.
  21787. properties:
  21788. key:
  21789. description: |-
  21790. A key in the referenced Secret.
  21791. Some instances of this field may be defaulted, in others it may be required.
  21792. maxLength: 253
  21793. minLength: 1
  21794. pattern: ^[-._a-zA-Z0-9]+$
  21795. type: string
  21796. name:
  21797. description: The name of the Secret resource being referred to.
  21798. maxLength: 253
  21799. minLength: 1
  21800. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21801. type: string
  21802. namespace:
  21803. description: |-
  21804. The namespace of the Secret resource being referred to.
  21805. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21806. maxLength: 63
  21807. minLength: 1
  21808. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21809. type: string
  21810. type: object
  21811. type: object
  21812. type: object
  21813. caBundle:
  21814. description: |-
  21815. PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used
  21816. if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates
  21817. are used to validate the TLS connection.
  21818. format: byte
  21819. type: string
  21820. caProvider:
  21821. description: The provider for the CA bundle to use to validate Akeyless Gateway certificate.
  21822. properties:
  21823. key:
  21824. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  21825. maxLength: 253
  21826. minLength: 1
  21827. pattern: ^[-._a-zA-Z0-9]+$
  21828. type: string
  21829. name:
  21830. description: The name of the object located at the provider type.
  21831. maxLength: 253
  21832. minLength: 1
  21833. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21834. type: string
  21835. namespace:
  21836. description: |-
  21837. The namespace the Provider type is in.
  21838. Can only be defined when used in a ClusterSecretStore.
  21839. maxLength: 63
  21840. minLength: 1
  21841. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21842. type: string
  21843. type:
  21844. description: The type of provider to use such as "Secret", or "ConfigMap".
  21845. enum:
  21846. - Secret
  21847. - ConfigMap
  21848. type: string
  21849. required:
  21850. - name
  21851. - type
  21852. type: object
  21853. required:
  21854. - akeylessGWApiURL
  21855. - authSecretRef
  21856. type: object
  21857. alibaba:
  21858. description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
  21859. properties:
  21860. auth:
  21861. description: AlibabaAuth contains a secretRef for credentials.
  21862. properties:
  21863. rrsa:
  21864. description: AlibabaRRSAAuth authenticates against Alibaba using RRSA (Resource-oriented RAM-based Service Authentication).
  21865. properties:
  21866. oidcProviderArn:
  21867. type: string
  21868. oidcTokenFilePath:
  21869. type: string
  21870. roleArn:
  21871. type: string
  21872. sessionName:
  21873. type: string
  21874. required:
  21875. - oidcProviderArn
  21876. - oidcTokenFilePath
  21877. - roleArn
  21878. - sessionName
  21879. type: object
  21880. secretRef:
  21881. description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
  21882. properties:
  21883. accessKeyIDSecretRef:
  21884. description: The AccessKeyID is used for authentication
  21885. properties:
  21886. key:
  21887. description: |-
  21888. A key in the referenced Secret.
  21889. Some instances of this field may be defaulted, in others it may be required.
  21890. maxLength: 253
  21891. minLength: 1
  21892. pattern: ^[-._a-zA-Z0-9]+$
  21893. type: string
  21894. name:
  21895. description: The name of the Secret resource being referred to.
  21896. maxLength: 253
  21897. minLength: 1
  21898. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21899. type: string
  21900. namespace:
  21901. description: |-
  21902. The namespace of the Secret resource being referred to.
  21903. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21904. maxLength: 63
  21905. minLength: 1
  21906. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21907. type: string
  21908. type: object
  21909. accessKeySecretSecretRef:
  21910. description: The AccessKeySecret is used for authentication
  21911. properties:
  21912. key:
  21913. description: |-
  21914. A key in the referenced Secret.
  21915. Some instances of this field may be defaulted, in others it may be required.
  21916. maxLength: 253
  21917. minLength: 1
  21918. pattern: ^[-._a-zA-Z0-9]+$
  21919. type: string
  21920. name:
  21921. description: The name of the Secret resource being referred to.
  21922. maxLength: 253
  21923. minLength: 1
  21924. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21925. type: string
  21926. namespace:
  21927. description: |-
  21928. The namespace of the Secret resource being referred to.
  21929. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21930. maxLength: 63
  21931. minLength: 1
  21932. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21933. type: string
  21934. type: object
  21935. required:
  21936. - accessKeyIDSecretRef
  21937. - accessKeySecretSecretRef
  21938. type: object
  21939. type: object
  21940. regionID:
  21941. description: Alibaba Region to be used for the provider
  21942. type: string
  21943. required:
  21944. - auth
  21945. - regionID
  21946. type: object
  21947. aws:
  21948. description: AWS configures this store to sync secrets using AWS Secret Manager provider
  21949. properties:
  21950. additionalRoles:
  21951. description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role
  21952. items:
  21953. type: string
  21954. type: array
  21955. auth:
  21956. description: |-
  21957. Auth defines the information necessary to authenticate against AWS.
  21958. If not set, the AWS SDK infers credentials from your environment;
  21959. see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
  21960. properties:
  21961. jwt:
  21962. description: AWSJWTAuth authenticates against AWS using service account tokens from the Kubernetes cluster.
  21963. properties:
  21964. serviceAccountRef:
  21965. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  21966. properties:
  21967. audiences:
  21968. description: |-
  21969. Audience specifies the `aud` claim for the service account token
  21970. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  21971. then these audiences will be appended to the list
  21972. items:
  21973. type: string
  21974. type: array
  21975. name:
  21976. description: The name of the ServiceAccount resource being referred to.
  21977. maxLength: 253
  21978. minLength: 1
  21979. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21980. type: string
  21981. namespace:
  21982. description: |-
  21983. Namespace of the resource being referred to.
  21984. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21985. maxLength: 63
  21986. minLength: 1
  21987. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21988. type: string
  21989. required:
  21990. - name
  21991. type: object
  21992. type: object
  21993. secretRef:
  21994. description: |-
  21995. AWSAuthSecretRef holds secret references for AWS credentials
  21996. both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  21997. properties:
  21998. accessKeyIDSecretRef:
  21999. description: The AccessKeyID is used for authentication
  22000. properties:
  22001. key:
  22002. description: |-
  22003. A key in the referenced Secret.
  22004. Some instances of this field may be defaulted, in others it may be required.
  22005. maxLength: 253
  22006. minLength: 1
  22007. pattern: ^[-._a-zA-Z0-9]+$
  22008. type: string
  22009. name:
  22010. description: The name of the Secret resource being referred to.
  22011. maxLength: 253
  22012. minLength: 1
  22013. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22014. type: string
  22015. namespace:
  22016. description: |-
  22017. The namespace of the Secret resource being referred to.
  22018. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22019. maxLength: 63
  22020. minLength: 1
  22021. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22022. type: string
  22023. type: object
  22024. secretAccessKeySecretRef:
  22025. description: The SecretAccessKey is used for authentication
  22026. properties:
  22027. key:
  22028. description: |-
  22029. A key in the referenced Secret.
  22030. Some instances of this field may be defaulted, in others it may be required.
  22031. maxLength: 253
  22032. minLength: 1
  22033. pattern: ^[-._a-zA-Z0-9]+$
  22034. type: string
  22035. name:
  22036. description: The name of the Secret resource being referred to.
  22037. maxLength: 253
  22038. minLength: 1
  22039. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22040. type: string
  22041. namespace:
  22042. description: |-
  22043. The namespace of the Secret resource being referred to.
  22044. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22045. maxLength: 63
  22046. minLength: 1
  22047. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22048. type: string
  22049. type: object
  22050. sessionTokenSecretRef:
  22051. description: |-
  22052. The SessionToken used for authentication
  22053. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  22054. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  22055. properties:
  22056. key:
  22057. description: |-
  22058. A key in the referenced Secret.
  22059. Some instances of this field may be defaulted, in others it may be required.
  22060. maxLength: 253
  22061. minLength: 1
  22062. pattern: ^[-._a-zA-Z0-9]+$
  22063. type: string
  22064. name:
  22065. description: The name of the Secret resource being referred to.
  22066. maxLength: 253
  22067. minLength: 1
  22068. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22069. type: string
  22070. namespace:
  22071. description: |-
  22072. The namespace of the Secret resource being referred to.
  22073. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22074. maxLength: 63
  22075. minLength: 1
  22076. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22077. type: string
  22078. type: object
  22079. type: object
  22080. type: object
  22081. externalID:
  22082. description: AWS External ID set on assumed IAM roles
  22083. type: string
  22084. prefix:
  22085. description: Prefix adds a prefix to all retrieved values.
  22086. type: string
  22087. region:
  22088. description: AWS Region to be used for the provider
  22089. type: string
  22090. role:
  22091. description: Role is a Role ARN which the provider will assume
  22092. type: string
  22093. secretsManager:
  22094. description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager
  22095. properties:
  22096. forceDeleteWithoutRecovery:
  22097. description: |-
  22098. Specifies whether to delete the secret without any recovery window. You
  22099. can't use both this parameter and RecoveryWindowInDays in the same call.
  22100. If you don't use either, then by default Secrets Manager uses a 30 day
  22101. recovery window.
  22102. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery
  22103. type: boolean
  22104. recoveryWindowInDays:
  22105. description: |-
  22106. The number of days from 7 to 30 that Secrets Manager waits before
  22107. permanently deleting the secret. You can't use both this parameter and
  22108. ForceDeleteWithoutRecovery in the same call. If you don't use either,
  22109. then by default Secrets Manager uses a 30 day recovery window.
  22110. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays
  22111. format: int64
  22112. type: integer
  22113. type: object
  22114. service:
  22115. description: Service defines which service should be used to fetch the secrets
  22116. enum:
  22117. - SecretsManager
  22118. - ParameterStore
  22119. type: string
  22120. sessionTags:
  22121. description: AWS STS assume role session tags
  22122. items:
  22123. description: Tag defines a tag key and value for AWS resources.
  22124. properties:
  22125. key:
  22126. type: string
  22127. value:
  22128. type: string
  22129. required:
  22130. - key
  22131. - value
  22132. type: object
  22133. type: array
  22134. transitiveTagKeys:
  22135. description: AWS STS assume role transitive session tags. Required when multiple roles are used with the provider
  22136. items:
  22137. type: string
  22138. type: array
  22139. required:
  22140. - region
  22141. - service
  22142. type: object
  22143. azurekv:
  22144. description: AzureKV configures this store to sync secrets using Azure Key Vault provider
  22145. properties:
  22146. authSecretRef:
  22147. description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
  22148. properties:
  22149. clientCertificate:
  22150. description: The Azure ClientCertificate of the service principal used for authentication.
  22151. properties:
  22152. key:
  22153. description: |-
  22154. A key in the referenced Secret.
  22155. Some instances of this field may be defaulted, in others it may be required.
  22156. maxLength: 253
  22157. minLength: 1
  22158. pattern: ^[-._a-zA-Z0-9]+$
  22159. type: string
  22160. name:
  22161. description: The name of the Secret resource being referred to.
  22162. maxLength: 253
  22163. minLength: 1
  22164. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22165. type: string
  22166. namespace:
  22167. description: |-
  22168. The namespace of the Secret resource being referred to.
  22169. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22170. maxLength: 63
  22171. minLength: 1
  22172. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22173. type: string
  22174. type: object
  22175. clientId:
  22176. description: The Azure clientId of the service principal or managed identity used for authentication.
  22177. properties:
  22178. key:
  22179. description: |-
  22180. A key in the referenced Secret.
  22181. Some instances of this field may be defaulted, in others it may be required.
  22182. maxLength: 253
  22183. minLength: 1
  22184. pattern: ^[-._a-zA-Z0-9]+$
  22185. type: string
  22186. name:
  22187. description: The name of the Secret resource being referred to.
  22188. maxLength: 253
  22189. minLength: 1
  22190. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22191. type: string
  22192. namespace:
  22193. description: |-
  22194. The namespace of the Secret resource being referred to.
  22195. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22196. maxLength: 63
  22197. minLength: 1
  22198. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22199. type: string
  22200. type: object
  22201. clientSecret:
  22202. description: The Azure ClientSecret of the service principal used for authentication.
  22203. properties:
  22204. key:
  22205. description: |-
  22206. A key in the referenced Secret.
  22207. Some instances of this field may be defaulted, in others it may be required.
  22208. maxLength: 253
  22209. minLength: 1
  22210. pattern: ^[-._a-zA-Z0-9]+$
  22211. type: string
  22212. name:
  22213. description: The name of the Secret resource being referred to.
  22214. maxLength: 253
  22215. minLength: 1
  22216. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22217. type: string
  22218. namespace:
  22219. description: |-
  22220. The namespace of the Secret resource being referred to.
  22221. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22222. maxLength: 63
  22223. minLength: 1
  22224. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22225. type: string
  22226. type: object
  22227. tenantId:
  22228. description: The Azure tenantId of the managed identity used for authentication.
  22229. properties:
  22230. key:
  22231. description: |-
  22232. A key in the referenced Secret.
  22233. Some instances of this field may be defaulted, in others it may be required.
  22234. maxLength: 253
  22235. minLength: 1
  22236. pattern: ^[-._a-zA-Z0-9]+$
  22237. type: string
  22238. name:
  22239. description: The name of the Secret resource being referred to.
  22240. maxLength: 253
  22241. minLength: 1
  22242. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22243. type: string
  22244. namespace:
  22245. description: |-
  22246. The namespace of the Secret resource being referred to.
  22247. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22248. maxLength: 63
  22249. minLength: 1
  22250. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22251. type: string
  22252. type: object
  22253. type: object
  22254. authType:
  22255. default: ServicePrincipal
  22256. description: |-
  22257. Auth type defines how to authenticate to the keyvault service.
  22258. Valid values are:
  22259. - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
  22260. - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
  22261. enum:
  22262. - ServicePrincipal
  22263. - ManagedIdentity
  22264. - WorkloadIdentity
  22265. type: string
  22266. environmentType:
  22267. default: PublicCloud
  22268. description: |-
  22269. EnvironmentType specifies the Azure cloud environment endpoints to use for
  22270. connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
  22271. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
  22272. PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
  22273. enum:
  22274. - PublicCloud
  22275. - USGovernmentCloud
  22276. - ChinaCloud
  22277. - GermanCloud
  22278. type: string
  22279. identityId:
  22280. description: If multiple Managed Identities are assigned to the pod, you can select the one to be used
  22281. type: string
  22282. serviceAccountRef:
  22283. description: |-
  22284. ServiceAccountRef specifies the service account
  22285. that should be used when authenticating with WorkloadIdentity.
  22286. properties:
  22287. audiences:
  22288. description: |-
  22289. Audience specifies the `aud` claim for the service account token
  22290. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  22291. then these audiences will be appended to the list
  22292. items:
  22293. type: string
  22294. type: array
  22295. name:
  22296. description: The name of the ServiceAccount resource being referred to.
  22297. maxLength: 253
  22298. minLength: 1
  22299. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22300. type: string
  22301. namespace:
  22302. description: |-
  22303. Namespace of the resource being referred to.
  22304. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22305. maxLength: 63
  22306. minLength: 1
  22307. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22308. type: string
  22309. required:
  22310. - name
  22311. type: object
  22312. tenantId:
  22313. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
  22314. type: string
  22315. vaultUrl:
  22316. description: Vault URL from which the secrets are to be fetched.
  22317. type: string
  22318. required:
  22319. - vaultUrl
  22320. type: object
  22321. beyondtrust:
  22322. description: Beyondtrust configures this store to sync secrets using Password Safe provider.
  22323. properties:
  22324. auth:
  22325. description: Auth configures how the operator authenticates with Beyondtrust.
  22326. properties:
  22327. apiKey:
  22328. description: APIKey. If not provided, then ClientID/ClientSecret become required.
  22329. properties:
  22330. secretRef:
  22331. description: SecretRef references a key in a secret that will be used as value.
  22332. properties:
  22333. key:
  22334. description: |-
  22335. A key in the referenced Secret.
  22336. Some instances of this field may be defaulted, in others it may be required.
  22337. maxLength: 253
  22338. minLength: 1
  22339. pattern: ^[-._a-zA-Z0-9]+$
  22340. type: string
  22341. name:
  22342. description: The name of the Secret resource being referred to.
  22343. maxLength: 253
  22344. minLength: 1
  22345. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22346. type: string
  22347. namespace:
  22348. description: |-
  22349. The namespace of the Secret resource being referred to.
  22350. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22351. maxLength: 63
  22352. minLength: 1
  22353. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22354. type: string
  22355. type: object
  22356. value:
  22357. description: Value can be specified directly to set a value without using a secret.
  22358. type: string
  22359. type: object
  22360. certificate:
  22361. description: Certificate (cert.pem) for use when authenticating with an OAuth client Id using a Client Certificate.
  22362. properties:
  22363. secretRef:
  22364. description: SecretRef references a key in a secret that will be used as value.
  22365. properties:
  22366. key:
  22367. description: |-
  22368. A key in the referenced Secret.
  22369. Some instances of this field may be defaulted, in others it may be required.
  22370. maxLength: 253
  22371. minLength: 1
  22372. pattern: ^[-._a-zA-Z0-9]+$
  22373. type: string
  22374. name:
  22375. description: The name of the Secret resource being referred to.
  22376. maxLength: 253
  22377. minLength: 1
  22378. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22379. type: string
  22380. namespace:
  22381. description: |-
  22382. The namespace of the Secret resource being referred to.
  22383. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22384. maxLength: 63
  22385. minLength: 1
  22386. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22387. type: string
  22388. type: object
  22389. value:
  22390. description: Value can be specified directly to set a value without using a secret.
  22391. type: string
  22392. type: object
  22393. certificateKey:
  22394. description: Certificate private key (key.pem). For use when authenticating with an OAuth client Id.
  22395. properties:
  22396. secretRef:
  22397. description: SecretRef references a key in a secret that will be used as value.
  22398. properties:
  22399. key:
  22400. description: |-
  22401. A key in the referenced Secret.
  22402. Some instances of this field may be defaulted, in others it may be required.
  22403. maxLength: 253
  22404. minLength: 1
  22405. pattern: ^[-._a-zA-Z0-9]+$
  22406. type: string
  22407. name:
  22408. description: The name of the Secret resource being referred to.
  22409. maxLength: 253
  22410. minLength: 1
  22411. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22412. type: string
  22413. namespace:
  22414. description: |-
  22415. The namespace of the Secret resource being referred to.
  22416. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22417. maxLength: 63
  22418. minLength: 1
  22419. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22420. type: string
  22421. type: object
  22422. value:
  22423. description: Value can be specified directly to set a value without using a secret.
  22424. type: string
  22425. type: object
  22426. clientId:
  22427. description: ClientID is the API OAuth Client ID.
  22428. properties:
  22429. secretRef:
  22430. description: SecretRef references a key in a secret that will be used as value.
  22431. properties:
  22432. key:
  22433. description: |-
  22434. A key in the referenced Secret.
  22435. Some instances of this field may be defaulted, in others it may be required.
  22436. maxLength: 253
  22437. minLength: 1
  22438. pattern: ^[-._a-zA-Z0-9]+$
  22439. type: string
  22440. name:
  22441. description: The name of the Secret resource being referred to.
  22442. maxLength: 253
  22443. minLength: 1
  22444. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22445. type: string
  22446. namespace:
  22447. description: |-
  22448. The namespace of the Secret resource being referred to.
  22449. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22450. maxLength: 63
  22451. minLength: 1
  22452. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22453. type: string
  22454. type: object
  22455. value:
  22456. description: Value can be specified directly to set a value without using a secret.
  22457. type: string
  22458. type: object
  22459. clientSecret:
  22460. description: ClientSecret is the API OAuth Client Secret.
  22461. properties:
  22462. secretRef:
  22463. description: SecretRef references a key in a secret that will be used as value.
  22464. properties:
  22465. key:
  22466. description: |-
  22467. A key in the referenced Secret.
  22468. Some instances of this field may be defaulted, in others it may be required.
  22469. maxLength: 253
  22470. minLength: 1
  22471. pattern: ^[-._a-zA-Z0-9]+$
  22472. type: string
  22473. name:
  22474. description: The name of the Secret resource being referred to.
  22475. maxLength: 253
  22476. minLength: 1
  22477. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22478. type: string
  22479. namespace:
  22480. description: |-
  22481. The namespace of the Secret resource being referred to.
  22482. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22483. maxLength: 63
  22484. minLength: 1
  22485. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22486. type: string
  22487. type: object
  22488. value:
  22489. description: Value can be specified directly to set a value without using a secret.
  22490. type: string
  22491. type: object
  22492. type: object
  22493. server:
  22494. description: Server configures how the API server works.
  22495. properties:
  22496. apiUrl:
  22497. type: string
  22498. apiVersion:
  22499. type: string
  22500. clientTimeOutSeconds:
  22501. description: Timeout specifies a time limit for requests made by this Client. The timeout includes connection time, any redirects, and reading the response body. Defaults to 45 seconds.
  22502. type: integer
  22503. decrypt:
  22504. default: true
  22505. description: 'When true, the response includes the decrypted password. When false, the password field is omitted. This option only applies to the SECRET retrieval type. Default: true.'
  22506. type: boolean
  22507. retrievalType:
  22508. description: The secret retrieval type. SECRET = Secrets Safe (credential, text, file). MANAGED_ACCOUNT = Password Safe account associated with a system.
  22509. type: string
  22510. separator:
  22511. description: A character that separates the folder names.
  22512. type: string
  22513. verifyCA:
  22514. type: boolean
  22515. required:
  22516. - apiUrl
  22517. - verifyCA
  22518. type: object
  22519. required:
  22520. - auth
  22521. - server
  22522. type: object
  22523. bitwardensecretsmanager:
  22524. description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider
  22525. properties:
  22526. apiURL:
  22527. type: string
  22528. auth:
  22529. description: |-
  22530. Auth configures how secret-manager authenticates with a bitwarden machine account instance.
  22531. Make sure that the token being used has permissions on the given secret.
  22532. properties:
  22533. secretRef:
  22534. description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance.
  22535. properties:
  22536. credentials:
  22537. description: AccessToken used for the bitwarden instance.
  22538. properties:
  22539. key:
  22540. description: |-
  22541. A key in the referenced Secret.
  22542. Some instances of this field may be defaulted, in others it may be required.
  22543. maxLength: 253
  22544. minLength: 1
  22545. pattern: ^[-._a-zA-Z0-9]+$
  22546. type: string
  22547. name:
  22548. description: The name of the Secret resource being referred to.
  22549. maxLength: 253
  22550. minLength: 1
  22551. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22552. type: string
  22553. namespace:
  22554. description: |-
  22555. The namespace of the Secret resource being referred to.
  22556. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22557. maxLength: 63
  22558. minLength: 1
  22559. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22560. type: string
  22561. type: object
  22562. required:
  22563. - credentials
  22564. type: object
  22565. required:
  22566. - secretRef
  22567. type: object
  22568. bitwardenServerSDKURL:
  22569. type: string
  22570. caBundle:
  22571. description: |-
  22572. Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack
  22573. can be performed.
  22574. type: string
  22575. caProvider:
  22576. description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider'
  22577. properties:
  22578. key:
  22579. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  22580. maxLength: 253
  22581. minLength: 1
  22582. pattern: ^[-._a-zA-Z0-9]+$
  22583. type: string
  22584. name:
  22585. description: The name of the object located at the provider type.
  22586. maxLength: 253
  22587. minLength: 1
  22588. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22589. type: string
  22590. namespace:
  22591. description: |-
  22592. The namespace the Provider type is in.
  22593. Can only be defined when used in a ClusterSecretStore.
  22594. maxLength: 63
  22595. minLength: 1
  22596. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22597. type: string
  22598. type:
  22599. description: The type of provider to use such as "Secret", or "ConfigMap".
  22600. enum:
  22601. - Secret
  22602. - ConfigMap
  22603. type: string
  22604. required:
  22605. - name
  22606. - type
  22607. type: object
  22608. identityURL:
  22609. type: string
  22610. organizationID:
  22611. description: OrganizationID determines which organization this secret store manages.
  22612. type: string
  22613. projectID:
  22614. description: ProjectID determines which project this secret store manages.
  22615. type: string
  22616. required:
  22617. - auth
  22618. - organizationID
  22619. - projectID
  22620. type: object
  22621. chef:
  22622. description: Chef configures this store to sync secrets with a Chef server
  22623. properties:
  22624. auth:
  22625. description: Auth defines the information necessary to authenticate against the Chef server
  22626. properties:
  22627. secretRef:
  22628. description: ChefAuthSecretRef holds secret references for chef server login credentials.
  22629. properties:
  22630. privateKeySecretRef:
  22631. description: SecretKey is the Signing Key in PEM format, used for authentication.
  22632. properties:
  22633. key:
  22634. description: |-
  22635. A key in the referenced Secret.
  22636. Some instances of this field may be defaulted, in others it may be required.
  22637. maxLength: 253
  22638. minLength: 1
  22639. pattern: ^[-._a-zA-Z0-9]+$
  22640. type: string
  22641. name:
  22642. description: The name of the Secret resource being referred to.
  22643. maxLength: 253
  22644. minLength: 1
  22645. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22646. type: string
  22647. namespace:
  22648. description: |-
  22649. The namespace of the Secret resource being referred to.
  22650. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22651. maxLength: 63
  22652. minLength: 1
  22653. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22654. type: string
  22655. type: object
  22656. required:
  22657. - privateKeySecretRef
  22658. type: object
  22659. required:
  22660. - secretRef
  22661. type: object
  22662. serverUrl:
  22663. description: ServerURL is the Chef server URL to connect to. If using orgs, include your org in the URL and terminate the URL with a "/".
  22664. type: string
  22665. username:
  22666. description: UserName is the user ID on the Chef server.
  22667. type: string
  22668. required:
  22669. - auth
  22670. - serverUrl
  22671. - username
  22672. type: object
  22673. cloudrusm:
  22674. description: CloudruSM configures this store to sync secrets using the Cloud.ru Secret Manager provider
  22675. properties:
  22676. auth:
  22677. description: CSMAuth contains a secretRef for credentials.
  22678. properties:
  22679. secretRef:
  22680. description: CSMAuthSecretRef holds secret references for Cloud.ru credentials.
  22681. properties:
  22682. accessKeyIDSecretRef:
  22683. description: The AccessKeyID is used for authentication
  22684. properties:
  22685. key:
  22686. description: |-
  22687. A key in the referenced Secret.
  22688. Some instances of this field may be defaulted, in others it may be required.
  22689. maxLength: 253
  22690. minLength: 1
  22691. pattern: ^[-._a-zA-Z0-9]+$
  22692. type: string
  22693. name:
  22694. description: The name of the Secret resource being referred to.
  22695. maxLength: 253
  22696. minLength: 1
  22697. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22698. type: string
  22699. namespace:
  22700. description: |-
  22701. The namespace of the Secret resource being referred to.
  22702. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22703. maxLength: 63
  22704. minLength: 1
  22705. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22706. type: string
  22707. type: object
  22708. accessKeySecretSecretRef:
  22709. description: The AccessKeySecret is used for authentication
  22710. properties:
  22711. key:
  22712. description: |-
  22713. A key in the referenced Secret.
  22714. Some instances of this field may be defaulted, in others it may be required.
  22715. maxLength: 253
  22716. minLength: 1
  22717. pattern: ^[-._a-zA-Z0-9]+$
  22718. type: string
  22719. name:
  22720. description: The name of the Secret resource being referred to.
  22721. maxLength: 253
  22722. minLength: 1
  22723. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22724. type: string
  22725. namespace:
  22726. description: |-
  22727. The namespace of the Secret resource being referred to.
  22728. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22729. maxLength: 63
  22730. minLength: 1
  22731. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22732. type: string
  22733. type: object
  22734. required:
  22735. - accessKeyIDSecretRef
  22736. - accessKeySecretSecretRef
  22737. type: object
  22738. type: object
  22739. projectID:
  22740. description: ProjectID is the project in which the secrets are stored.
  22741. type: string
  22742. required:
  22743. - auth
  22744. type: object
  22745. conjur:
  22746. description: Conjur configures this store to sync secrets using conjur provider
  22747. properties:
  22748. auth:
  22749. description: Defines authentication settings for connecting to Conjur.
  22750. properties:
  22751. apikey:
  22752. description: Authenticates with Conjur using an API key.
  22753. properties:
  22754. account:
  22755. description: Account is the Conjur organization account name.
  22756. type: string
  22757. apiKeyRef:
  22758. description: |-
  22759. A reference to a specific 'key' containing the Conjur API key
  22760. within a Secret resource. In some instances, `key` is a required field.
  22761. properties:
  22762. key:
  22763. description: |-
  22764. A key in the referenced Secret.
  22765. Some instances of this field may be defaulted, in others it may be required.
  22766. maxLength: 253
  22767. minLength: 1
  22768. pattern: ^[-._a-zA-Z0-9]+$
  22769. type: string
  22770. name:
  22771. description: The name of the Secret resource being referred to.
  22772. maxLength: 253
  22773. minLength: 1
  22774. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22775. type: string
  22776. namespace:
  22777. description: |-
  22778. The namespace of the Secret resource being referred to.
  22779. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22780. maxLength: 63
  22781. minLength: 1
  22782. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22783. type: string
  22784. type: object
  22785. userRef:
  22786. description: |-
  22787. A reference to a specific 'key' containing the Conjur username
  22788. within a Secret resource. In some instances, `key` is a required field.
  22789. properties:
  22790. key:
  22791. description: |-
  22792. A key in the referenced Secret.
  22793. Some instances of this field may be defaulted, in others it may be required.
  22794. maxLength: 253
  22795. minLength: 1
  22796. pattern: ^[-._a-zA-Z0-9]+$
  22797. type: string
  22798. name:
  22799. description: The name of the Secret resource being referred to.
  22800. maxLength: 253
  22801. minLength: 1
  22802. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22803. type: string
  22804. namespace:
  22805. description: |-
  22806. The namespace of the Secret resource being referred to.
  22807. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22808. maxLength: 63
  22809. minLength: 1
  22810. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22811. type: string
  22812. type: object
  22813. required:
  22814. - account
  22815. - apiKeyRef
  22816. - userRef
  22817. type: object
  22818. jwt:
  22819. description: Jwt enables JWT authentication using Kubernetes service account tokens.
  22820. properties:
  22821. account:
  22822. description: Account is the Conjur organization account name.
  22823. type: string
  22824. hostId:
  22825. description: |-
  22826. Optional HostID for JWT authentication. This may be used depending
  22827. on how the Conjur JWT authenticator policy is configured.
  22828. type: string
  22829. secretRef:
  22830. description: |-
  22831. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  22832. authenticate with Conjur using the JWT authentication method.
  22833. properties:
  22834. key:
  22835. description: |-
  22836. A key in the referenced Secret.
  22837. Some instances of this field may be defaulted, in others it may be required.
  22838. maxLength: 253
  22839. minLength: 1
  22840. pattern: ^[-._a-zA-Z0-9]+$
  22841. type: string
  22842. name:
  22843. description: The name of the Secret resource being referred to.
  22844. maxLength: 253
  22845. minLength: 1
  22846. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22847. type: string
  22848. namespace:
  22849. description: |-
  22850. The namespace of the Secret resource being referred to.
  22851. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22852. maxLength: 63
  22853. minLength: 1
  22854. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22855. type: string
  22856. type: object
  22857. serviceAccountRef:
  22858. description: |-
  22859. Optional ServiceAccountRef specifies the Kubernetes service account for which to request
  22860. a token for with the `TokenRequest` API.
  22861. properties:
  22862. audiences:
  22863. description: |-
  22864. Audience specifies the `aud` claim for the service account token.
  22865. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity,
  22866. then these audiences will be appended to the list.
  22867. items:
  22868. type: string
  22869. type: array
  22870. name:
  22871. description: The name of the ServiceAccount resource being referred to.
  22872. maxLength: 253
  22873. minLength: 1
  22874. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22875. type: string
  22876. namespace:
  22877. description: |-
  22878. Namespace of the resource being referred to.
  22879. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22880. maxLength: 63
  22881. minLength: 1
  22882. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22883. type: string
  22884. required:
  22885. - name
  22886. type: object
  22887. serviceID:
  22888. description: The Conjur authn-jwt webservice ID.
  22889. type: string
  22890. required:
  22891. - account
  22892. - serviceID
  22893. type: object
  22894. type: object
  22895. caBundle:
  22896. description: CABundle is a PEM encoded CA bundle that will be used to validate the Conjur server certificate.
  22897. type: string
  22898. caProvider:
  22899. description: |-
  22900. Used to provide custom certificate authority (CA) certificates
  22901. for a secret store. The CAProvider points to a Secret or ConfigMap resource
  22902. that contains a PEM-encoded certificate.
  22903. properties:
  22904. key:
  22905. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  22906. maxLength: 253
  22907. minLength: 1
  22908. pattern: ^[-._a-zA-Z0-9]+$
  22909. type: string
  22910. name:
  22911. description: The name of the object located at the provider type.
  22912. maxLength: 253
  22913. minLength: 1
  22914. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22915. type: string
  22916. namespace:
  22917. description: |-
  22918. The namespace the Provider type is in.
  22919. Can only be defined when used in a ClusterSecretStore.
  22920. maxLength: 63
  22921. minLength: 1
  22922. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22923. type: string
  22924. type:
  22925. description: The type of provider to use such as "Secret", or "ConfigMap".
  22926. enum:
  22927. - Secret
  22928. - ConfigMap
  22929. type: string
  22930. required:
  22931. - name
  22932. - type
  22933. type: object
  22934. url:
  22935. description: URL is the endpoint of the Conjur instance.
  22936. type: string
  22937. required:
  22938. - auth
  22939. - url
  22940. type: object
  22941. delinea:
  22942. description: |-
  22943. Delinea DevOps Secrets Vault
  22944. https://docs.delinea.com/online-help/products/devops-secrets-vault/current
  22945. properties:
  22946. clientId:
  22947. description: ClientID is the non-secret part of the credential.
  22948. properties:
  22949. secretRef:
  22950. description: SecretRef references a key in a secret that will be used as value.
  22951. properties:
  22952. key:
  22953. description: |-
  22954. A key in the referenced Secret.
  22955. Some instances of this field may be defaulted, in others it may be required.
  22956. maxLength: 253
  22957. minLength: 1
  22958. pattern: ^[-._a-zA-Z0-9]+$
  22959. type: string
  22960. name:
  22961. description: The name of the Secret resource being referred to.
  22962. maxLength: 253
  22963. minLength: 1
  22964. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22965. type: string
  22966. namespace:
  22967. description: |-
  22968. The namespace of the Secret resource being referred to.
  22969. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22970. maxLength: 63
  22971. minLength: 1
  22972. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22973. type: string
  22974. type: object
  22975. value:
  22976. description: Value can be specified directly to set a value without using a secret.
  22977. type: string
  22978. type: object
  22979. clientSecret:
  22980. description: ClientSecret is the secret part of the credential.
  22981. properties:
  22982. secretRef:
  22983. description: SecretRef references a key in a secret that will be used as value.
  22984. properties:
  22985. key:
  22986. description: |-
  22987. A key in the referenced Secret.
  22988. Some instances of this field may be defaulted, in others it may be required.
  22989. maxLength: 253
  22990. minLength: 1
  22991. pattern: ^[-._a-zA-Z0-9]+$
  22992. type: string
  22993. name:
  22994. description: The name of the Secret resource being referred to.
  22995. maxLength: 253
  22996. minLength: 1
  22997. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22998. type: string
  22999. namespace:
  23000. description: |-
  23001. The namespace of the Secret resource being referred to.
  23002. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23003. maxLength: 63
  23004. minLength: 1
  23005. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23006. type: string
  23007. type: object
  23008. value:
  23009. description: Value can be specified directly to set a value without using a secret; a value given this way is stored in plain text in this resource.
  23010. type: string
  23011. type: object
  23012. tenant:
  23013. description: Tenant is the chosen hostname / site name.
  23014. type: string
  23015. tld:
  23016. description: |-
  23017. TLD is based on the server location that was chosen during provisioning.
  23018. If unset, defaults to "com".
  23019. type: string
  23020. urlTemplate:
  23021. description: |-
  23022. URLTemplate
  23023. If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s".
  23024. type: string
  23025. required:
  23026. - clientId
  23027. - clientSecret
  23028. - tenant
  23029. type: object
  23030. device42:
  23031. description: Device42 configures this store to sync secrets using the Device42 provider
  23032. properties:
  23033. auth:
  23034. description: Auth configures how secret-manager authenticates with a Device42 instance.
  23035. properties:
  23036. secretRef:
  23037. description: Device42SecretRef defines a reference to a secret containing credentials for the Device42 provider.
  23038. properties:
  23039. credentials:
  23040. description: Username / Password is used for authentication.
  23041. properties:
  23042. key:
  23043. description: |-
  23044. A key in the referenced Secret.
  23045. Some instances of this field may be defaulted, in others it may be required.
  23046. maxLength: 253
  23047. minLength: 1
  23048. pattern: ^[-._a-zA-Z0-9]+$
  23049. type: string
  23050. name:
  23051. description: The name of the Secret resource being referred to.
  23052. maxLength: 253
  23053. minLength: 1
  23054. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23055. type: string
  23056. namespace:
  23057. description: |-
  23058. The namespace of the Secret resource being referred to.
  23059. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23060. maxLength: 63
  23061. minLength: 1
  23062. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23063. type: string
  23064. type: object
  23065. type: object
  23066. required:
  23067. - secretRef
  23068. type: object
  23069. host:
  23070. description: URL configures the Device42 instance URL.
  23071. type: string
  23072. required:
  23073. - auth
  23074. - host
  23075. type: object
  23076. doppler:
  23077. description: Doppler configures this store to sync secrets using the Doppler provider
  23078. properties:
  23079. auth:
  23080. description: Auth configures how the Operator authenticates with the Doppler API
  23081. properties:
  23082. secretRef:
  23083. description: DopplerAuthSecretRef defines a reference to a secret containing credentials for the Doppler provider.
  23084. properties:
  23085. dopplerToken:
  23086. description: |-
  23087. The DopplerToken is used for authentication.
  23088. See https://docs.doppler.com/reference/api#authentication for auth token types.
  23089. The Key attribute defaults to dopplerToken if not specified.
  23090. properties:
  23091. key:
  23092. description: |-
  23093. A key in the referenced Secret.
  23094. Some instances of this field may be defaulted, in others it may be required.
  23095. maxLength: 253
  23096. minLength: 1
  23097. pattern: ^[-._a-zA-Z0-9]+$
  23098. type: string
  23099. name:
  23100. description: The name of the Secret resource being referred to.
  23101. maxLength: 253
  23102. minLength: 1
  23103. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23104. type: string
  23105. namespace:
  23106. description: |-
  23107. The namespace of the Secret resource being referred to.
  23108. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23109. maxLength: 63
  23110. minLength: 1
  23111. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23112. type: string
  23113. type: object
  23114. required:
  23115. - dopplerToken
  23116. type: object
  23117. required:
  23118. - secretRef
  23119. type: object
  23120. config:
  23121. description: Doppler config (required if not using a Service Token)
  23122. type: string
  23123. format:
  23124. description: Format enables the downloading of secrets as a file (string)
  23125. enum:
  23126. - json
  23127. - dotnet-json
  23128. - env
  23129. - yaml
  23130. - docker
  23131. type: string
  23132. nameTransformer:
  23133. description: Environment-variable-compatible name transforms that change secret names to a different format.
  23134. enum:
  23135. - upper-camel
  23136. - camel
  23137. - lower-snake
  23138. - tf-var
  23139. - dotnet-env
  23140. - lower-kebab
  23141. type: string
  23142. project:
  23143. description: Doppler project (required if not using a Service Token)
  23144. type: string
  23145. required:
  23146. - auth
  23147. type: object
  23148. fake:
  23149. description: Fake configures a store with static key/value pairs
  23150. properties:
  23151. data:
  23152. items:
  23153. description: FakeProviderData defines a key-value pair for the fake provider used in testing.
  23154. properties:
  23155. key:
  23156. type: string
  23157. value:
  23158. type: string
  23159. version:
  23160. type: string
  23161. required:
  23162. - key
  23163. - value
  23164. type: object
  23165. type: array
  23166. required:
  23167. - data
  23168. type: object
  23169. fortanix:
  23170. description: Fortanix configures this store to sync secrets using the Fortanix provider
  23171. properties:
  23172. apiKey:
  23173. description: APIKey is the API token to access SDKMS Applications.
  23174. properties:
  23175. secretRef:
  23176. description: SecretRef is a reference to a secret containing the SDKMS API Key.
  23177. properties:
  23178. key:
  23179. description: |-
  23180. A key in the referenced Secret.
  23181. Some instances of this field may be defaulted, in others it may be required.
  23182. maxLength: 253
  23183. minLength: 1
  23184. pattern: ^[-._a-zA-Z0-9]+$
  23185. type: string
  23186. name:
  23187. description: The name of the Secret resource being referred to.
  23188. maxLength: 253
  23189. minLength: 1
  23190. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23191. type: string
  23192. namespace:
  23193. description: |-
  23194. The namespace of the Secret resource being referred to.
  23195. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23196. maxLength: 63
  23197. minLength: 1
  23198. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23199. type: string
  23200. type: object
  23201. type: object
  23202. apiUrl:
  23203. description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`.
  23204. type: string
  23205. type: object
  23206. gcpsm:
  23207. description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
  23208. properties:
  23209. auth:
  23210. description: Auth defines the information necessary to authenticate against GCP
  23211. properties:
  23212. secretRef:
  23213. description: GCPSMAuthSecretRef defines a reference to a secret containing credentials for the GCP Secret Manager provider.
  23214. properties:
  23215. secretAccessKeySecretRef:
  23216. description: The SecretAccessKey is used for authentication
  23217. properties:
  23218. key:
  23219. description: |-
  23220. A key in the referenced Secret.
  23221. Some instances of this field may be defaulted, in others it may be required.
  23222. maxLength: 253
  23223. minLength: 1
  23224. pattern: ^[-._a-zA-Z0-9]+$
  23225. type: string
  23226. name:
  23227. description: The name of the Secret resource being referred to.
  23228. maxLength: 253
  23229. minLength: 1
  23230. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23231. type: string
  23232. namespace:
  23233. description: |-
  23234. The namespace of the Secret resource being referred to.
  23235. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23236. maxLength: 63
  23237. minLength: 1
  23238. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23239. type: string
  23240. type: object
  23241. type: object
  23242. workloadIdentity:
  23243. description: GCPWorkloadIdentity defines configuration for using GCP Workload Identity authentication.
  23244. properties:
  23245. clusterLocation:
  23246. description: |-
  23247. ClusterLocation is the location of the cluster
  23248. If not specified, it fetches information from the metadata server
  23249. type: string
  23250. clusterName:
  23251. description: |-
  23252. ClusterName is the name of the cluster
  23253. If not specified, it fetches information from the metadata server
  23254. type: string
  23255. clusterProjectID:
  23256. description: |-
  23257. ClusterProjectID is the project ID of the cluster
  23258. If not specified, it fetches information from the metadata server
  23259. type: string
  23260. serviceAccountRef:
  23261. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  23262. properties:
  23263. audiences:
  23264. description: |-
  23265. Audience specifies the `aud` claim for the service account token.
  23266. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity,
  23267. then these audiences will be appended to the list.
  23268. items:
  23269. type: string
  23270. type: array
  23271. name:
  23272. description: The name of the ServiceAccount resource being referred to.
  23273. maxLength: 253
  23274. minLength: 1
  23275. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23276. type: string
  23277. namespace:
  23278. description: |-
  23279. Namespace of the resource being referred to.
  23280. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23281. maxLength: 63
  23282. minLength: 1
  23283. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23284. type: string
  23285. required:
  23286. - name
  23287. type: object
  23288. required:
  23289. - serviceAccountRef
  23290. type: object
  23291. type: object
  23292. location:
  23293. description: Location optionally defines a location for a secret
  23294. type: string
  23295. projectID:
  23296. description: ProjectID is the project where the secret is located.
  23297. type: string
  23298. type: object
  23299. github:
  23300. description: Github configures this store to push GitHub Actions secrets using the GitHub API provider.
  23301. properties:
  23302. appID:
  23303. description: appID specifies the Github APP that will be used to authenticate the client
  23304. format: int64
  23305. type: integer
  23306. auth:
  23307. description: auth configures how secret-manager authenticates with a Github instance.
  23308. properties:
  23309. privateKey:
  23310. description: |-
  23311. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  23312. In some instances, `key` is a required field.
  23313. properties:
  23314. key:
  23315. description: |-
  23316. A key in the referenced Secret.
  23317. Some instances of this field may be defaulted, in others it may be required.
  23318. maxLength: 253
  23319. minLength: 1
  23320. pattern: ^[-._a-zA-Z0-9]+$
  23321. type: string
  23322. name:
  23323. description: The name of the Secret resource being referred to.
  23324. maxLength: 253
  23325. minLength: 1
  23326. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23327. type: string
  23328. namespace:
  23329. description: |-
  23330. The namespace of the Secret resource being referred to.
  23331. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23332. maxLength: 63
  23333. minLength: 1
  23334. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23335. type: string
  23336. type: object
  23337. required:
  23338. - privateKey
  23339. type: object
  23340. environment:
  23341. description: environment will be used to fetch secrets from a particular environment within a github repository
  23342. type: string
  23343. installationID:
  23344. description: installationID specifies the Github APP installation that will be used to authenticate the client
  23345. format: int64
  23346. type: integer
  23347. organization:
  23348. description: organization will be used to fetch secrets from the Github organization
  23349. type: string
  23350. repository:
  23351. description: repository will be used to fetch secrets from the Github repository within an organization
  23352. type: string
  23353. uploadURL:
  23354. description: Upload URL for enterprise instances. Defaults to URL.
  23355. type: string
  23356. url:
  23357. default: https://github.com/
  23358. description: URL configures the Github instance URL. Defaults to https://github.com/.
  23359. type: string
  23360. required:
  23361. - appID
  23362. - auth
  23363. - installationID
  23364. - organization
  23365. type: object
  23366. gitlab:
  23367. description: GitLab configures this store to sync secrets using GitLab Variables provider
  23368. properties:
  23369. auth:
  23370. description: Auth configures how secret-manager authenticates with a GitLab instance.
  23371. properties:
  23372. SecretRef:
  23373. description: GitlabSecretRef defines a reference to a secret containing credentials for the GitLab provider.
  23374. properties:
  23375. accessToken:
  23376. description: AccessToken is used for authentication.
  23377. properties:
  23378. key:
  23379. description: |-
  23380. A key in the referenced Secret.
  23381. Some instances of this field may be defaulted, in others it may be required.
  23382. maxLength: 253
  23383. minLength: 1
  23384. pattern: ^[-._a-zA-Z0-9]+$
  23385. type: string
  23386. name:
  23387. description: The name of the Secret resource being referred to.
  23388. maxLength: 253
  23389. minLength: 1
  23390. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23391. type: string
  23392. namespace:
  23393. description: |-
  23394. The namespace of the Secret resource being referred to.
  23395. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23396. maxLength: 63
  23397. minLength: 1
  23398. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23399. type: string
  23400. type: object
  23401. type: object
  23402. required:
  23403. - SecretRef
  23404. type: object
  23405. caBundle:
  23406. description: |-
  23407. Base64-encoded certificate for the GitLab server SDK. The SDK MUST run with HTTPS to make sure no MITM attack
  23408. can be performed.
  23409. format: byte
  23410. type: string
  23411. caProvider:
  23412. description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider'
  23413. properties:
  23414. key:
  23415. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  23416. maxLength: 253
  23417. minLength: 1
  23418. pattern: ^[-._a-zA-Z0-9]+$
  23419. type: string
  23420. name:
  23421. description: The name of the object located at the provider type.
  23422. maxLength: 253
  23423. minLength: 1
  23424. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23425. type: string
  23426. namespace:
  23427. description: |-
  23428. The namespace the Provider type is in.
  23429. Can only be defined when used in a ClusterSecretStore.
  23430. maxLength: 63
  23431. minLength: 1
  23432. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23433. type: string
  23434. type:
  23435. description: The type of provider to use such as "Secret", or "ConfigMap".
  23436. enum:
  23437. - Secret
  23438. - ConfigMap
  23439. type: string
  23440. required:
  23441. - name
  23442. - type
  23443. type: object
  23444. environment:
  23445. description: Environment is the environment_scope of GitLab CI/CD variables (see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments).
  23446. type: string
  23447. groupIDs:
  23448. description: GroupIDs specifies which GitLab groups to pull secrets from. Group secrets are read from left to right, followed by the project variables.
  23449. items:
  23450. type: string
  23451. type: array
  23452. inheritFromGroups:
  23453. description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets.
  23454. type: boolean
  23455. projectID:
  23456. description: ProjectID specifies a project where secrets are located.
  23457. type: string
  23458. url:
  23459. description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
  23460. type: string
  23461. required:
  23462. - auth
  23463. type: object
  23464. ibm:
  23465. description: IBM configures this store to sync secrets using IBM Cloud provider
  23466. properties:
  23467. auth:
  23468. description: Auth configures how secret-manager authenticates with the IBM secrets manager.
  23469. maxProperties: 1
  23470. minProperties: 1
  23471. properties:
  23472. containerAuth:
  23473. description: IBMAuthContainerAuth defines authentication using IBM Container-based auth with IAM Trusted Profile.
  23474. properties:
  23475. iamEndpoint:
  23476. type: string
  23477. profile:
  23478. description: Profile is the IBM Trusted Profile.
  23479. type: string
  23480. tokenLocation:
  23481. description: TokenLocation is the location where the token is mounted on the pod.
  23482. type: string
  23483. required:
  23484. - profile
  23485. type: object
  23486. secretRef:
  23487. description: IBMAuthSecretRef defines a reference to a secret containing credentials for the IBM provider.
  23488. properties:
  23489. secretApiKeySecretRef:
  23490. description: The SecretAccessKey is used for authentication
  23491. properties:
  23492. key:
  23493. description: |-
  23494. A key in the referenced Secret.
  23495. Some instances of this field may be defaulted, in others it may be required.
  23496. maxLength: 253
  23497. minLength: 1
  23498. pattern: ^[-._a-zA-Z0-9]+$
  23499. type: string
  23500. name:
  23501. description: The name of the Secret resource being referred to.
  23502. maxLength: 253
  23503. minLength: 1
  23504. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23505. type: string
  23506. namespace:
  23507. description: |-
  23508. The namespace of the Secret resource being referred to.
  23509. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23510. maxLength: 63
  23511. minLength: 1
  23512. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23513. type: string
  23514. type: object
  23515. type: object
  23516. type: object
  23517. serviceUrl:
  23518. description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
  23519. type: string
  23520. required:
  23521. - auth
  23522. type: object
  23523. infisical:
  23524. description: Infisical configures this store to sync secrets using the Infisical provider
  23525. properties:
  23526. auth:
  23527. description: Auth configures how the Operator authenticates with the Infisical API
  23528. properties:
  23529. universalAuthCredentials:
  23530. description: UniversalAuthCredentials defines the credentials for Infisical Universal Auth.
  23531. properties:
  23532. clientId:
  23533. description: |-
  23534. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  23535. In some instances, `key` is a required field.
  23536. properties:
  23537. key:
  23538. description: |-
  23539. A key in the referenced Secret.
  23540. Some instances of this field may be defaulted, in others it may be required.
  23541. maxLength: 253
  23542. minLength: 1
  23543. pattern: ^[-._a-zA-Z0-9]+$
  23544. type: string
  23545. name:
  23546. description: The name of the Secret resource being referred to.
  23547. maxLength: 253
  23548. minLength: 1
  23549. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23550. type: string
  23551. namespace:
  23552. description: |-
  23553. The namespace of the Secret resource being referred to.
  23554. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23555. maxLength: 63
  23556. minLength: 1
  23557. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23558. type: string
  23559. type: object
  23560. clientSecret:
  23561. description: |-
  23562. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  23563. In some instances, `key` is a required field.
  23564. properties:
  23565. key:
  23566. description: |-
  23567. A key in the referenced Secret.
  23568. Some instances of this field may be defaulted, in others it may be required.
  23569. maxLength: 253
  23570. minLength: 1
  23571. pattern: ^[-._a-zA-Z0-9]+$
  23572. type: string
  23573. name:
  23574. description: The name of the Secret resource being referred to.
  23575. maxLength: 253
  23576. minLength: 1
  23577. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23578. type: string
  23579. namespace:
  23580. description: |-
  23581. The namespace of the Secret resource being referred to.
  23582. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23583. maxLength: 63
  23584. minLength: 1
  23585. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23586. type: string
  23587. type: object
  23588. required:
  23589. - clientId
  23590. - clientSecret
  23591. type: object
  23592. type: object
  23593. hostAPI:
  23594. default: https://app.infisical.com/api
  23595. description: HostAPI specifies the base URL of the Infisical API. If not provided, it defaults to "https://app.infisical.com/api".
  23596. type: string
  23597. secretsScope:
  23598. description: SecretsScope defines the scope of the secrets within the workspace
  23599. properties:
  23600. environmentSlug:
  23601. description: EnvironmentSlug is the required slug identifier for the environment.
  23602. type: string
  23603. expandSecretReferences:
  23604. default: true
  23605. description: ExpandSecretReferences indicates whether secret references should be expanded. Defaults to true if not provided.
  23606. type: boolean
  23607. projectSlug:
  23608. description: ProjectSlug is the required slug identifier for the project.
  23609. type: string
  23610. recursive:
  23611. default: false
  23612. description: Recursive indicates whether the secrets should be fetched recursively. Defaults to false if not provided.
  23613. type: boolean
  23614. secretsPath:
  23615. default: /
  23616. description: SecretsPath specifies the path to the secrets within the workspace. Defaults to "/" if not provided.
  23617. type: string
  23618. required:
  23619. - environmentSlug
  23620. - projectSlug
  23621. type: object
  23622. required:
  23623. - auth
  23624. - secretsScope
  23625. type: object
  23626. keepersecurity:
  23627. description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider
  23628. properties:
  23629. authRef:
  23630. description: |-
  23631. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  23632. In some instances, `key` is a required field.
  23633. properties:
  23634. key:
  23635. description: |-
  23636. A key in the referenced Secret.
  23637. Some instances of this field may be defaulted, in others it may be required.
  23638. maxLength: 253
  23639. minLength: 1
  23640. pattern: ^[-._a-zA-Z0-9]+$
  23641. type: string
  23642. name:
  23643. description: The name of the Secret resource being referred to.
  23644. maxLength: 253
  23645. minLength: 1
  23646. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23647. type: string
  23648. namespace:
  23649. description: |-
  23650. The namespace of the Secret resource being referred to.
  23651. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23652. maxLength: 63
  23653. minLength: 1
  23654. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23655. type: string
  23656. type: object
  23657. folderID:
  23658. type: string
  23659. required:
  23660. - authRef
  23661. - folderID
  23662. type: object
  23663. kubernetes:
  23664. description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
  23665. properties:
  23666. auth:
  23667. description: Auth configures how secret-manager authenticates with a Kubernetes instance.
  23668. maxProperties: 1
  23669. minProperties: 1
  23670. properties:
  23671. cert:
  23672. description: Cert holds both clientCert and clientKey as SecretKeySelector references
  23673. properties:
  23674. clientCert:
  23675. description: |-
  23676. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  23677. In some instances, `key` is a required field.
  23678. properties:
  23679. key:
  23680. description: |-
  23681. A key in the referenced Secret.
  23682. Some instances of this field may be defaulted, in others it may be required.
  23683. maxLength: 253
  23684. minLength: 1
  23685. pattern: ^[-._a-zA-Z0-9]+$
  23686. type: string
  23687. name:
  23688. description: The name of the Secret resource being referred to.
  23689. maxLength: 253
  23690. minLength: 1
  23691. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23692. type: string
  23693. namespace:
  23694. description: |-
  23695. The namespace of the Secret resource being referred to.
  23696. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23697. maxLength: 63
  23698. minLength: 1
  23699. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23700. type: string
  23701. type: object
  23702. clientKey:
  23703. description: |-
  23704. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  23705. In some instances, `key` is a required field.
  23706. properties:
  23707. key:
  23708. description: |-
  23709. A key in the referenced Secret.
  23710. Some instances of this field may be defaulted, in others it may be required.
  23711. maxLength: 253
  23712. minLength: 1
  23713. pattern: ^[-._a-zA-Z0-9]+$
  23714. type: string
  23715. name:
  23716. description: The name of the Secret resource being referred to.
  23717. maxLength: 253
  23718. minLength: 1
  23719. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23720. type: string
  23721. namespace:
  23722. description: |-
  23723. The namespace of the Secret resource being referred to.
  23724. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23725. maxLength: 63
  23726. minLength: 1
  23727. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23728. type: string
  23729. type: object
  23730. type: object
  23731. serviceAccount:
  23732. description: points to a service account that should be used for authentication
  23733. properties:
  23734. audiences:
  23735. description: |-
  23736. Audience specifies the `aud` claim for the service account token
  23737. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity,
  23738. then these audiences will be appended to the list
  23739. items:
  23740. type: string
  23741. type: array
  23742. name:
  23743. description: The name of the ServiceAccount resource being referred to.
  23744. maxLength: 253
  23745. minLength: 1
  23746. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23747. type: string
  23748. namespace:
  23749. description: |-
  23750. Namespace of the resource being referred to.
  23751. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23752. maxLength: 63
  23753. minLength: 1
  23754. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23755. type: string
  23756. required:
  23757. - name
  23758. type: object
  23759. token:
  23760. description: Token uses a static bearer token to authenticate with
  23761. properties:
  23762. bearerToken:
  23763. description: |-
  23764. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  23765. In some instances, `key` is a required field.
  23766. properties:
  23767. key:
  23768. description: |-
  23769. A key in the referenced Secret.
  23770. Some instances of this field may be defaulted, in others it may be required.
  23771. maxLength: 253
  23772. minLength: 1
  23773. pattern: ^[-._a-zA-Z0-9]+$
  23774. type: string
  23775. name:
  23776. description: The name of the Secret resource being referred to.
  23777. maxLength: 253
  23778. minLength: 1
  23779. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23780. type: string
  23781. namespace:
  23782. description: |-
  23783. The namespace of the Secret resource being referred to.
  23784. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23785. maxLength: 63
  23786. minLength: 1
  23787. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23788. type: string
  23789. type: object
  23790. type: object
  23791. type: object
  23792. authRef:
  23793. description: A reference to a secret that contains the auth information.
  23794. properties:
  23795. key:
  23796. description: |-
  23797. A key in the referenced Secret.
  23798. Some instances of this field may be defaulted, in others it may be required.
  23799. maxLength: 253
  23800. minLength: 1
  23801. pattern: ^[-._a-zA-Z0-9]+$
  23802. type: string
  23803. name:
  23804. description: The name of the Secret resource being referred to.
  23805. maxLength: 253
  23806. minLength: 1
  23807. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23808. type: string
  23809. namespace:
  23810. description: |-
  23811. The namespace of the Secret resource being referred to.
  23812. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23813. maxLength: 63
  23814. minLength: 1
  23815. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23816. type: string
  23817. type: object
  23818. remoteNamespace:
  23819. default: default
  23820. description: Remote namespace to fetch the secrets from
  23821. maxLength: 63
  23822. minLength: 1
  23823. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23824. type: string
  23825. server:
  23826. description: configures the Kubernetes server Address.
  23827. properties:
  23828. caBundle:
  23829. description: CABundle is a base64-encoded CA certificate
  23830. format: byte
  23831. type: string
  23832. caProvider:
  23833. description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
  23834. properties:
  23835. key:
  23836. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  23837. maxLength: 253
  23838. minLength: 1
  23839. pattern: ^[-._a-zA-Z0-9]+$
  23840. type: string
  23841. name:
  23842. description: The name of the object located at the provider type.
  23843. maxLength: 253
  23844. minLength: 1
  23845. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23846. type: string
  23847. namespace:
  23848. description: |-
  23849. The namespace the Provider type is in.
  23850. Can only be defined when used in a ClusterSecretStore.
  23851. maxLength: 63
  23852. minLength: 1
  23853. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23854. type: string
  23855. type:
  23856. description: The type of provider to use such as "Secret", or "ConfigMap".
  23857. enum:
  23858. - Secret
  23859. - ConfigMap
  23860. type: string
  23861. required:
  23862. - name
  23863. - type
  23864. type: object
  23865. url:
  23866. default: kubernetes.default
  23867. description: configures the Kubernetes server Address.
  23868. type: string
  23869. type: object
  23870. type: object
  23871. onboardbase:
  23872. description: Onboardbase configures this store to sync secrets using the Onboardbase provider
  23873. properties:
  23874. apiHost:
  23875. default: https://public.onboardbase.com/api/v1/
  23876. description: APIHost configures the host URL of the API for self-hosted installations; the default is https://public.onboardbase.com/api/v1/
  23877. type: string
  23878. auth:
  23879. description: Auth configures how the Operator authenticates with the Onboardbase API
  23880. properties:
  23881. apiKeyRef:
  23882. description: |-
  23883. OnboardbaseAPIKey is the APIKey generated by an admin account.
  23884. It is used to recognize and authorize access to a project and environment within onboardbase
  23885. properties:
  23886. key:
  23887. description: |-
  23888. A key in the referenced Secret.
  23889. Some instances of this field may be defaulted, in others it may be required.
  23890. maxLength: 253
  23891. minLength: 1
  23892. pattern: ^[-._a-zA-Z0-9]+$
  23893. type: string
  23894. name:
  23895. description: The name of the Secret resource being referred to.
  23896. maxLength: 253
  23897. minLength: 1
  23898. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23899. type: string
  23900. namespace:
  23901. description: |-
  23902. The namespace of the Secret resource being referred to.
  23903. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23904. maxLength: 63
  23905. minLength: 1
  23906. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23907. type: string
  23908. type: object
  23909. passcodeRef:
  23910. description: OnboardbasePasscode is the passcode attached to the API Key
  23911. properties:
  23912. key:
  23913. description: |-
  23914. A key in the referenced Secret.
  23915. Some instances of this field may be defaulted, in others it may be required.
  23916. maxLength: 253
  23917. minLength: 1
  23918. pattern: ^[-._a-zA-Z0-9]+$
  23919. type: string
  23920. name:
  23921. description: The name of the Secret resource being referred to.
  23922. maxLength: 253
  23923. minLength: 1
  23924. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23925. type: string
  23926. namespace:
  23927. description: |-
  23928. The namespace of the Secret resource being referred to.
  23929. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23930. maxLength: 63
  23931. minLength: 1
  23932. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23933. type: string
  23934. type: object
  23935. required:
  23936. - apiKeyRef
  23937. - passcodeRef
  23938. type: object
  23939. environment:
  23940. default: development
  23941. description: Environment is the name of an environment within a project to pull the secrets from
  23942. type: string
  23943. project:
  23944. default: development
  23945. description: Project is an onboardbase project that the secrets should be pulled from
  23946. type: string
  23947. required:
  23948. - apiHost
  23949. - auth
  23950. - environment
  23951. - project
  23952. type: object
  23953. onepassword:
  23954. description: OnePassword configures this store to sync secrets using the 1Password Cloud provider
  23955. properties:
  23956. auth:
  23957. description: Auth defines the information necessary to authenticate against OnePassword Connect Server
  23958. properties:
  23959. secretRef:
  23960. description: OnePasswordAuthSecretRef holds secret references for 1Password credentials.
  23961. properties:
  23962. connectTokenSecretRef:
  23963. description: The ConnectToken is used for authentication to a 1Password Connect Server.
  23964. properties:
  23965. key:
  23966. description: |-
  23967. A key in the referenced Secret.
  23968. Some instances of this field may be defaulted, in others it may be required.
  23969. maxLength: 253
  23970. minLength: 1
  23971. pattern: ^[-._a-zA-Z0-9]+$
  23972. type: string
  23973. name:
  23974. description: The name of the Secret resource being referred to.
  23975. maxLength: 253
  23976. minLength: 1
  23977. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23978. type: string
  23979. namespace:
  23980. description: |-
  23981. The namespace of the Secret resource being referred to.
  23982. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23983. maxLength: 63
  23984. minLength: 1
  23985. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23986. type: string
  23987. type: object
  23988. required:
  23989. - connectTokenSecretRef
  23990. type: object
  23991. required:
  23992. - secretRef
  23993. type: object
  23994. connectHost:
  23995. description: ConnectHost defines the OnePassword Connect Server to connect to
  23996. type: string
  23997. vaults:
  23998. additionalProperties:
  23999. type: integer
  24000. description: Vaults defines which OnePassword vaults to search in which order
  24001. type: object
  24002. required:
  24003. - auth
  24004. - connectHost
  24005. - vaults
  24006. type: object
  24007. oracle:
  24008. description: Oracle configures this store to sync secrets using Oracle Vault provider
  24009. properties:
  24010. auth:
  24011. description: |-
  24012. Auth configures how secret-manager authenticates with the Oracle Vault.
  24013. If empty, use the instance principal, otherwise the user credentials specified in Auth.
  24014. properties:
  24015. secretRef:
  24016. description: SecretRef to pass through sensitive information.
  24017. properties:
  24018. fingerprint:
  24019. description: Fingerprint is the fingerprint of the API private key.
  24020. properties:
  24021. key:
  24022. description: |-
  24023. A key in the referenced Secret.
  24024. Some instances of this field may be defaulted, in others it may be required.
  24025. maxLength: 253
  24026. minLength: 1
  24027. pattern: ^[-._a-zA-Z0-9]+$
  24028. type: string
  24029. name:
  24030. description: The name of the Secret resource being referred to.
  24031. maxLength: 253
  24032. minLength: 1
  24033. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24034. type: string
  24035. namespace:
  24036. description: |-
  24037. The namespace of the Secret resource being referred to.
  24038. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24039. maxLength: 63
  24040. minLength: 1
  24041. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24042. type: string
  24043. type: object
  24044. privatekey:
  24045. description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
  24046. properties:
  24047. key:
  24048. description: |-
  24049. A key in the referenced Secret.
  24050. Some instances of this field may be defaulted, in others it may be required.
  24051. maxLength: 253
  24052. minLength: 1
  24053. pattern: ^[-._a-zA-Z0-9]+$
  24054. type: string
  24055. name:
  24056. description: The name of the Secret resource being referred to.
  24057. maxLength: 253
  24058. minLength: 1
  24059. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24060. type: string
  24061. namespace:
  24062. description: |-
  24063. The namespace of the Secret resource being referred to.
  24064. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24065. maxLength: 63
  24066. minLength: 1
  24067. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24068. type: string
  24069. type: object
  24070. required:
  24071. - fingerprint
  24072. - privatekey
  24073. type: object
  24074. tenancy:
  24075. description: Tenancy is the tenancy OCID where user is located.
  24076. type: string
  24077. user:
  24078. description: User is an access OCID specific to the account.
  24079. type: string
  24080. required:
  24081. - secretRef
  24082. - tenancy
  24083. - user
  24084. type: object
  24085. compartment:
  24086. description: |-
  24087. Compartment is the vault compartment OCID.
  24088. Required for PushSecret
  24089. type: string
  24090. encryptionKey:
  24091. description: |-
  24092. EncryptionKey is the OCID of the encryption key within the vault.
  24093. Required for PushSecret
  24094. type: string
  24095. principalType:
  24096. description: |-
  24097. The type of principal to use for authentication. If left blank, the Auth struct will
  24098. determine the principal type. This optional field must be specified if using
  24099. workload identity.
  24100. enum:
  24101. - ""
  24102. - UserPrincipal
  24103. - InstancePrincipal
  24104. - Workload
  24105. type: string
  24106. region:
  24107. description: Region is the region where vault is located.
  24108. type: string
  24109. serviceAccountRef:
  24110. description: |-
  24111. ServiceAccountRef specifies the service account
  24112. that should be used when authenticating with WorkloadIdentity.
  24113. properties:
  24114. audiences:
  24115. description: |-
  24116. Audience specifies the `aud` claim for the service account token
  24117. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  24118. then this audiences will be appended to the list
  24119. items:
  24120. type: string
  24121. type: array
  24122. name:
  24123. description: The name of the ServiceAccount resource being referred to.
  24124. maxLength: 253
  24125. minLength: 1
  24126. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24127. type: string
  24128. namespace:
  24129. description: |-
  24130. Namespace of the resource being referred to.
  24131. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24132. maxLength: 63
  24133. minLength: 1
  24134. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24135. type: string
  24136. required:
  24137. - name
  24138. type: object
  24139. vault:
  24140. description: Vault is the OCID of the specific vault where the secret is located.
  24141. type: string
  24142. required:
  24143. - region
  24144. - vault
  24145. type: object
  24146. passbolt:
  24147. description: PassboltProvider defines configuration for the Passbolt provider.
  24148. properties:
  24149. auth:
  24150. description: Auth defines the information necessary to authenticate against Passbolt Server
  24151. properties:
  24152. passwordSecretRef:
  24153. description: PasswordSecretRef is a reference to the secret containing the Passbolt password
  24154. properties:
  24155. key:
  24156. description: |-
  24157. A key in the referenced Secret.
  24158. Some instances of this field may be defaulted, in others it may be required.
  24159. maxLength: 253
  24160. minLength: 1
  24161. pattern: ^[-._a-zA-Z0-9]+$
  24162. type: string
  24163. name:
  24164. description: The name of the Secret resource being referred to.
  24165. maxLength: 253
  24166. minLength: 1
  24167. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24168. type: string
  24169. namespace:
  24170. description: |-
  24171. The namespace of the Secret resource being referred to.
  24172. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24173. maxLength: 63
  24174. minLength: 1
  24175. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24176. type: string
  24177. type: object
  24178. privateKeySecretRef:
  24179. description: PrivateKeySecretRef is a reference to the secret containing the Passbolt private key
  24180. properties:
  24181. key:
  24182. description: |-
  24183. A key in the referenced Secret.
  24184. Some instances of this field may be defaulted, in others it may be required.
  24185. maxLength: 253
  24186. minLength: 1
  24187. pattern: ^[-._a-zA-Z0-9]+$
  24188. type: string
  24189. name:
  24190. description: The name of the Secret resource being referred to.
  24191. maxLength: 253
  24192. minLength: 1
  24193. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24194. type: string
  24195. namespace:
  24196. description: |-
  24197. The namespace of the Secret resource being referred to.
  24198. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24199. maxLength: 63
  24200. minLength: 1
  24201. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24202. type: string
  24203. type: object
  24204. required:
  24205. - passwordSecretRef
  24206. - privateKeySecretRef
  24207. type: object
  24208. host:
  24209. description: Host defines the Passbolt Server to connect to
  24210. type: string
  24211. required:
  24212. - auth
  24213. - host
  24214. type: object
  24215. passworddepot:
  24216. description: PasswordDepotProvider configures a store to sync secrets with a Password Depot instance.
  24217. properties:
  24218. auth:
  24219. description: Auth configures how secret-manager authenticates with a Password Depot instance.
  24220. properties:
  24221. secretRef:
  24222. description: PasswordDepotSecretRef defines a reference to a secret containing credentials for the Password Depot provider.
  24223. properties:
  24224. credentials:
  24225. description: Username / Password is used for authentication.
  24226. properties:
  24227. key:
  24228. description: |-
  24229. A key in the referenced Secret.
  24230. Some instances of this field may be defaulted, in others it may be required.
  24231. maxLength: 253
  24232. minLength: 1
  24233. pattern: ^[-._a-zA-Z0-9]+$
  24234. type: string
  24235. name:
  24236. description: The name of the Secret resource being referred to.
  24237. maxLength: 253
  24238. minLength: 1
  24239. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24240. type: string
  24241. namespace:
  24242. description: |-
  24243. The namespace of the Secret resource being referred to.
  24244. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24245. maxLength: 63
  24246. minLength: 1
  24247. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24248. type: string
  24249. type: object
  24250. type: object
  24251. required:
  24252. - secretRef
  24253. type: object
  24254. database:
  24255. description: Database to use as source
  24256. type: string
  24257. host:
  24258. description: URL configures the Password Depot instance URL.
  24259. type: string
  24260. required:
  24261. - auth
  24262. - database
  24263. - host
  24264. type: object
  24265. previder:
  24266. description: Previder configures this store to sync secrets using the Previder provider
  24267. properties:
  24268. auth:
  24269. description: PreviderAuth contains a secretRef for credentials.
  24270. properties:
  24271. secretRef:
  24272. description: PreviderAuthSecretRef holds secret references for Previder Vault credentials.
  24273. properties:
  24274. accessToken:
  24275. description: The AccessToken is used for authentication
  24276. properties:
  24277. key:
  24278. description: |-
  24279. A key in the referenced Secret.
  24280. Some instances of this field may be defaulted, in others it may be required.
  24281. maxLength: 253
  24282. minLength: 1
  24283. pattern: ^[-._a-zA-Z0-9]+$
  24284. type: string
  24285. name:
  24286. description: The name of the Secret resource being referred to.
  24287. maxLength: 253
  24288. minLength: 1
  24289. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24290. type: string
  24291. namespace:
  24292. description: |-
  24293. The namespace of the Secret resource being referred to.
  24294. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24295. maxLength: 63
  24296. minLength: 1
  24297. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24298. type: string
  24299. type: object
  24300. required:
  24301. - accessToken
  24302. type: object
  24303. type: object
  24304. baseUri:
  24305. type: string
  24306. required:
  24307. - auth
  24308. type: object
  24309. pulumi:
  24310. description: Pulumi configures this store to sync secrets using the Pulumi provider
  24311. properties:
  24312. accessToken:
  24313. description: AccessToken is the access token used to sign in to the Pulumi Cloud Console.
  24314. properties:
  24315. secretRef:
  24316. description: SecretRef is a reference to a secret containing the Pulumi API token.
  24317. properties:
  24318. key:
  24319. description: |-
  24320. A key in the referenced Secret.
  24321. Some instances of this field may be defaulted, in others it may be required.
  24322. maxLength: 253
  24323. minLength: 1
  24324. pattern: ^[-._a-zA-Z0-9]+$
  24325. type: string
  24326. name:
  24327. description: The name of the Secret resource being referred to.
  24328. maxLength: 253
  24329. minLength: 1
  24330. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24331. type: string
  24332. namespace:
  24333. description: |-
  24334. The namespace of the Secret resource being referred to.
  24335. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24336. maxLength: 63
  24337. minLength: 1
  24338. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24339. type: string
  24340. type: object
  24341. type: object
  24342. apiUrl:
  24343. default: https://api.pulumi.com/api/esc
  24344. description: APIURL is the URL of the Pulumi API.
  24345. type: string
  24346. environment:
  24347. description: |-
  24348. Environments are YAML documents composed of static key-value pairs, programmatic expressions,
  24349. dynamically retrieved values from supported providers including all major clouds,
  24350. and other Pulumi ESC environments.
  24351. To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information.
  24352. type: string
  24353. organization:
  24354. description: |-
  24355. An Organization is a space to collaborate on shared projects and stacks.
  24356. To create a new organization, visit https://app.pulumi.com/ and click "New Organization".
  24357. type: string
  24358. project:
  24359. description: Project is the name of the Pulumi ESC project the environment belongs to.
  24360. type: string
  24361. required:
  24362. - accessToken
  24363. - environment
  24364. - organization
  24365. - project
  24366. type: object
  24367. scaleway:
  24368. description: Scaleway configures this store to sync secrets using the Scaleway provider.
  24369. properties:
  24370. accessKey:
  24371. description: AccessKey is the non-secret part of the api key.
  24372. properties:
  24373. secretRef:
  24374. description: SecretRef references a key in a secret that will be used as value.
  24375. properties:
  24376. key:
  24377. description: |-
  24378. A key in the referenced Secret.
  24379. Some instances of this field may be defaulted, in others it may be required.
  24380. maxLength: 253
  24381. minLength: 1
  24382. pattern: ^[-._a-zA-Z0-9]+$
  24383. type: string
  24384. name:
  24385. description: The name of the Secret resource being referred to.
  24386. maxLength: 253
  24387. minLength: 1
  24388. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24389. type: string
  24390. namespace:
  24391. description: |-
  24392. The namespace of the Secret resource being referred to.
  24393. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24394. maxLength: 63
  24395. minLength: 1
  24396. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24397. type: string
  24398. type: object
  24399. value:
  24400. description: Value can be specified directly to set a value without using a secret.
  24401. type: string
  24402. type: object
  24403. apiUrl:
24404. description: APIURL is the URL of the API to use. Defaults to https://api.scaleway.com
  24405. type: string
  24406. projectId:
  24407. description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings'
  24408. type: string
  24409. region:
  24410. description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone'
  24411. type: string
  24412. secretKey:
24413. description: SecretKey is the secret part of the api key.
  24414. properties:
  24415. secretRef:
  24416. description: SecretRef references a key in a secret that will be used as value.
  24417. properties:
  24418. key:
  24419. description: |-
  24420. A key in the referenced Secret.
  24421. Some instances of this field may be defaulted, in others it may be required.
  24422. maxLength: 253
  24423. minLength: 1
  24424. pattern: ^[-._a-zA-Z0-9]+$
  24425. type: string
  24426. name:
  24427. description: The name of the Secret resource being referred to.
  24428. maxLength: 253
  24429. minLength: 1
  24430. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24431. type: string
  24432. namespace:
  24433. description: |-
  24434. The namespace of the Secret resource being referred to.
  24435. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24436. maxLength: 63
  24437. minLength: 1
  24438. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24439. type: string
  24440. type: object
  24441. value:
  24442. description: Value can be specified directly to set a value without using a secret.
  24443. type: string
  24444. type: object
  24445. required:
  24446. - accessKey
  24447. - projectId
  24448. - region
  24449. - secretKey
  24450. type: object
  24451. secretserver:
  24452. description: |-
24453. SecretServer configures this store to sync secrets using the SecretServer provider
  24454. https://docs.delinea.com/online-help/secret-server/start.htm
  24455. properties:
  24456. password:
  24457. description: Password is the secret server account password.
  24458. properties:
  24459. secretRef:
  24460. description: SecretRef references a key in a secret that will be used as value.
  24461. properties:
  24462. key:
  24463. description: |-
  24464. A key in the referenced Secret.
  24465. Some instances of this field may be defaulted, in others it may be required.
  24466. maxLength: 253
  24467. minLength: 1
  24468. pattern: ^[-._a-zA-Z0-9]+$
  24469. type: string
  24470. name:
  24471. description: The name of the Secret resource being referred to.
  24472. maxLength: 253
  24473. minLength: 1
  24474. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24475. type: string
  24476. namespace:
  24477. description: |-
  24478. The namespace of the Secret resource being referred to.
  24479. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24480. maxLength: 63
  24481. minLength: 1
  24482. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24483. type: string
  24484. type: object
  24485. value:
  24486. description: Value can be specified directly to set a value without using a secret.
  24487. type: string
  24488. type: object
  24489. serverURL:
  24490. description: |-
24491. ServerURL is the URL of your Secret Server installation
  24493. type: string
  24494. username:
  24495. description: Username is the secret server account username.
  24496. properties:
  24497. secretRef:
  24498. description: SecretRef references a key in a secret that will be used as value.
  24499. properties:
  24500. key:
  24501. description: |-
  24502. A key in the referenced Secret.
  24503. Some instances of this field may be defaulted, in others it may be required.
  24504. maxLength: 253
  24505. minLength: 1
  24506. pattern: ^[-._a-zA-Z0-9]+$
  24507. type: string
  24508. name:
  24509. description: The name of the Secret resource being referred to.
  24510. maxLength: 253
  24511. minLength: 1
  24512. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24513. type: string
  24514. namespace:
  24515. description: |-
  24516. The namespace of the Secret resource being referred to.
  24517. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24518. maxLength: 63
  24519. minLength: 1
  24520. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24521. type: string
  24522. type: object
  24523. value:
  24524. description: Value can be specified directly to set a value without using a secret.
  24525. type: string
  24526. type: object
  24527. required:
  24528. - password
  24529. - serverURL
  24530. - username
  24531. type: object
  24532. senhasegura:
24533. description: Senhasegura configures this store to sync secrets using the senhasegura provider
  24534. properties:
  24535. auth:
24536. description: Auth defines the parameters used to authenticate with senhasegura
  24537. properties:
  24538. clientId:
  24539. type: string
  24540. clientSecretSecretRef:
  24541. description: |-
  24542. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  24543. In some instances, `key` is a required field.
  24544. properties:
  24545. key:
  24546. description: |-
  24547. A key in the referenced Secret.
  24548. Some instances of this field may be defaulted, in others it may be required.
  24549. maxLength: 253
  24550. minLength: 1
  24551. pattern: ^[-._a-zA-Z0-9]+$
  24552. type: string
  24553. name:
  24554. description: The name of the Secret resource being referred to.
  24555. maxLength: 253
  24556. minLength: 1
  24557. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24558. type: string
  24559. namespace:
  24560. description: |-
  24561. The namespace of the Secret resource being referred to.
  24562. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24563. maxLength: 63
  24564. minLength: 1
  24565. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24566. type: string
  24567. type: object
  24568. required:
  24569. - clientId
  24570. - clientSecretSecretRef
  24571. type: object
  24572. ignoreSslCertificate:
  24573. default: false
24574. description: IgnoreSslCertificate defines whether the senhasegura server's SSL certificate is ignored (not verified)
  24575. type: boolean
  24576. module:
  24577. description: Module defines which senhasegura module should be used to get secrets
  24578. type: string
  24579. url:
24580. description: URL of the senhasegura server
  24581. type: string
  24582. required:
  24583. - auth
  24584. - module
  24585. - url
  24586. type: object
  24587. vault:
  24588. description: Vault configures this store to sync secrets using the HashiCorp Vault provider.
  24589. properties:
  24590. auth:
  24591. description: Auth configures how secret-manager authenticates with the Vault server.
  24592. properties:
  24593. appRole:
  24594. description: |-
  24595. AppRole authenticates with Vault using the App Role auth mechanism,
  24596. with the role and secret stored in a Kubernetes Secret resource.
  24597. properties:
  24598. path:
  24599. default: approle
  24600. description: |-
  24601. Path where the App Role authentication backend is mounted
  24602. in Vault, e.g: "approle"
  24603. type: string
  24604. roleId:
  24605. description: |-
  24606. RoleID configured in the App Role authentication backend when setting
  24607. up the authentication backend in Vault.
  24608. type: string
  24609. roleRef:
  24610. description: |-
  24611. Reference to a key in a Secret that contains the App Role ID used
  24612. to authenticate with Vault.
  24613. The `key` field must be specified and denotes which entry within the Secret
  24614. resource is used as the app role id.
  24615. properties:
  24616. key:
  24617. description: |-
  24618. A key in the referenced Secret.
  24619. Some instances of this field may be defaulted, in others it may be required.
  24620. maxLength: 253
  24621. minLength: 1
  24622. pattern: ^[-._a-zA-Z0-9]+$
  24623. type: string
  24624. name:
  24625. description: The name of the Secret resource being referred to.
  24626. maxLength: 253
  24627. minLength: 1
  24628. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24629. type: string
  24630. namespace:
  24631. description: |-
  24632. The namespace of the Secret resource being referred to.
  24633. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24634. maxLength: 63
  24635. minLength: 1
  24636. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24637. type: string
  24638. type: object
  24639. secretRef:
  24640. description: |-
  24641. Reference to a key in a Secret that contains the App Role secret used
  24642. to authenticate with Vault.
  24643. The `key` field must be specified and denotes which entry within the Secret
  24644. resource is used as the app role secret.
  24645. properties:
  24646. key:
  24647. description: |-
  24648. A key in the referenced Secret.
  24649. Some instances of this field may be defaulted, in others it may be required.
  24650. maxLength: 253
  24651. minLength: 1
  24652. pattern: ^[-._a-zA-Z0-9]+$
  24653. type: string
  24654. name:
  24655. description: The name of the Secret resource being referred to.
  24656. maxLength: 253
  24657. minLength: 1
  24658. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24659. type: string
  24660. namespace:
  24661. description: |-
  24662. The namespace of the Secret resource being referred to.
  24663. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24664. maxLength: 63
  24665. minLength: 1
  24666. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24667. type: string
  24668. type: object
  24669. required:
  24670. - path
  24671. - secretRef
  24672. type: object
  24673. cert:
  24674. description: |-
24675. Cert authenticates with Vault using the Cert authentication method,
24676. by passing a client certificate, private key and CA certificate
  24677. properties:
  24678. clientCert:
  24679. description: |-
  24680. ClientCert is a certificate to authenticate using the Cert Vault
  24681. authentication method
  24682. properties:
  24683. key:
  24684. description: |-
  24685. A key in the referenced Secret.
  24686. Some instances of this field may be defaulted, in others it may be required.
  24687. maxLength: 253
  24688. minLength: 1
  24689. pattern: ^[-._a-zA-Z0-9]+$
  24690. type: string
  24691. name:
  24692. description: The name of the Secret resource being referred to.
  24693. maxLength: 253
  24694. minLength: 1
  24695. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24696. type: string
  24697. namespace:
  24698. description: |-
  24699. The namespace of the Secret resource being referred to.
  24700. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24701. maxLength: 63
  24702. minLength: 1
  24703. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24704. type: string
  24705. type: object
  24706. secretRef:
  24707. description: |-
  24708. SecretRef to a key in a Secret resource containing client private key to
  24709. authenticate with Vault using the Cert authentication method
  24710. properties:
  24711. key:
  24712. description: |-
  24713. A key in the referenced Secret.
  24714. Some instances of this field may be defaulted, in others it may be required.
  24715. maxLength: 253
  24716. minLength: 1
  24717. pattern: ^[-._a-zA-Z0-9]+$
  24718. type: string
  24719. name:
  24720. description: The name of the Secret resource being referred to.
  24721. maxLength: 253
  24722. minLength: 1
  24723. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24724. type: string
  24725. namespace:
  24726. description: |-
  24727. The namespace of the Secret resource being referred to.
  24728. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24729. maxLength: 63
  24730. minLength: 1
  24731. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24732. type: string
  24733. type: object
  24734. type: object
  24735. iam:
  24736. description: |-
24737. Iam authenticates with Vault using the AWS IAM authentication method,
24738. by passing a special AWS request signed with AWS IAM credentials
  24739. properties:
  24740. externalID:
  24741. description: AWS External ID set on assumed IAM roles
  24742. type: string
  24743. jwt:
  24744. description: Specify a service account with IRSA enabled
  24745. properties:
  24746. serviceAccountRef:
  24747. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  24748. properties:
  24749. audiences:
  24750. description: |-
24751. Audiences specifies the `aud` claim for the service account token.
24752. If the service account uses a well-known annotation, e.g. for IRSA or GCP Workload Identity,
24753. then these audiences will be appended to the list.
  24754. items:
  24755. type: string
  24756. type: array
  24757. name:
  24758. description: The name of the ServiceAccount resource being referred to.
  24759. maxLength: 253
  24760. minLength: 1
  24761. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24762. type: string
  24763. namespace:
  24764. description: |-
  24765. Namespace of the resource being referred to.
  24766. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24767. maxLength: 63
  24768. minLength: 1
  24769. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24770. type: string
  24771. required:
  24772. - name
  24773. type: object
  24774. type: object
  24775. path:
  24776. description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
  24777. type: string
  24778. region:
  24779. description: AWS region
  24780. type: string
  24781. role:
24782. description: Role is the AWS role to assume before talking to Vault
  24783. type: string
  24784. secretRef:
  24785. description: Specify credentials in a Secret object
  24786. properties:
  24787. accessKeyIDSecretRef:
  24788. description: The AccessKeyID is used for authentication
  24789. properties:
  24790. key:
  24791. description: |-
  24792. A key in the referenced Secret.
  24793. Some instances of this field may be defaulted, in others it may be required.
  24794. maxLength: 253
  24795. minLength: 1
  24796. pattern: ^[-._a-zA-Z0-9]+$
  24797. type: string
  24798. name:
  24799. description: The name of the Secret resource being referred to.
  24800. maxLength: 253
  24801. minLength: 1
  24802. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24803. type: string
  24804. namespace:
  24805. description: |-
  24806. The namespace of the Secret resource being referred to.
  24807. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24808. maxLength: 63
  24809. minLength: 1
  24810. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24811. type: string
  24812. type: object
  24813. secretAccessKeySecretRef:
  24814. description: The SecretAccessKey is used for authentication
  24815. properties:
  24816. key:
  24817. description: |-
  24818. A key in the referenced Secret.
  24819. Some instances of this field may be defaulted, in others it may be required.
  24820. maxLength: 253
  24821. minLength: 1
  24822. pattern: ^[-._a-zA-Z0-9]+$
  24823. type: string
  24824. name:
  24825. description: The name of the Secret resource being referred to.
  24826. maxLength: 253
  24827. minLength: 1
  24828. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24829. type: string
  24830. namespace:
  24831. description: |-
  24832. The namespace of the Secret resource being referred to.
  24833. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24834. maxLength: 63
  24835. minLength: 1
  24836. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24837. type: string
  24838. type: object
  24839. sessionTokenSecretRef:
  24840. description: |-
  24841. The SessionToken used for authentication
  24842. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  24843. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  24844. properties:
  24845. key:
  24846. description: |-
  24847. A key in the referenced Secret.
  24848. Some instances of this field may be defaulted, in others it may be required.
  24849. maxLength: 253
  24850. minLength: 1
  24851. pattern: ^[-._a-zA-Z0-9]+$
  24852. type: string
  24853. name:
  24854. description: The name of the Secret resource being referred to.
  24855. maxLength: 253
  24856. minLength: 1
  24857. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24858. type: string
  24859. namespace:
  24860. description: |-
  24861. The namespace of the Secret resource being referred to.
  24862. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24863. maxLength: 63
  24864. minLength: 1
  24865. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24866. type: string
  24867. type: object
  24868. type: object
  24869. vaultAwsIamServerID:
24870. description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by the Vault IAM auth method to mitigate different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
  24871. type: string
  24872. vaultRole:
24873. description: Vault Role. In Vault, a role describes an identity with a set of permissions, groups, or policies you want to attach to a user of the secrets engine
  24874. type: string
  24875. required:
  24876. - vaultRole
  24877. type: object
  24878. jwt:
  24879. description: |-
  24880. Jwt authenticates with Vault by passing role and JWT token using the
  24881. JWT/OIDC authentication method
  24882. properties:
  24883. kubernetesServiceAccountToken:
  24884. description: |-
24885. Optional ServiceAccountToken specifies the Kubernetes service account for which to request
24886. a token with the `TokenRequest` API.
  24887. properties:
  24888. audiences:
  24889. description: |-
  24890. Optional audiences field that will be used to request a temporary Kubernetes service
  24891. account token for the service account referenced by `serviceAccountRef`.
24892. Defaults to a single audience `vault` if not specified.
  24893. Deprecated: use serviceAccountRef.Audiences instead
  24894. items:
  24895. type: string
  24896. type: array
  24897. expirationSeconds:
  24898. description: |-
  24899. Optional expiration time in seconds that will be used to request a temporary
  24900. Kubernetes service account token for the service account referenced by
  24901. `serviceAccountRef`.
  24902. Deprecated: this will be removed in the future.
  24903. Defaults to 10 minutes.
  24904. format: int64
  24905. type: integer
  24906. serviceAccountRef:
  24907. description: Service account field containing the name of a kubernetes ServiceAccount.
  24908. properties:
  24909. audiences:
  24910. description: |-
24911. Audiences specifies the `aud` claim for the service account token.
24912. If the service account uses a well-known annotation, e.g. for IRSA or GCP Workload Identity,
24913. then these audiences will be appended to the list.
  24914. items:
  24915. type: string
  24916. type: array
  24917. name:
  24918. description: The name of the ServiceAccount resource being referred to.
  24919. maxLength: 253
  24920. minLength: 1
  24921. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24922. type: string
  24923. namespace:
  24924. description: |-
  24925. Namespace of the resource being referred to.
  24926. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24927. maxLength: 63
  24928. minLength: 1
  24929. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24930. type: string
  24931. required:
  24932. - name
  24933. type: object
  24934. required:
  24935. - serviceAccountRef
  24936. type: object
  24937. path:
  24938. default: jwt
  24939. description: |-
  24940. Path where the JWT authentication backend is mounted
  24941. in Vault, e.g: "jwt"
  24942. type: string
  24943. role:
  24944. description: |-
  24945. Role is a JWT role to authenticate using the JWT/OIDC Vault
  24946. authentication method
  24947. type: string
  24948. secretRef:
  24949. description: |-
  24950. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  24951. authenticate with Vault using the JWT/OIDC authentication method.
  24952. properties:
  24953. key:
  24954. description: |-
  24955. A key in the referenced Secret.
  24956. Some instances of this field may be defaulted, in others it may be required.
  24957. maxLength: 253
  24958. minLength: 1
  24959. pattern: ^[-._a-zA-Z0-9]+$
  24960. type: string
  24961. name:
  24962. description: The name of the Secret resource being referred to.
  24963. maxLength: 253
  24964. minLength: 1
  24965. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24966. type: string
  24967. namespace:
  24968. description: |-
  24969. The namespace of the Secret resource being referred to.
  24970. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24971. maxLength: 63
  24972. minLength: 1
  24973. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24974. type: string
  24975. type: object
  24976. required:
  24977. - path
  24978. type: object
  24979. kubernetes:
  24980. description: |-
  24981. Kubernetes authenticates with Vault by passing the ServiceAccount
  24982. token stored in the named Secret resource to the Vault server.
  24983. properties:
  24984. mountPath:
  24985. default: kubernetes
  24986. description: |-
  24987. Path where the Kubernetes authentication backend is mounted in Vault, e.g:
  24988. "kubernetes"
  24989. type: string
  24990. role:
  24991. description: |-
  24992. A required field containing the Vault Role to assume. A Role binds a
  24993. Kubernetes ServiceAccount with a set of Vault policies.
  24994. type: string
  24995. secretRef:
  24996. description: |-
  24997. Optional secret field containing a Kubernetes ServiceAccount JWT used
  24998. for authenticating with Vault. If a name is specified without a key,
  24999. `token` is the default. If one is not specified, the one bound to
  25000. the controller will be used.
  25001. properties:
  25002. key:
  25003. description: |-
  25004. A key in the referenced Secret.
  25005. Some instances of this field may be defaulted, in others it may be required.
  25006. maxLength: 253
  25007. minLength: 1
  25008. pattern: ^[-._a-zA-Z0-9]+$
  25009. type: string
  25010. name:
  25011. description: The name of the Secret resource being referred to.
  25012. maxLength: 253
  25013. minLength: 1
  25014. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25015. type: string
  25016. namespace:
  25017. description: |-
  25018. The namespace of the Secret resource being referred to.
  25019. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25020. maxLength: 63
  25021. minLength: 1
  25022. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25023. type: string
  25024. type: object
  25025. serviceAccountRef:
  25026. description: |-
  25027. Optional service account field containing the name of a kubernetes ServiceAccount.
  25028. If the service account is specified, the service account secret token JWT will be used
  25029. for authenticating with Vault. If the service account selector is not supplied,
  25030. the secretRef will be used instead.
  25031. properties:
  25032. audiences:
  25033. description: |-
25034. Audiences specifies the `aud` claim for the service account token.
25035. If the service account uses a well-known annotation, e.g. for IRSA or GCP Workload Identity,
25036. then these audiences will be appended to the list.
  25037. items:
  25038. type: string
  25039. type: array
  25040. name:
  25041. description: The name of the ServiceAccount resource being referred to.
  25042. maxLength: 253
  25043. minLength: 1
  25044. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25045. type: string
  25046. namespace:
  25047. description: |-
  25048. Namespace of the resource being referred to.
  25049. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25050. maxLength: 63
  25051. minLength: 1
  25052. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25053. type: string
  25054. required:
  25055. - name
  25056. type: object
  25057. required:
  25058. - mountPath
  25059. - role
  25060. type: object
  25061. ldap:
  25062. description: |-
25063. Ldap authenticates with Vault by passing a username/password pair using
  25064. the LDAP authentication method
  25065. properties:
  25066. path:
  25067. default: ldap
  25068. description: |-
  25069. Path where the LDAP authentication backend is mounted
  25070. in Vault, e.g: "ldap"
  25071. type: string
  25072. secretRef:
  25073. description: |-
  25074. SecretRef to a key in a Secret resource containing password for the LDAP
  25075. user used to authenticate with Vault using the LDAP authentication
  25076. method
  25077. properties:
  25078. key:
  25079. description: |-
  25080. A key in the referenced Secret.
  25081. Some instances of this field may be defaulted, in others it may be required.
  25082. maxLength: 253
  25083. minLength: 1
  25084. pattern: ^[-._a-zA-Z0-9]+$
  25085. type: string
  25086. name:
  25087. description: The name of the Secret resource being referred to.
  25088. maxLength: 253
  25089. minLength: 1
  25090. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25091. type: string
  25092. namespace:
  25093. description: |-
  25094. The namespace of the Secret resource being referred to.
  25095. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25096. maxLength: 63
  25097. minLength: 1
  25098. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25099. type: string
  25100. type: object
  25101. username:
  25102. description: |-
  25103. Username is an LDAP username used to authenticate using the LDAP Vault
  25104. authentication method
  25105. type: string
  25106. required:
  25107. - path
  25108. - username
  25109. type: object
  25110. namespace:
  25111. description: |-
25112. Name of the Vault namespace to authenticate to. This can be different from the namespace your secret is in.
25113. Namespaces are a set of features within Vault Enterprise that allow
25114. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
25115. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
25116. This defaults to the Vault.Namespace field if set, or empty otherwise
  25117. type: string
  25118. tokenSecretRef:
  25119. description: TokenSecretRef authenticates with Vault by presenting a token.
  25120. properties:
  25121. key:
  25122. description: |-
  25123. A key in the referenced Secret.
  25124. Some instances of this field may be defaulted, in others it may be required.
  25125. maxLength: 253
  25126. minLength: 1
  25127. pattern: ^[-._a-zA-Z0-9]+$
  25128. type: string
  25129. name:
  25130. description: The name of the Secret resource being referred to.
  25131. maxLength: 253
  25132. minLength: 1
  25133. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25134. type: string
  25135. namespace:
  25136. description: |-
  25137. The namespace of the Secret resource being referred to.
  25138. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25139. maxLength: 63
  25140. minLength: 1
  25141. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25142. type: string
  25143. type: object
  25144. userPass:
25145. description: UserPass authenticates with Vault by passing a username/password pair
  25146. properties:
  25147. path:
  25148. default: userpass
  25149. description: |-
  25150. Path where the UserPassword authentication backend is mounted
  25151. in Vault, e.g: "userpass"
  25152. type: string
  25153. secretRef:
  25154. description: |-
  25155. SecretRef to a key in a Secret resource containing password for the
  25156. user used to authenticate with Vault using the UserPass authentication
  25157. method
  25158. properties:
  25159. key:
  25160. description: |-
  25161. A key in the referenced Secret.
  25162. Some instances of this field may be defaulted, in others it may be required.
  25163. maxLength: 253
  25164. minLength: 1
  25165. pattern: ^[-._a-zA-Z0-9]+$
  25166. type: string
  25167. name:
  25168. description: The name of the Secret resource being referred to.
  25169. maxLength: 253
  25170. minLength: 1
  25171. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25172. type: string
  25173. namespace:
  25174. description: |-
  25175. The namespace of the Secret resource being referred to.
  25176. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25177. maxLength: 63
  25178. minLength: 1
  25179. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25180. type: string
  25181. type: object
  25182. username:
  25183. description: |-
  25184. Username is a username used to authenticate using the UserPass Vault
  25185. authentication method
  25186. type: string
  25187. required:
  25188. - path
  25189. - username
  25190. type: object
  25191. type: object
  25192. caBundle:
  25193. description: |-
  25194. PEM encoded CA bundle used to validate Vault server certificate. Only used
  25195. if the Server URL is using HTTPS protocol. This parameter is ignored for
  25196. plain HTTP protocol connection. If not set the system root certificates
  25197. are used to validate the TLS connection.
  25198. format: byte
  25199. type: string
  25200. caProvider:
25201. description: The provider of the CA bundle used to validate the Vault server certificate.
  25202. properties:
  25203. key:
  25204. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  25205. maxLength: 253
  25206. minLength: 1
  25207. pattern: ^[-._a-zA-Z0-9]+$
  25208. type: string
  25209. name:
  25210. description: The name of the object located at the provider type.
  25211. maxLength: 253
  25212. minLength: 1
  25213. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25214. type: string
  25215. namespace:
  25216. description: |-
  25217. The namespace the Provider type is in.
  25218. Can only be defined when used in a ClusterSecretStore.
  25219. maxLength: 63
  25220. minLength: 1
  25221. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25222. type: string
  25223. type:
  25224. description: The type of provider to use such as "Secret", or "ConfigMap".
  25225. enum:
  25226. - Secret
  25227. - ConfigMap
  25228. type: string
  25229. required:
  25230. - name
  25231. - type
  25232. type: object
  25233. forwardInconsistent:
  25234. description: |-
  25235. ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
  25236. leader instead of simply retrying within a loop. This can increase performance if
  25237. the option is enabled serverside.
  25238. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  25239. type: boolean
  25240. headers:
  25241. additionalProperties:
  25242. type: string
  25243. description: Headers to be added in Vault request
  25244. type: object
  25245. namespace:
  25246. description: |-
  25247. Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
  25248. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  25249. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  25250. type: string
  25251. path:
  25252. description: |-
  25253. Path is the mount path of the Vault KV backend endpoint, e.g:
  25254. "secret". The v2 KV secret engine version specific "/data" path suffix
  25255. for fetching secrets from Vault is optional and will be appended
  25256. if not present in specified path.
  25257. type: string
  25258. readYourWrites:
  25259. description: |-
  25260. ReadYourWrites ensures isolated read-after-write semantics by
  25261. providing discovered cluster replication states in each request.
  25262. More information about eventual consistency in Vault can be found here
  25263. https://www.vaultproject.io/docs/enterprise/consistency
  25264. type: boolean
  25265. server:
  25266. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  25267. type: string
  25268. tls:
  25269. description: |-
  25270. The configuration used for client side related TLS communication, when the Vault server
  25271. requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
  25272. This parameter is ignored for plain HTTP protocol connection.
  25273. It's worth noting this configuration is different from the "TLS certificates auth method",
  25274. which is available under the `auth.cert` section.
  25275. properties:
  25276. certSecretRef:
  25277. description: |-
  25278. CertSecretRef is a certificate added to the transport layer
  25279. when communicating with the Vault server.
  25280. If no key for the Secret is specified, external-secret will default to 'tls.crt'.
  25281. properties:
  25282. key:
  25283. description: |-
  25284. A key in the referenced Secret.
  25285. Some instances of this field may be defaulted, in others it may be required.
  25286. maxLength: 253
  25287. minLength: 1
  25288. pattern: ^[-._a-zA-Z0-9]+$
  25289. type: string
  25290. name:
  25291. description: The name of the Secret resource being referred to.
  25292. maxLength: 253
  25293. minLength: 1
  25294. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25295. type: string
  25296. namespace:
  25297. description: |-
  25298. The namespace of the Secret resource being referred to.
  25299. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25300. maxLength: 63
  25301. minLength: 1
  25302. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25303. type: string
  25304. type: object
  25305. keySecretRef:
  25306. description: |-
  25307. KeySecretRef to a key in a Secret resource containing client private key
  25308. added to the transport layer when communicating with the Vault server.
  25309. If no key for the Secret is specified, external-secret will default to 'tls.key'.
  25310. properties:
  25311. key:
  25312. description: |-
  25313. A key in the referenced Secret.
  25314. Some instances of this field may be defaulted, in others it may be required.
  25315. maxLength: 253
  25316. minLength: 1
  25317. pattern: ^[-._a-zA-Z0-9]+$
  25318. type: string
  25319. name:
  25320. description: The name of the Secret resource being referred to.
  25321. maxLength: 253
  25322. minLength: 1
  25323. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25324. type: string
  25325. namespace:
  25326. description: |-
  25327. The namespace of the Secret resource being referred to.
  25328. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25329. maxLength: 63
  25330. minLength: 1
  25331. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25332. type: string
  25333. type: object
  25334. type: object
  25335. version:
  25336. default: v2
  25337. description: |-
  25338. Version is the Vault KV secret engine version. This can be either "v1" or
  25339. "v2". Version defaults to "v2".
  25340. enum:
  25341. - v1
  25342. - v2
  25343. type: string
  25344. required:
  25345. - server
  25346. type: object
  25347. webhook:
  25348. description: Webhook configures this store to sync secrets using a generic templated webhook
  25349. properties:
  25350. auth:
  25351. description: Auth specifies an authorization protocol. Only one protocol may be set.
  25352. maxProperties: 1
  25353. minProperties: 1
  25354. properties:
  25355. ntlm:
  25356. description: NTLMProtocol configures the store to use NTLM for auth
  25357. properties:
  25358. passwordSecret:
  25359. description: |-
  25360. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  25361. In some instances, `key` is a required field.
  25362. properties:
  25363. key:
  25364. description: |-
  25365. A key in the referenced Secret.
  25366. Some instances of this field may be defaulted, in others it may be required.
  25367. maxLength: 253
  25368. minLength: 1
  25369. pattern: ^[-._a-zA-Z0-9]+$
  25370. type: string
  25371. name:
  25372. description: The name of the Secret resource being referred to.
  25373. maxLength: 253
  25374. minLength: 1
  25375. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25376. type: string
  25377. namespace:
  25378. description: |-
  25379. The namespace of the Secret resource being referred to.
  25380. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25381. maxLength: 63
  25382. minLength: 1
  25383. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25384. type: string
  25385. type: object
  25386. usernameSecret:
  25387. description: |-
  25388. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  25389. In some instances, `key` is a required field.
  25390. properties:
  25391. key:
  25392. description: |-
  25393. A key in the referenced Secret.
  25394. Some instances of this field may be defaulted, in others it may be required.
  25395. maxLength: 253
  25396. minLength: 1
  25397. pattern: ^[-._a-zA-Z0-9]+$
  25398. type: string
  25399. name:
  25400. description: The name of the Secret resource being referred to.
  25401. maxLength: 253
  25402. minLength: 1
  25403. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25404. type: string
  25405. namespace:
  25406. description: |-
  25407. The namespace of the Secret resource being referred to.
  25408. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25409. maxLength: 63
  25410. minLength: 1
  25411. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25412. type: string
  25413. type: object
  25414. required:
  25415. - passwordSecret
  25416. - usernameSecret
  25417. type: object
  25418. type: object
  25419. body:
  25420. description: Body
  25421. type: string
  25422. caBundle:
  25423. description: |-
  25424. PEM encoded CA bundle used to validate webhook server certificate. Only used
  25425. if the Server URL is using HTTPS protocol. This parameter is ignored for
  25426. plain HTTP protocol connection. If not set the system root certificates
  25427. are used to validate the TLS connection.
  25428. format: byte
  25429. type: string
  25430. caProvider:
  25431. description: The provider for the CA bundle to use to validate webhook server certificate.
  25432. properties:
  25433. key:
  25434. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  25435. maxLength: 253
  25436. minLength: 1
  25437. pattern: ^[-._a-zA-Z0-9]+$
  25438. type: string
  25439. name:
  25440. description: The name of the object located at the provider type.
  25441. maxLength: 253
  25442. minLength: 1
  25443. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25444. type: string
  25445. namespace:
  25446. description: The namespace the Provider type is in.
  25447. maxLength: 63
  25448. minLength: 1
  25449. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25450. type: string
  25451. type:
  25452. description: The type of provider to use such as "Secret", or "ConfigMap".
  25453. enum:
  25454. - Secret
  25455. - ConfigMap
  25456. type: string
  25457. required:
  25458. - name
  25459. - type
  25460. type: object
  25461. headers:
  25462. additionalProperties:
  25463. type: string
  25464. description: Headers
  25465. type: object
  25466. method:
  25467. description: Webhook Method
  25468. type: string
  25469. result:
  25470. description: Result formatting
  25471. properties:
  25472. jsonPath:
  25473. description: Json path of return value
  25474. type: string
  25475. type: object
  25476. secrets:
  25477. description: |-
  25478. Secrets to fill in templates
  25479. These secrets will be passed to the templating function as key value pairs under the given name
  25480. items:
  25481. description: WebhookSecret defines a secret to be used in webhook templates.
  25482. properties:
  25483. name:
  25484. description: Name of this secret in templates
  25485. type: string
  25486. secretRef:
  25487. description: Secret ref to fill in credentials
  25488. properties:
  25489. key:
  25490. description: |-
  25491. A key in the referenced Secret.
  25492. Some instances of this field may be defaulted, in others it may be required.
  25493. maxLength: 253
  25494. minLength: 1
  25495. pattern: ^[-._a-zA-Z0-9]+$
  25496. type: string
  25497. name:
  25498. description: The name of the Secret resource being referred to.
  25499. maxLength: 253
  25500. minLength: 1
  25501. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25502. type: string
  25503. namespace:
  25504. description: |-
  25505. The namespace of the Secret resource being referred to.
  25506. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25507. maxLength: 63
  25508. minLength: 1
  25509. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25510. type: string
  25511. type: object
  25512. required:
  25513. - name
  25514. - secretRef
  25515. type: object
  25516. type: array
  25517. timeout:
  25518. description: Timeout
  25519. type: string
  25520. url:
  25521. description: Webhook url to call
  25522. type: string
  25523. required:
  25524. - result
  25525. - url
  25526. type: object
  25527. yandexcertificatemanager:
  25528. description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider
  25529. properties:
  25530. apiEndpoint:
  25531. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  25532. type: string
  25533. auth:
  25534. description: Auth defines the information necessary to authenticate against Yandex Certificate Manager
  25535. properties:
  25536. authorizedKeySecretRef:
  25537. description: The authorized key used for authentication
  25538. properties:
  25539. key:
  25540. description: |-
  25541. A key in the referenced Secret.
  25542. Some instances of this field may be defaulted, in others it may be required.
  25543. maxLength: 253
  25544. minLength: 1
  25545. pattern: ^[-._a-zA-Z0-9]+$
  25546. type: string
  25547. name:
  25548. description: The name of the Secret resource being referred to.
  25549. maxLength: 253
  25550. minLength: 1
  25551. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25552. type: string
  25553. namespace:
  25554. description: |-
  25555. The namespace of the Secret resource being referred to.
  25556. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25557. maxLength: 63
  25558. minLength: 1
  25559. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25560. type: string
  25561. type: object
  25562. type: object
  25563. caProvider:
  25564. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  25565. properties:
  25566. certSecretRef:
  25567. description: |-
  25568. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  25569. In some instances, `key` is a required field.
  25570. properties:
  25571. key:
  25572. description: |-
  25573. A key in the referenced Secret.
  25574. Some instances of this field may be defaulted, in others it may be required.
  25575. maxLength: 253
  25576. minLength: 1
  25577. pattern: ^[-._a-zA-Z0-9]+$
  25578. type: string
  25579. name:
  25580. description: The name of the Secret resource being referred to.
  25581. maxLength: 253
  25582. minLength: 1
  25583. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25584. type: string
  25585. namespace:
  25586. description: |-
  25587. The namespace of the Secret resource being referred to.
  25588. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25589. maxLength: 63
  25590. minLength: 1
  25591. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25592. type: string
  25593. type: object
  25594. type: object
  25595. required:
  25596. - auth
  25597. type: object
  25598. yandexlockbox:
  25599. description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
  25600. properties:
  25601. apiEndpoint:
  25602. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  25603. type: string
  25604. auth:
  25605. description: Auth defines the information necessary to authenticate against Yandex Lockbox
  25606. properties:
  25607. authorizedKeySecretRef:
  25608. description: The authorized key used for authentication
  25609. properties:
  25610. key:
  25611. description: |-
  25612. A key in the referenced Secret.
  25613. Some instances of this field may be defaulted, in others it may be required.
  25614. maxLength: 253
  25615. minLength: 1
  25616. pattern: ^[-._a-zA-Z0-9]+$
  25617. type: string
  25618. name:
  25619. description: The name of the Secret resource being referred to.
  25620. maxLength: 253
  25621. minLength: 1
  25622. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25623. type: string
  25624. namespace:
  25625. description: |-
  25626. The namespace of the Secret resource being referred to.
  25627. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25628. maxLength: 63
  25629. minLength: 1
  25630. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25631. type: string
  25632. type: object
  25633. type: object
  25634. caProvider:
  25635. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  25636. properties:
  25637. certSecretRef:
  25638. description: |-
  25639. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  25640. In some instances, `key` is a required field.
  25641. properties:
  25642. key:
  25643. description: |-
  25644. A key in the referenced Secret.
  25645. Some instances of this field may be defaulted, in others it may be required.
  25646. maxLength: 253
  25647. minLength: 1
  25648. pattern: ^[-._a-zA-Z0-9]+$
  25649. type: string
  25650. name:
  25651. description: The name of the Secret resource being referred to.
  25652. maxLength: 253
  25653. minLength: 1
  25654. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25655. type: string
  25656. namespace:
  25657. description: |-
  25658. The namespace of the Secret resource being referred to.
  25659. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25660. maxLength: 63
  25661. minLength: 1
  25662. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25663. type: string
  25664. type: object
  25665. type: object
  25666. required:
  25667. - auth
  25668. type: object
  25669. type: object
  25670. refreshInterval:
  25671. description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config.
  25672. type: integer
  25673. retrySettings:
  25674. description: Used to configure HTTP retries on failures.
  25675. properties:
  25676. maxRetries:
  25677. description: MaxRetries is the maximum number of retry attempts.
  25678. format: int32
  25679. type: integer
  25680. retryInterval:
  25681. description: RetryInterval is the interval between retry attempts.
  25682. type: string
  25683. type: object
  25684. required:
  25685. - provider
  25686. type: object
  25687. status:
  25688. description: SecretStoreStatus defines the observed state of the SecretStore.
  25689. properties:
  25690. capabilities:
  25691. description: SecretStoreCapabilities defines the possible operations a SecretStore can do.
  25692. type: string
  25693. conditions:
  25694. items:
  25695. description: SecretStoreStatusCondition defines the observed condition of the SecretStore.
  25696. properties:
  25697. lastTransitionTime:
  25698. format: date-time
  25699. type: string
  25700. message:
  25701. type: string
  25702. reason:
  25703. type: string
  25704. status:
  25705. type: string
  25706. type:
  25707. description: SecretStoreConditionType represents the condition type of the SecretStore.
  25708. type: string
  25709. required:
  25710. - status
  25711. - type
  25712. type: object
  25713. type: array
  25714. type: object
  25715. type: object
  25716. served: false
  25717. storage: false
  25718. subresources:
  25719. status: {}
  25720. ---
  25721. apiVersion: apiextensions.k8s.io/v1
  25722. kind: CustomResourceDefinition
  25723. metadata:
  25724. annotations:
  25725. controller-gen.kubebuilder.io/version: v0.19.0
  25726. labels:
  25727. external-secrets.io/component: controller
  25728. name: acraccesstokens.generators.external-secrets.io
  25729. spec:
  25730. group: generators.external-secrets.io
  25731. names:
  25732. categories:
  25733. - external-secrets
  25734. - external-secrets-generators
  25735. kind: ACRAccessToken
  25736. listKind: ACRAccessTokenList
  25737. plural: acraccesstokens
  25738. singular: acraccesstoken
  25739. scope: Namespaced
  25740. versions:
  25741. - name: v1alpha1
  25742. schema:
  25743. openAPIV3Schema:
  25744. description: |-
  25745. ACRAccessToken returns an Azure Container Registry token
  25746. that can be used for pushing/pulling images.
  25747. Note: by default it will return an ACR Refresh Token with full access
  25748. (depending on the identity).
  25749. This can be scoped down to the repository level using .spec.scope.
  25750. In case scope is defined it will return an ACR Access Token.
  25751. See docs: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md
  25752. properties:
  25753. apiVersion:
  25754. description: |-
  25755. APIVersion defines the versioned schema of this representation of an object.
  25756. Servers should convert recognized schemas to the latest internal value, and
  25757. may reject unrecognized values.
  25758. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  25759. type: string
  25760. kind:
  25761. description: |-
  25762. Kind is a string value representing the REST resource this object represents.
  25763. Servers may infer this from the endpoint the client submits requests to.
  25764. Cannot be updated.
  25765. In CamelCase.
  25766. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  25767. type: string
  25768. metadata:
  25769. type: object
  25770. spec:
  25771. description: |-
  25772. ACRAccessTokenSpec defines how to generate the access token
  25773. e.g. how to authenticate and which registry to use.
  25774. see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview
  25775. properties:
  25776. auth:
  25777. description: ACRAuth defines the authentication methods for Azure Container Registry.
  25778. properties:
  25779. managedIdentity:
  25780. description: ManagedIdentity uses Azure Managed Identity to authenticate with Azure.
  25781. properties:
  25782. identityId:
  25783. description: If multiple Managed Identities are assigned to the pod, you can select the one to be used
  25784. type: string
  25785. type: object
  25786. servicePrincipal:
  25787. description: ServicePrincipal uses Azure Service Principal credentials to authenticate with Azure.
  25788. properties:
  25789. secretRef:
  25790. description: |-
  25791. AzureACRServicePrincipalAuthSecretRef defines the secret references for Azure Service Principal authentication.
  25792. It uses static credentials stored in a Kind=Secret.
  25793. properties:
  25794. clientId:
  25795. description: The Azure clientId of the service principal used for authentication.
  25796. properties:
  25797. key:
  25798. description: |-
  25799. A key in the referenced Secret.
  25800. Some instances of this field may be defaulted, in others it may be required.
  25801. maxLength: 253
  25802. minLength: 1
  25803. pattern: ^[-._a-zA-Z0-9]+$
  25804. type: string
  25805. name:
  25806. description: The name of the Secret resource being referred to.
  25807. maxLength: 253
  25808. minLength: 1
  25809. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25810. type: string
  25811. namespace:
  25812. description: |-
  25813. The namespace of the Secret resource being referred to.
  25814. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25815. maxLength: 63
  25816. minLength: 1
  25817. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25818. type: string
  25819. type: object
  25820. clientSecret:
  25821. description: The Azure ClientSecret of the service principal used for authentication.
  25822. properties:
  25823. key:
  25824. description: |-
  25825. A key in the referenced Secret.
  25826. Some instances of this field may be defaulted, in others it may be required.
  25827. maxLength: 253
  25828. minLength: 1
  25829. pattern: ^[-._a-zA-Z0-9]+$
  25830. type: string
  25831. name:
  25832. description: The name of the Secret resource being referred to.
  25833. maxLength: 253
  25834. minLength: 1
  25835. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25836. type: string
  25837. namespace:
  25838. description: |-
  25839. The namespace of the Secret resource being referred to.
  25840. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25841. maxLength: 63
  25842. minLength: 1
  25843. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25844. type: string
  25845. type: object
  25846. type: object
  25847. required:
  25848. - secretRef
  25849. type: object
  25850. workloadIdentity:
  25851. description: WorkloadIdentity uses Azure Workload Identity to authenticate with Azure.
  25852. properties:
  25853. serviceAccountRef:
  25854. description: |-
  25855. ServiceAccountRef specifies the service account
  25856. that should be used when authenticating with WorkloadIdentity.
  25857. properties:
  25858. audiences:
  25859. description: |-
  25860. Audiences specifies the `aud` claim for the service account token.
  25861. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity,
  25862. then these audiences will be appended to the list.
  25863. items:
  25864. type: string
  25865. type: array
  25866. name:
  25867. description: The name of the ServiceAccount resource being referred to.
  25868. maxLength: 253
  25869. minLength: 1
  25870. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25871. type: string
  25872. namespace:
  25873. description: |-
  25874. Namespace of the resource being referred to.
  25875. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25876. maxLength: 63
  25877. minLength: 1
  25878. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25879. type: string
  25880. required:
  25881. - name
  25882. type: object
  25883. type: object
  25884. type: object
  25885. environmentType:
  25886. default: PublicCloud
  25887. description: |-
  25888. EnvironmentType specifies the Azure cloud environment endpoints to use for
  25889. connecting and authenticating with Azure. By default, it points to the public cloud AAD endpoint.
  25890. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
  25891. PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
  25892. enum:
  25893. - PublicCloud
  25894. - USGovernmentCloud
  25895. - ChinaCloud
  25896. - GermanCloud
  25897. - AzureStackCloud
  25898. type: string
  25899. registry:
  25900. description: |-
  25901. the domain name of the ACR registry
  25902. e.g. foobarexample.azurecr.io
  25903. type: string
  25904. scope:
  25905. description: |-
  25906. Define the scope for the access token, e.g. pull/push access for a repository.
  25907. If not provided, it will return a refresh token that has full scope.
  25908. Note: you need to pin it down to the repository level; there is no wildcard available.
  25909. examples:
  25910. repository:my-repository:pull,push
  25911. repository:my-repository:pull
  25912. see docs for details: https://docs.docker.com/registry/spec/auth/scope/
  25913. type: string
  25914. tenantId:
  25915. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
  25916. type: string
  25917. required:
  25918. - auth
  25919. - registry
  25920. type: object
  25921. type: object
  25922. served: true
  25923. storage: true
  25924. subresources:
  25925. status: {}
  25926. ---
  25927. apiVersion: apiextensions.k8s.io/v1
  25928. kind: CustomResourceDefinition
  25929. metadata:
  25930. annotations:
  25931. controller-gen.kubebuilder.io/version: v0.19.0
  25932. labels:
  25933. external-secrets.io/component: controller
  25934. name: beyondtrustworkloadcredentialsdynamicsecrets.generators.external-secrets.io
  25935. spec:
  25936. group: generators.external-secrets.io
  25937. names:
  25938. categories:
  25939. - external-secrets
  25940. - external-secrets-generators
  25941. kind: BeyondtrustWorkloadCredentialsDynamicSecret
  25942. listKind: BeyondtrustWorkloadCredentialsDynamicSecretList
  25943. plural: beyondtrustworkloadcredentialsdynamicsecrets
  25944. singular: beyondtrustworkloadcredentialsdynamicsecret
  25945. scope: Namespaced
  25946. versions:
  25947. - name: v1alpha1
  25948. schema:
  25949. openAPIV3Schema:
  25950. description: |-
  25951. BeyondtrustWorkloadCredentialsDynamicSecret represents a generator that requests dynamic credentials from BeyondTrust Workload Credentials.
  25952. This generator calls the BeyondTrust Workload Credentials API to generate fresh, temporary credentials
  25953. (such as AWS STS credentials) each time an ExternalSecret is refreshed.
  25954. Dynamic secret definitions must be created in BeyondTrust Workload Credentials before they can be referenced.
  25955. For complete documentation, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
  25956. properties:
  25957. apiVersion:
  25958. description: |-
  25959. APIVersion defines the versioned schema of this representation of an object.
  25960. Servers should convert recognized schemas to the latest internal value, and
  25961. may reject unrecognized values.
  25962. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  25963. type: string
  25964. kind:
  25965. description: |-
  25966. Kind is a string value representing the REST resource this object represents.
  25967. Servers may infer this from the endpoint the client submits requests to.
  25968. Cannot be updated.
  25969. In CamelCase.
  25970. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  25971. type: string
  25972. metadata:
  25973. type: object
  25974. spec:
  25975. description: |-
  25976. BeyondtrustWorkloadCredentialsDynamicSecretSpec defines the desired spec for BeyondtrustWorkloadCredentials dynamic generator.
  25977. This generator enables obtaining temporary, short-lived credentials from BeyondTrust Workload Credentials.
  25978. For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
  25979. properties:
  25980. controller:
  25981. description: |-
  25982. Controller selects the controller that should handle this generator.
  25983. Leave empty to use the default controller.
  25984. type: string
  25985. provider:
  25986. description: |-
  25987. Provider contains the BeyondtrustWorkloadCredentials provider configuration including authentication,
  25988. server connection details, and the folder path to the dynamic secret definition.
  25989. The folderPath should point to a dynamic secret definition that has been created in
  25990. BeyondTrust Workload Credentials (e.g., "production/aws-temp").
  25991. For setup details, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
  25992. properties:
  25993. auth:
  25994. description: |-
  25995. Auth configures how the Operator authenticates with the BeyondTrust Workload Credentials API.
  25996. Currently supports API key authentication via Kubernetes secret reference.
  25997. For authentication setup, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#authentication
  25998. properties:
  25999. apikey:
  26000. description: |-
  26001. APIKey configures API token authentication for BeyondTrust Workload Credentials.
  26002. The token is retrieved from a Kubernetes secret and used as a Bearer token for API requests.
  26003. properties:
  26004. token:
  26005. description: |-
  26006. Token references the Kubernetes secret containing the BeyondTrust Workload Credentials API token.
  26007. The secret should contain the API key used to authenticate with BeyondTrust Workload Credentials.
  26008. Create an API token in your BeyondTrust Workload Credentials console and store it in a Kubernetes secret.
  26009. For details on creating API tokens, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#authentication
  26010. properties:
  26011. key:
  26012. description: |-
  26013. A key in the referenced Secret.
  26014. Some instances of this field may be defaulted, in others it may be required.
  26015. maxLength: 253
  26016. minLength: 1
  26017. pattern: ^[-._a-zA-Z0-9]+$
  26018. type: string
  26019. name:
  26020. description: The name of the Secret resource being referred to.
  26021. maxLength: 253
  26022. minLength: 1
  26023. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26024. type: string
  26025. namespace:
  26026. description: |-
  26027. The namespace of the Secret resource being referred to.
  26028. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26029. maxLength: 63
  26030. minLength: 1
  26031. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26032. type: string
  26033. type: object
  26034. required:
  26035. - token
  26036. type: object
  26037. required:
  26038. - apikey
  26039. type: object
  26040. caBundle:
  26041. description: |-
  26042. CABundle is a base64-encoded CA certificate used to validate the BeyondTrust Workload Credentials API TLS certificate.
  26043. Use this when your BeyondTrust instance uses a self-signed certificate or internal CA.
  26044. If not set, the system's trusted root certificates are used.
  26045. format: byte
  26046. type: string
  26047. caProvider:
  26048. description: |-
  26049. CAProvider points to a Secret or ConfigMap containing a PEM-encoded CA certificate.
  26050. This is used to validate the BeyondTrust Workload Credentials API TLS certificate.
  26051. Use this as an alternative to CABundle when you want to reference an existing Kubernetes resource.
  26052. properties:
  26053. key:
  26054. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  26055. maxLength: 253
  26056. minLength: 1
  26057. pattern: ^[-._a-zA-Z0-9]+$
  26058. type: string
  26059. name:
  26060. description: The name of the object located at the provider type.
  26061. maxLength: 253
  26062. minLength: 1
  26063. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26064. type: string
  26065. namespace:
  26066. description: |-
  26067. The namespace the Provider type is in.
  26068. Can only be defined when used in a ClusterSecretStore.
  26069. maxLength: 63
  26070. minLength: 1
  26071. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26072. type: string
  26073. type:
  26074. description: The type of provider to use such as "Secret", or "ConfigMap".
  26075. enum:
  26076. - Secret
  26077. - ConfigMap
  26078. type: string
  26079. required:
  26080. - name
  26081. - type
  26082. type: object
  26083. folderPath:
  26084. description: |-
  26085. FolderPath specifies the default folder path for secret retrieval.
  26086. Secrets will be fetched from this folder unless overridden in the ExternalSecret spec.
  26087. Example: "production/database" or "dev/api-keys"
  26088. Leave empty to retrieve secrets from the root folder.
  26089. For folder organization, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#folders
  26090. type: string
  26091. server:
  26092. description: |-
  26093. Server configures the BeyondTrust Workload Credentials server connection details.
  26094. Includes the API URL and Site ID for your BeyondTrust instance.
  26095. For API reference, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
  26096. properties:
  26097. apiUrl:
  26098. description: |-
  26099. APIURL is the base URL of your BeyondTrust Workload Credentials API server.
  26100. This should be the full URL to your BeyondTrust instance.
  26101. Example: https://api.beyondtrust.io/siie
  26102. For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#base-url
  26103. type: string
  26104. siteId:
  26105. description: |-
  26106. SiteID is your BeyondTrust Workload Credentials site identifier (UUID format).
  26107. This identifier is unique to your BeyondTrust Workload Credentials instance.
  26108. You can find your Site ID in the BeyondTrust Workload Credentials admin console.
  26109. Example: a1b2c3d4-e5f6-4890-abcd-ef1234567890
  26110. For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
  26111. type: string
  26112. required:
  26113. - apiUrl
  26114. - siteId
  26115. type: object
  26116. required:
  26117. - auth
  26118. - server
  26119. type: object
  26120. retrySettings:
  26121. description: |-
  26122. RetrySettings configures exponential backoff for failed API requests.
  26123. If not specified, uses the default retry settings.
  26124. properties:
  26125. maxRetries:
  26126. format: int32
  26127. type: integer
  26128. retryInterval:
  26129. type: string
  26130. type: object
  26131. required:
  26132. - provider
  26133. type: object
  26134. type: object
  26135. served: true
  26136. storage: true
  26137. subresources:
  26138. status: {}
  26139. ---
  26140. apiVersion: apiextensions.k8s.io/v1
  26141. kind: CustomResourceDefinition
  26142. metadata:
  26143. annotations:
  26144. controller-gen.kubebuilder.io/version: v0.19.0
  26145. labels:
  26146. external-secrets.io/component: controller
  26147. name: cloudsmithaccesstokens.generators.external-secrets.io
  26148. spec:
  26149. group: generators.external-secrets.io
  26150. names:
  26151. categories:
  26152. - external-secrets
  26153. - external-secrets-generators
  26154. kind: CloudsmithAccessToken
  26155. listKind: CloudsmithAccessTokenList
  26156. plural: cloudsmithaccesstokens
  26157. singular: cloudsmithaccesstoken
  26158. scope: Namespaced
  26159. versions:
  26160. - name: v1alpha1
  26161. schema:
  26162. openAPIV3Schema:
description: CloudsmithAccessToken generates a Cloudsmith access token using OIDC authentication.
  26164. properties:
  26165. apiVersion:
  26166. description: |-
  26167. APIVersion defines the versioned schema of this representation of an object.
  26168. Servers should convert recognized schemas to the latest internal value, and
  26169. may reject unrecognized values.
  26170. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  26171. type: string
  26172. kind:
  26173. description: |-
  26174. Kind is a string value representing the REST resource this object represents.
  26175. Servers may infer this from the endpoint the client submits requests to.
  26176. Cannot be updated.
  26177. In CamelCase.
  26178. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  26179. type: string
  26180. metadata:
  26181. type: object
  26182. spec:
  26183. description: CloudsmithAccessTokenSpec defines the configuration for generating a Cloudsmith access token using OIDC authentication.
  26184. properties:
  26185. apiUrl:
  26186. description: APIURL configures the Cloudsmith API URL. Defaults to https://api.cloudsmith.io.
  26187. type: string
  26188. orgSlug:
  26189. description: OrgSlug is the organization slug in Cloudsmith
  26190. type: string
  26191. serviceAccountRef:
  26192. description: Name of the service account you are federating with
  26193. properties:
  26194. audiences:
  26195. description: |-
Audiences specifies the `aud` claim(s) for the service account token.
If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity,
then these audiences are appended to the list derived from that annotation.
  26199. items:
  26200. type: string
  26201. type: array
  26202. name:
  26203. description: The name of the ServiceAccount resource being referred to.
  26204. maxLength: 253
  26205. minLength: 1
  26206. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26207. type: string
  26208. namespace:
  26209. description: |-
  26210. Namespace of the resource being referred to.
  26211. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26212. maxLength: 63
  26213. minLength: 1
  26214. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26215. type: string
  26216. required:
  26217. - name
  26218. type: object
  26219. serviceSlug:
  26220. description: ServiceSlug is the service slug in Cloudsmith for OIDC authentication
  26221. type: string
  26222. required:
  26223. - orgSlug
  26224. - serviceAccountRef
  26225. - serviceSlug
  26226. type: object
  26227. type: object
  26228. served: true
  26229. storage: true
  26230. subresources:
  26231. status: {}
  26232. ---
  26233. apiVersion: apiextensions.k8s.io/v1
  26234. kind: CustomResourceDefinition
  26235. metadata:
  26236. annotations:
  26237. controller-gen.kubebuilder.io/version: v0.19.0
  26238. labels:
  26239. external-secrets.io/component: controller
  26240. name: clustergenerators.generators.external-secrets.io
  26241. spec:
  26242. group: generators.external-secrets.io
  26243. names:
  26244. categories:
  26245. - external-secrets
  26246. - external-secrets-generators
  26247. kind: ClusterGenerator
  26248. listKind: ClusterGeneratorList
  26249. plural: clustergenerators
  26250. singular: clustergenerator
  26251. scope: Cluster
  26252. versions:
  26253. - name: v1alpha1
  26254. schema:
  26255. openAPIV3Schema:
  26256. description: ClusterGenerator represents a cluster-wide generator which can be referenced as part of `generatorRef` fields.
  26257. properties:
  26258. apiVersion:
  26259. description: |-
  26260. APIVersion defines the versioned schema of this representation of an object.
  26261. Servers should convert recognized schemas to the latest internal value, and
  26262. may reject unrecognized values.
  26263. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  26264. type: string
  26265. kind:
  26266. description: |-
  26267. Kind is a string value representing the REST resource this object represents.
  26268. Servers may infer this from the endpoint the client submits requests to.
  26269. Cannot be updated.
  26270. In CamelCase.
  26271. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  26272. type: string
  26273. metadata:
  26274. type: object
  26275. spec:
  26276. description: ClusterGeneratorSpec defines the desired state of a ClusterGenerator.
  26277. properties:
  26278. generator:
  26279. description: Generator the spec for this generator, must match the kind.
  26280. maxProperties: 1
  26281. minProperties: 1
  26282. properties:
  26283. acrAccessTokenSpec:
  26284. description: |-
  26285. ACRAccessTokenSpec defines how to generate the access token
  26286. e.g. how to authenticate and which registry to use.
  26287. see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview
  26288. properties:
  26289. auth:
  26290. description: ACRAuth defines the authentication methods for Azure Container Registry.
  26291. properties:
  26292. managedIdentity:
  26293. description: ManagedIdentity uses Azure Managed Identity to authenticate with Azure.
  26294. properties:
  26295. identityId:
description: If multiple Managed Identities are assigned to the pod, you can select the one to be used by its identity ID.
  26297. type: string
  26298. type: object
  26299. servicePrincipal:
  26300. description: ServicePrincipal uses Azure Service Principal credentials to authenticate with Azure.
  26301. properties:
  26302. secretRef:
  26303. description: |-
  26304. AzureACRServicePrincipalAuthSecretRef defines the secret references for Azure Service Principal authentication.
  26305. It uses static credentials stored in a Kind=Secret.
  26306. properties:
  26307. clientId:
description: The Azure clientId of the service principal used for authentication.
  26309. properties:
  26310. key:
  26311. description: |-
  26312. A key in the referenced Secret.
  26313. Some instances of this field may be defaulted, in others it may be required.
  26314. maxLength: 253
  26315. minLength: 1
  26316. pattern: ^[-._a-zA-Z0-9]+$
  26317. type: string
  26318. name:
  26319. description: The name of the Secret resource being referred to.
  26320. maxLength: 253
  26321. minLength: 1
  26322. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26323. type: string
  26324. namespace:
  26325. description: |-
  26326. The namespace of the Secret resource being referred to.
  26327. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26328. maxLength: 63
  26329. minLength: 1
  26330. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26331. type: string
  26332. type: object
  26333. clientSecret:
description: The Azure ClientSecret of the service principal used for authentication.
  26335. properties:
  26336. key:
  26337. description: |-
  26338. A key in the referenced Secret.
  26339. Some instances of this field may be defaulted, in others it may be required.
  26340. maxLength: 253
  26341. minLength: 1
  26342. pattern: ^[-._a-zA-Z0-9]+$
  26343. type: string
  26344. name:
  26345. description: The name of the Secret resource being referred to.
  26346. maxLength: 253
  26347. minLength: 1
  26348. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26349. type: string
  26350. namespace:
  26351. description: |-
  26352. The namespace of the Secret resource being referred to.
  26353. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26354. maxLength: 63
  26355. minLength: 1
  26356. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26357. type: string
  26358. type: object
  26359. type: object
  26360. required:
  26361. - secretRef
  26362. type: object
  26363. workloadIdentity:
  26364. description: WorkloadIdentity uses Azure Workload Identity to authenticate with Azure.
  26365. properties:
  26366. serviceAccountRef:
  26367. description: |-
  26368. ServiceAccountRef specified the service account
  26369. that should be used when authenticating with WorkloadIdentity.
  26370. properties:
  26371. audiences:
  26372. description: |-
Audiences specifies the `aud` claim(s) for the service account token.
If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity,
then these audiences are appended to the list derived from that annotation.
  26376. items:
  26377. type: string
  26378. type: array
  26379. name:
  26380. description: The name of the ServiceAccount resource being referred to.
  26381. maxLength: 253
  26382. minLength: 1
  26383. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26384. type: string
  26385. namespace:
  26386. description: |-
  26387. Namespace of the resource being referred to.
  26388. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26389. maxLength: 63
  26390. minLength: 1
  26391. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26392. type: string
  26393. required:
  26394. - name
  26395. type: object
  26396. type: object
  26397. type: object
  26398. environmentType:
  26399. default: PublicCloud
  26400. description: |-
EnvironmentType specifies the Azure cloud environment endpoints to use for
connecting and authenticating with Azure. By default, it points to the public cloud AAD endpoint.
The following environments are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud, AzureStackCloud
  26405. enum:
  26406. - PublicCloud
  26407. - USGovernmentCloud
  26408. - ChinaCloud
  26409. - GermanCloud
  26410. - AzureStackCloud
  26411. type: string
  26412. registry:
  26413. description: |-
  26414. the domain name of the ACR registry
  26415. e.g. foobarexample.azurecr.io
  26416. type: string
  26417. scope:
  26418. description: |-
Define the scope for the access token, e.g. pull/push access for a repository.
If not provided, a refresh token with full scope is returned; prefer setting an explicit scope so the
generated token is limited to the repositories and actions the consuming workload actually needs.
Note: you need to pin it down to the repository level, there is no wildcard available.
  26422. examples:
  26423. repository:my-repository:pull,push
  26424. repository:my-repository:pull
  26425. see docs for details: https://docs.docker.com/registry/spec/auth/scope/
  26426. type: string
  26427. tenantId:
  26428. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
  26429. type: string
  26430. required:
  26431. - auth
  26432. - registry
  26433. type: object
  26434. beyondtrustWorkloadCredentialsDynamicSecretSpec:
  26435. description: |-
  26436. BeyondtrustWorkloadCredentialsDynamicSecretSpec defines the desired spec for BeyondtrustWorkloadCredentials dynamic generator.
  26437. This generator enables obtaining temporary, short-lived credentials from BeyondTrust Workload Credentials.
  26438. For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
  26439. properties:
  26440. controller:
  26441. description: |-
  26442. Controller selects the controller that should handle this generator.
  26443. Leave empty to use the default controller.
  26444. type: string
  26445. provider:
  26446. description: |-
  26447. Provider contains the BeyondtrustWorkloadCredentials provider configuration including authentication,
  26448. server connection details, and the folder path to the dynamic secret definition.
  26449. The folderPath should point to a dynamic secret definition that has been created in
  26450. BeyondTrust Workload Credentials (e.g., "production/aws-temp").
  26451. For setup details, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
  26452. properties:
  26453. auth:
  26454. description: |-
  26455. Auth configures how the Operator authenticates with the BeyondTrust Workload Credentials API.
  26456. Currently supports API key authentication via Kubernetes secret reference.
  26457. For authentication setup, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#authentication
  26458. properties:
  26459. apikey:
  26460. description: |-
  26461. APIKey configures API token authentication for BeyondTrust Workload Credentials.
  26462. The token is retrieved from a Kubernetes secret and used as a Bearer token for API requests.
  26463. properties:
  26464. token:
  26465. description: |-
  26466. Token references the Kubernetes secret containing the BeyondTrust Workload Credentials API token.
  26467. The secret should contain the API key used to authenticate with BeyondTrust Workload Credentials.
  26468. Create an API token in your BeyondTrust Workload Credentials console and store it in a Kubernetes secret.
  26469. For details on creating API tokens, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#authentication
  26470. properties:
  26471. key:
  26472. description: |-
  26473. A key in the referenced Secret.
  26474. Some instances of this field may be defaulted, in others it may be required.
  26475. maxLength: 253
  26476. minLength: 1
  26477. pattern: ^[-._a-zA-Z0-9]+$
  26478. type: string
  26479. name:
  26480. description: The name of the Secret resource being referred to.
  26481. maxLength: 253
  26482. minLength: 1
  26483. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26484. type: string
  26485. namespace:
  26486. description: |-
  26487. The namespace of the Secret resource being referred to.
  26488. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26489. maxLength: 63
  26490. minLength: 1
  26491. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26492. type: string
  26493. type: object
  26494. required:
  26495. - token
  26496. type: object
  26497. required:
  26498. - apikey
  26499. type: object
  26500. caBundle:
  26501. description: |-
  26502. CABundle is a base64-encoded CA certificate used to validate the BeyondTrust Workload Credentials API TLS certificate.
  26503. Use this when your BeyondTrust instance uses a self-signed certificate or internal CA.
  26504. If not set, the system's trusted root certificates are used.
  26505. format: byte
  26506. type: string
  26507. caProvider:
  26508. description: |-
  26509. CAProvider points to a Secret or ConfigMap containing a PEM-encoded CA certificate.
  26510. This is used to validate the BeyondTrust Workload Credentials API TLS certificate.
  26511. Use this as an alternative to CABundle when you want to reference an existing Kubernetes resource.
  26512. properties:
  26513. key:
  26514. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  26515. maxLength: 253
  26516. minLength: 1
  26517. pattern: ^[-._a-zA-Z0-9]+$
  26518. type: string
  26519. name:
  26520. description: The name of the object located at the provider type.
  26521. maxLength: 253
  26522. minLength: 1
  26523. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26524. type: string
  26525. namespace:
  26526. description: |-
  26527. The namespace the Provider type is in.
  26528. Can only be defined when used in a ClusterSecretStore.
  26529. maxLength: 63
  26530. minLength: 1
  26531. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26532. type: string
  26533. type:
  26534. description: The type of provider to use such as "Secret", or "ConfigMap".
  26535. enum:
  26536. - Secret
  26537. - ConfigMap
  26538. type: string
  26539. required:
  26540. - name
  26541. - type
  26542. type: object
  26543. folderPath:
  26544. description: |-
  26545. FolderPath specifies the default folder path for secret retrieval.
  26546. Secrets will be fetched from this folder unless overridden in the ExternalSecret spec.
  26547. Example: "production/database" or "dev/api-keys"
  26548. Leave empty to retrieve secrets from the root folder.
  26549. For folder organization, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#folders
  26550. type: string
  26551. server:
  26552. description: |-
  26553. Server configures the BeyondTrust Workload Credentials server connection details.
  26554. Includes the API URL and Site ID for your BeyondTrust instance.
  26555. For API reference, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
  26556. properties:
  26557. apiUrl:
  26558. description: |-
  26559. APIURL is the base URL of your BeyondTrust Workload Credentials API server.
  26560. This should be the full URL to your BeyondTrust instance.
  26561. Example: https://api.beyondtrust.io/siie
  26562. For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#base-url
  26563. type: string
  26564. siteId:
  26565. description: |-
  26566. SiteID is your BeyondTrust Workload Credentials site identifier (UUID format).
  26567. This identifier is unique to your BeyondTrust Workload Credentials instance.
  26568. You can find your Site ID in the BeyondTrust Workload Credentials admin console.
  26569. Example: a1b2c3d4-e5f6-4890-abcd-ef1234567890
  26570. For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
  26571. type: string
  26572. required:
  26573. - apiUrl
  26574. - siteId
  26575. type: object
  26576. required:
  26577. - auth
  26578. - server
  26579. type: object
  26580. retrySettings:
  26581. description: |-
  26582. RetrySettings configures exponential backoff for failed API requests.
  26583. If not specified, uses the default retry settings.
  26584. properties:
  26585. maxRetries:
  26586. format: int32
  26587. type: integer
  26588. retryInterval:
  26589. type: string
  26590. type: object
  26591. required:
  26592. - provider
  26593. type: object
  26594. cloudsmithAccessTokenSpec:
  26595. description: CloudsmithAccessTokenSpec defines the configuration for generating a Cloudsmith access token using OIDC authentication.
  26596. properties:
  26597. apiUrl:
  26598. description: APIURL configures the Cloudsmith API URL. Defaults to https://api.cloudsmith.io.
  26599. type: string
  26600. orgSlug:
  26601. description: OrgSlug is the organization slug in Cloudsmith
  26602. type: string
  26603. serviceAccountRef:
  26604. description: Name of the service account you are federating with
  26605. properties:
  26606. audiences:
  26607. description: |-
Audiences specifies the `aud` claim(s) for the service account token.
If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity,
then these audiences are appended to the list derived from that annotation.
  26611. items:
  26612. type: string
  26613. type: array
  26614. name:
  26615. description: The name of the ServiceAccount resource being referred to.
  26616. maxLength: 253
  26617. minLength: 1
  26618. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26619. type: string
  26620. namespace:
  26621. description: |-
  26622. Namespace of the resource being referred to.
  26623. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26624. maxLength: 63
  26625. minLength: 1
  26626. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26627. type: string
  26628. required:
  26629. - name
  26630. type: object
  26631. serviceSlug:
  26632. description: ServiceSlug is the service slug in Cloudsmith for OIDC authentication
  26633. type: string
  26634. required:
  26635. - orgSlug
  26636. - serviceAccountRef
  26637. - serviceSlug
  26638. type: object
  26639. ecrAuthorizationTokenSpec:
  26640. description: ECRAuthorizationTokenSpec defines the desired state to generate an AWS ECR authorization token.
  26641. properties:
  26642. auth:
  26643. description: Auth defines how to authenticate with AWS
  26644. properties:
  26645. jwt:
  26646. description: AWSJWTAuth provides configuration to authenticate against AWS using service account tokens.
  26647. properties:
  26648. serviceAccountRef:
  26649. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  26650. properties:
  26651. audiences:
  26652. description: |-
Audiences specifies the `aud` claim(s) for the service account token.
If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity,
then these audiences are appended to the list derived from that annotation.
  26656. items:
  26657. type: string
  26658. type: array
  26659. name:
  26660. description: The name of the ServiceAccount resource being referred to.
  26661. maxLength: 253
  26662. minLength: 1
  26663. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26664. type: string
  26665. namespace:
  26666. description: |-
  26667. Namespace of the resource being referred to.
  26668. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26669. maxLength: 63
  26670. minLength: 1
  26671. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26672. type: string
  26673. required:
  26674. - name
  26675. type: object
  26676. type: object
  26677. secretRef:
  26678. description: |-
  26679. AWSAuthSecretRef holds secret references for AWS credentials
  26680. both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  26681. properties:
  26682. accessKeyIDSecretRef:
  26683. description: The AccessKeyID is used for authentication
  26684. properties:
  26685. key:
  26686. description: |-
  26687. A key in the referenced Secret.
  26688. Some instances of this field may be defaulted, in others it may be required.
  26689. maxLength: 253
  26690. minLength: 1
  26691. pattern: ^[-._a-zA-Z0-9]+$
  26692. type: string
  26693. name:
  26694. description: The name of the Secret resource being referred to.
  26695. maxLength: 253
  26696. minLength: 1
  26697. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26698. type: string
  26699. namespace:
  26700. description: |-
  26701. The namespace of the Secret resource being referred to.
  26702. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26703. maxLength: 63
  26704. minLength: 1
  26705. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26706. type: string
  26707. type: object
  26708. secretAccessKeySecretRef:
  26709. description: The SecretAccessKey is used for authentication
  26710. properties:
  26711. key:
  26712. description: |-
  26713. A key in the referenced Secret.
  26714. Some instances of this field may be defaulted, in others it may be required.
  26715. maxLength: 253
  26716. minLength: 1
  26717. pattern: ^[-._a-zA-Z0-9]+$
  26718. type: string
  26719. name:
  26720. description: The name of the Secret resource being referred to.
  26721. maxLength: 253
  26722. minLength: 1
  26723. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26724. type: string
  26725. namespace:
  26726. description: |-
  26727. The namespace of the Secret resource being referred to.
  26728. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26729. maxLength: 63
  26730. minLength: 1
  26731. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26732. type: string
  26733. type: object
  26734. sessionTokenSecretRef:
  26735. description: |-
  26736. The SessionToken used for authentication
  26737. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  26738. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  26739. properties:
  26740. key:
  26741. description: |-
  26742. A key in the referenced Secret.
  26743. Some instances of this field may be defaulted, in others it may be required.
  26744. maxLength: 253
  26745. minLength: 1
  26746. pattern: ^[-._a-zA-Z0-9]+$
  26747. type: string
  26748. name:
  26749. description: The name of the Secret resource being referred to.
  26750. maxLength: 253
  26751. minLength: 1
  26752. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26753. type: string
  26754. namespace:
  26755. description: |-
  26756. The namespace of the Secret resource being referred to.
  26757. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26758. maxLength: 63
  26759. minLength: 1
  26760. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26761. type: string
  26762. type: object
  26763. type: object
  26764. type: object
  26765. region:
  26766. description: Region specifies the region to operate in.
  26767. type: string
  26768. role:
  26769. description: |-
  26770. You can assume a role before making calls to the
  26771. desired AWS service.
  26772. type: string
  26773. scope:
  26774. description: |-
  26775. Scope specifies the ECR service scope.
  26776. Valid options are private and public.
  26777. type: string
  26778. required:
  26779. - region
  26780. type: object
  26781. fakeSpec:
  26782. description: FakeSpec contains the static data.
  26783. properties:
  26784. controller:
  26785. description: |-
Used to select the correct ESO controller (think: ingress.ingressClassName).
The ESO controller is instantiated with a specific controller name and filters generators based on this property.
  26788. type: string
  26789. data:
  26790. additionalProperties:
  26791. type: string
  26792. description: |-
  26793. Data defines the static data returned
  26794. by this generator.
  26795. type: object
  26796. type: object
  26797. gcrAccessTokenSpec:
  26798. description: GCRAccessTokenSpec defines the desired state to generate a Google Container Registry access token.
  26799. properties:
  26800. auth:
  26801. description: Auth defines the means for authenticating with GCP
  26802. properties:
  26803. secretRef:
  26804. description: GCPSMAuthSecretRef defines the reference to a secret containing Google Cloud Platform credentials.
  26805. properties:
  26806. secretAccessKeySecretRef:
  26807. description: The SecretAccessKey is used for authentication
  26808. properties:
  26809. key:
  26810. description: |-
  26811. A key in the referenced Secret.
  26812. Some instances of this field may be defaulted, in others it may be required.
  26813. maxLength: 253
  26814. minLength: 1
  26815. pattern: ^[-._a-zA-Z0-9]+$
  26816. type: string
  26817. name:
  26818. description: The name of the Secret resource being referred to.
  26819. maxLength: 253
  26820. minLength: 1
  26821. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26822. type: string
  26823. namespace:
  26824. description: |-
  26825. The namespace of the Secret resource being referred to.
  26826. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26827. maxLength: 63
  26828. minLength: 1
  26829. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26830. type: string
  26831. type: object
  26832. type: object
  26833. workloadIdentity:
  26834. description: GCPWorkloadIdentity defines the configuration for using GCP Workload Identity authentication.
  26835. properties:
  26836. clusterLocation:
  26837. type: string
  26838. clusterName:
  26839. type: string
  26840. clusterProjectID:
  26841. type: string
  26842. serviceAccountRef:
  26843. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  26844. properties:
  26845. audiences:
  26846. description: |-
  26847. Audience specifies the `aud` claim for the service account token
  26848. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  26849. then these audiences will be appended to the list
  26850. items:
  26851. type: string
  26852. type: array
  26853. name:
  26854. description: The name of the ServiceAccount resource being referred to.
  26855. maxLength: 253
  26856. minLength: 1
  26857. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26858. type: string
  26859. namespace:
  26860. description: |-
  26861. Namespace of the resource being referred to.
  26862. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26863. maxLength: 63
  26864. minLength: 1
  26865. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26866. type: string
  26867. required:
  26868. - name
  26869. type: object
  26870. required:
  26871. - clusterLocation
  26872. - clusterName
  26873. - serviceAccountRef
  26874. type: object
  26875. workloadIdentityFederation:
  26876. description: GCPWorkloadIdentityFederation holds the configurations required for generating federated access tokens.
  26877. properties:
  26878. audience:
  26879. description: |-
  26880. audience is the Secure Token Service (STS) audience which contains the resource name for the workload identity pool and the provider identifier in that pool.
  26881. If specified, Audience found in the external account credential config will be overridden with the configured value.
  26882. audience must be provided when serviceAccountRef or awsSecurityCredentials is configured.
  26883. type: string
  26884. awsSecurityCredentials:
  26885. description: |-
  26886. awsSecurityCredentials is for configuring AWS region and credentials to use for obtaining the access token,
  26887. when using the AWS metadata server is not an option.
  26888. properties:
  26889. awsCredentialsSecretRef:
  26890. description: |-
  26891. awsCredentialsSecretRef is the reference to the secret which holds the AWS credentials.
  26892. The Secret should be created with the following key names:
  26893. - aws_access_key_id: Access Key ID, which is the unique identifier for the AWS account or the IAM user.
  26894. - aws_secret_access_key: Secret Access Key, which is used to authenticate requests made to AWS services.
  26895. - aws_session_token: Session Token, is the short-lived token to authenticate requests made to AWS services.
  26896. properties:
  26897. name:
  26898. description: name of the secret.
  26899. maxLength: 253
  26900. minLength: 1
  26901. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26902. type: string
  26903. namespace:
  26904. description: namespace in which the secret exists. If empty, the secret will be looked up in the local namespace.
  26905. maxLength: 63
  26906. minLength: 1
  26907. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26908. type: string
  26909. required:
  26910. - name
  26911. type: object
  26912. region:
  26913. description: region is for configuring the AWS region to be used.
  26914. example: ap-south-1
  26915. maxLength: 50
  26916. minLength: 1
  26917. pattern: ^[a-z0-9-]+$
  26918. type: string
  26919. required:
  26920. - awsCredentialsSecretRef
  26921. - region
  26922. type: object
  26923. credConfig:
  26924. description: |-
  26925. credConfig holds the configmap reference containing the GCP external account credential configuration in JSON format and the key name containing the json data.
  26926. For using Kubernetes cluster as the identity provider, use serviceAccountRef instead. The operator's mounted serviceaccount token cannot be used as the token source; instead,
  26927. serviceAccountRef must be used by providing the operator's service account details.
  26928. properties:
  26929. key:
  26930. description: key name holding the external account credential config.
  26931. maxLength: 253
  26932. minLength: 1
  26933. pattern: ^[-._a-zA-Z0-9]+$
  26934. type: string
  26935. name:
  26936. description: name of the configmap.
  26937. maxLength: 253
  26938. minLength: 1
  26939. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26940. type: string
  26941. namespace:
  26942. description: namespace in which the configmap exists. If empty, the configmap will be looked up in the local namespace.
  26943. maxLength: 63
  26944. minLength: 1
  26945. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26946. type: string
  26947. required:
  26948. - key
  26949. - name
  26950. type: object
  26951. externalTokenEndpoint:
  26952. description: |-
  26953. externalTokenEndpoint is the endpoint explicitly set up to provide tokens, which will be matched against the
  26954. credential_source.url in the provided credConfig. This field is merely to double-check the external token source
  26955. URL has the expected value.
  26956. type: string
  26957. gcpServiceAccountEmail:
  26958. description: |-
  26959. GCPServiceAccountEmail is the email of the Google Cloud service account to impersonate
  26960. after Workload Identity Federation. Use this to grant access through the service account's
  26961. IAM bindings (for example roles/secretmanager.secretAccessor). When set, it overrides
  26962. service_account_impersonation_url in the external account JSON from credConfig;
  26963. when serviceAccountRef is set, it also overrides the "iam.gke.io/gcp-service-account" annotation
  26964. on that ServiceAccount.
  26965. example: my-gsa@my-project.iam.gserviceaccount.com
  26966. minLength: 1
  26967. pattern: ^.*@.*\.iam\.gserviceaccount\.com$
  26968. type: string
  26969. serviceAccountRef:
  26970. description: |-
  26971. serviceAccountRef is the reference to the kubernetes ServiceAccount to be used for obtaining the tokens,
  26972. when Kubernetes is configured as provider in workload identity pool.
  26973. properties:
  26974. audiences:
  26975. description: |-
  26976. Audience specifies the `aud` claim for the service account token
  26977. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  26978. then these audiences will be appended to the list
  26979. items:
  26980. type: string
  26981. type: array
  26982. name:
  26983. description: The name of the ServiceAccount resource being referred to.
  26984. maxLength: 253
  26985. minLength: 1
  26986. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26987. type: string
  26988. namespace:
  26989. description: |-
  26990. Namespace of the resource being referred to.
  26991. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26992. maxLength: 63
  26993. minLength: 1
  26994. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26995. type: string
  26996. required:
  26997. - name
  26998. type: object
  26999. type: object
  27000. type: object
  27001. projectID:
  27002. description: ProjectID defines which project to use to authenticate with
  27003. type: string
  27004. required:
  27005. - auth
  27006. - projectID
  27007. type: object
  27008. githubAccessTokenSpec:
  27009. description: GithubAccessTokenSpec defines the desired state to generate a GitHub access token.
  27010. properties:
  27011. appID:
  27012. type: string
  27013. auth:
  27014. description: Auth configures how ESO authenticates with a Github instance.
  27015. properties:
  27016. privateKey:
  27017. description: GithubSecretRef references a secret containing GitHub credentials.
  27018. properties:
  27019. secretRef:
  27020. description: |-
  27021. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  27022. In some instances, `key` is a required field.
  27023. properties:
  27024. key:
  27025. description: |-
  27026. A key in the referenced Secret.
  27027. Some instances of this field may be defaulted, in others it may be required.
  27028. maxLength: 253
  27029. minLength: 1
  27030. pattern: ^[-._a-zA-Z0-9]+$
  27031. type: string
  27032. name:
  27033. description: The name of the Secret resource being referred to.
  27034. maxLength: 253
  27035. minLength: 1
  27036. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27037. type: string
  27038. namespace:
  27039. description: |-
  27040. The namespace of the Secret resource being referred to.
  27041. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27042. maxLength: 63
  27043. minLength: 1
  27044. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27045. type: string
  27046. type: object
  27047. required:
  27048. - secretRef
  27049. type: object
  27050. required:
  27051. - privateKey
  27052. type: object
  27053. installID:
  27054. type: string
  27055. permissions:
  27056. additionalProperties:
  27057. type: string
  27058. description: Map of permissions the token will have. If omitted, defaults to all permissions the GitHub App has.
  27059. type: object
  27060. repositories:
  27061. description: |-
  27062. List of repositories the token will have access to. If omitted, defaults to all repositories the GitHub App
  27063. is installed to.
  27064. items:
  27065. type: string
  27066. type: array
  27067. url:
  27068. description: URL configures the GitHub instance URL. Defaults to https://github.com/.
  27069. type: string
  27070. required:
  27071. - appID
  27072. - auth
  27073. - installID
  27074. type: object
  27075. gitlabDeployTokenSpec:
  27076. description: GitlabDeployTokenSpec defines the desired state to generate a GitLab deploy token.
  27077. properties:
  27078. auth:
  27079. description: Auth configures how ESO authenticates with the GitLab API.
  27080. properties:
  27081. token:
  27082. description: |-
  27083. Token references a secret containing a GitLab access token (personal, group, or
  27084. project) with the api scope and at least the Maintainer role on the target.
  27085. properties:
  27086. secretRef:
  27087. description: |-
  27088. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  27089. In some instances, `key` is a required field.
  27090. properties:
  27091. key:
  27092. description: |-
  27093. A key in the referenced Secret.
  27094. Some instances of this field may be defaulted, in others it may be required.
  27095. maxLength: 253
  27096. minLength: 1
  27097. pattern: ^[-._a-zA-Z0-9]+$
  27098. type: string
  27099. name:
  27100. description: The name of the Secret resource being referred to.
  27101. maxLength: 253
  27102. minLength: 1
  27103. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27104. type: string
  27105. namespace:
  27106. description: |-
  27107. The namespace of the Secret resource being referred to.
  27108. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27109. maxLength: 63
  27110. minLength: 1
  27111. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27112. type: string
  27113. type: object
  27114. required:
  27115. - secretRef
  27116. type: object
  27117. required:
  27118. - token
  27119. type: object
  27120. expiresAt:
  27121. description: |-
  27122. ExpiresAt is an optional expiry for the deploy token. If omitted the token does
  27123. not expire on the GitLab side and is revoked only when the generator state is
  27124. cleaned up (on regeneration or when the consuming ExternalSecret is deleted).
  27125. format: date-time
  27126. type: string
  27127. groupID:
  27128. description: |-
  27129. GroupID is the numeric ID or unescaped path (e.g. parent/group) of the group to
  27130. create the deploy token in. The generator URL-escapes paths before calling the
  27131. GitLab API, so do not pre-encode. Mutually exclusive with projectID.
  27132. minLength: 1
  27133. type: string
  27134. name:
  27135. description: Name of the deploy token.
  27136. minLength: 1
  27137. type: string
  27138. projectID:
  27139. description: |-
  27140. ProjectID is the numeric ID or unescaped path (e.g. group/project) of the
  27141. project to create the deploy token in. The generator URL-escapes paths before
  27142. calling the GitLab API, so do not pre-encode. Mutually exclusive with groupID.
  27143. minLength: 1
  27144. type: string
  27145. scopes:
  27146. description: Scopes granted to the deploy token. At least one scope is required.
  27147. items:
  27148. description: GitlabDeployTokenScope is a scope that can be granted to a GitLab deploy token.
  27149. enum:
  27150. - read_repository
  27151. - read_registry
  27152. - write_registry
  27153. - read_package_registry
  27154. - write_package_registry
  27155. - read_virtual_registry
  27156. - write_virtual_registry
  27157. type: string
  27158. minItems: 1
  27159. type: array
  27160. url:
  27161. description: URL configures the GitLab instance URL. Defaults to https://gitlab.com.
  27162. type: string
  27163. username:
  27164. description: |-
  27165. Username is an optional username for the deploy token. GitLab defaults it to
  27166. gitlab+deploy-token-{n} when omitted.
  27167. type: string
  27168. required:
  27169. - auth
  27170. - name
  27171. - scopes
  27172. type: object
  27173. x-kubernetes-validations:
  27174. - message: exactly one of projectID or groupID must be set
  27175. rule: has(self.projectID) != has(self.groupID)
  27176. grafanaSpec:
  27177. description: GrafanaSpec controls the behavior of the grafana generator.
  27178. properties:
  27179. auth:
  27180. description: |-
  27181. Auth is the authentication configuration to authenticate
  27182. against the Grafana instance.
  27183. properties:
  27184. basic:
  27185. description: |-
  27186. Basic auth credentials used to authenticate against the Grafana instance.
  27187. Note: you need a token which has elevated permissions to create service accounts.
  27188. See here for the documentation on basic roles offered by Grafana:
  27189. https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/
  27190. properties:
  27191. password:
  27192. description: A basic auth password used to authenticate against the Grafana instance.
  27193. properties:
  27194. key:
  27195. description: The key where the token is found.
  27196. maxLength: 253
  27197. minLength: 1
  27198. pattern: ^[-._a-zA-Z0-9]+$
  27199. type: string
  27200. name:
  27201. description: The name of the Secret resource being referred to.
  27202. maxLength: 253
  27203. minLength: 1
  27204. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27205. type: string
  27206. type: object
  27207. username:
  27208. description: A basic auth username used to authenticate against the Grafana instance.
  27209. type: string
  27210. required:
  27211. - password
  27212. - username
  27213. type: object
  27214. token:
  27215. description: |-
  27216. A service account token used to authenticate against the Grafana instance.
  27217. Note: you need a token which has elevated permissions to create service accounts.
  27218. See here for the documentation on basic roles offered by Grafana:
  27219. https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/
  27220. properties:
  27221. key:
  27222. description: The key where the token is found.
  27223. maxLength: 253
  27224. minLength: 1
  27225. pattern: ^[-._a-zA-Z0-9]+$
  27226. type: string
  27227. name:
  27228. description: The name of the Secret resource being referred to.
  27229. maxLength: 253
  27230. minLength: 1
  27231. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27232. type: string
  27233. type: object
  27234. type: object
  27235. serviceAccount:
  27236. description: |-
  27237. ServiceAccount is the configuration for the service account that
  27238. is supposed to be generated by the generator.
  27239. properties:
  27240. name:
  27241. description: Name is the name of the service account that will be created by ESO.
  27242. type: string
  27243. role:
  27244. description: |-
  27245. Role is the role of the service account.
  27246. See here for the documentation on basic roles offered by Grafana:
  27247. https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/
  27248. type: string
  27249. required:
  27250. - name
  27251. - role
  27252. type: object
  27253. url:
  27254. description: URL is the URL of the Grafana instance.
  27255. type: string
  27256. required:
  27257. - auth
  27258. - serviceAccount
  27259. - url
  27260. type: object
  27261. mfaSpec:
  27262. description: MFASpec controls the behavior of the mfa generator.
  27263. properties:
  27264. algorithm:
  27265. description: Algorithm to use for encoding. Defaults to SHA1 as per the RFC.
  27266. type: string
  27267. length:
  27268. description: Length defines the token length. Defaults to 6 characters.
  27269. type: integer
  27270. secret:
  27271. description: Secret is a secret selector to a secret containing the seed secret to generate the TOTP value from.
  27272. properties:
  27273. key:
  27274. description: |-
  27275. A key in the referenced Secret.
  27276. Some instances of this field may be defaulted, in others it may be required.
  27277. maxLength: 253
  27278. minLength: 1
  27279. pattern: ^[-._a-zA-Z0-9]+$
  27280. type: string
  27281. name:
  27282. description: The name of the Secret resource being referred to.
  27283. maxLength: 253
  27284. minLength: 1
  27285. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27286. type: string
  27287. namespace:
  27288. description: |-
  27289. The namespace of the Secret resource being referred to.
  27290. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27291. maxLength: 63
  27292. minLength: 1
  27293. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27294. type: string
  27295. type: object
  27296. timePeriod:
  27297. description: TimePeriod defines how long the token can be active. Defaults to 30 seconds.
  27298. type: integer
  27299. when:
  27300. description: When defines a time parameter that can be used to pin the origin time of the generated token.
  27301. format: date-time
  27302. type: string
  27303. required:
  27304. - secret
  27305. type: object
  27306. passwordSpec:
  27307. description: PasswordSpec controls the behavior of the password generator.
  27308. properties:
  27309. allowRepeat:
  27310. default: false
  27311. description: Set AllowRepeat to true to allow repeating characters.
  27312. type: boolean
  27313. digits:
  27314. description: |-
  27315. Digits specifies the number of digits in the generated
  27316. password. If omitted it defaults to 25% of the length of the password
  27317. type: integer
  27318. encoding:
  27319. default: raw
  27320. description: |-
  27321. Encoding specifies the encoding of the generated password.
  27322. Valid values are:
  27323. - "raw" (default): no encoding
  27324. - "base64": standard base64 encoding
  27325. - "base64url": base64url encoding
  27326. - "base32": base32 encoding
  27327. - "hex": hexadecimal encoding
  27328. enum:
  27329. - base64
  27330. - base64url
  27331. - base32
  27332. - hex
  27333. - raw
  27334. type: string
  27335. length:
  27336. default: 24
  27337. description: |-
  27338. Length of the password to be generated.
  27339. Defaults to 24
  27340. type: integer
  27341. noUpper:
  27342. default: false
  27343. description: Set NoUpper to disable uppercase characters
  27344. type: boolean
  27345. secretKeys:
  27346. description: |-
  27347. SecretKeys defines the keys that will be populated with generated passwords.
  27348. Defaults to "password" when not set.
  27349. items:
  27350. type: string
  27351. minItems: 1
  27352. type: array
  27353. symbolCharacters:
  27354. description: |-
  27355. SymbolCharacters specifies the special characters that should be used
  27356. in the generated password.
  27357. type: string
  27358. symbols:
  27359. description: |-
  27360. Symbols specifies the number of symbol characters in the generated
  27361. password. If omitted it defaults to 25% of the length of the password
  27362. type: integer
  27363. required:
  27364. - allowRepeat
  27365. - length
  27366. - noUpper
  27367. type: object
  27368. quayAccessTokenSpec:
  27369. description: QuayAccessTokenSpec defines the desired state to generate a Quay access token.
  27370. properties:
  27371. robotAccount:
  27372. description: Name of the robot account you are federating with
  27373. type: string
  27374. serviceAccountRef:
  27375. description: Name of the service account you are federating with
  27376. properties:
  27377. audiences:
  27378. description: |-
  27379. Audience specifies the `aud` claim for the service account token
  27380. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  27381. then these audiences will be appended to the list
  27382. items:
  27383. type: string
  27384. type: array
  27385. name:
  27386. description: The name of the ServiceAccount resource being referred to.
  27387. maxLength: 253
  27388. minLength: 1
  27389. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27390. type: string
  27391. namespace:
  27392. description: |-
  27393. Namespace of the resource being referred to.
  27394. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27395. maxLength: 63
  27396. minLength: 1
  27397. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27398. type: string
  27399. required:
  27400. - name
  27401. type: object
  27402. url:
  27403. description: URL configures the Quay instance URL. Defaults to quay.io.
  27404. type: string
  27405. required:
  27406. - robotAccount
  27407. - serviceAccountRef
  27408. type: object
  27409. sshKeySpec:
  27410. description: SSHKeySpec controls the behavior of the ssh key generator.
  27411. properties:
  27412. comment:
  27413. description: Comment specifies an optional comment for the SSH key
  27414. type: string
  27415. keySize:
  27416. description: |-
  27417. KeySize specifies the key size for RSA keys (default: 2048) and ECDSA keys (default: 256).
  27418. For RSA keys: 2048, 3072, 4096
  27419. For ECDSA keys: 256, 384, 521
  27420. Ignored for ed25519 keys
  27421. maximum: 8192
  27422. minimum: 256
  27423. type: integer
  27424. keyType:
  27425. default: rsa
  27426. description: KeyType specifies the SSH key type (rsa, ecdsa, ed25519)
  27427. enum:
  27428. - rsa
  27429. - ecdsa
  27430. - ed25519
  27431. type: string
  27432. type: object
  27433. stsSessionTokenSpec:
  27434. description: STSSessionTokenSpec defines the desired state to generate an AWS STS session token.
  27435. properties:
  27436. auth:
  27437. description: Auth defines how to authenticate with AWS
  27438. properties:
  27439. jwt:
  27440. description: AWSJWTAuth provides configuration to authenticate against AWS using service account tokens.
  27441. properties:
  27442. serviceAccountRef:
  27443. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  27444. properties:
  27445. audiences:
  27446. description: |-
  27447. Audience specifies the `aud` claim for the service account token
  27448. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  27449. then these audiences will be appended to the list
  27450. items:
  27451. type: string
  27452. type: array
  27453. name:
  27454. description: The name of the ServiceAccount resource being referred to.
  27455. maxLength: 253
  27456. minLength: 1
  27457. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27458. type: string
  27459. namespace:
  27460. description: |-
  27461. Namespace of the resource being referred to.
  27462. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27463. maxLength: 63
  27464. minLength: 1
  27465. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27466. type: string
  27467. required:
  27468. - name
  27469. type: object
  27470. type: object
  27471. secretRef:
  27472. description: |-
  27473. AWSAuthSecretRef holds secret references for AWS credentials
  27474. both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  27475. properties:
  27476. accessKeyIDSecretRef:
  27477. description: The AccessKeyID is used for authentication
  27478. properties:
  27479. key:
  27480. description: |-
  27481. A key in the referenced Secret.
  27482. Some instances of this field may be defaulted, in others it may be required.
  27483. maxLength: 253
  27484. minLength: 1
  27485. pattern: ^[-._a-zA-Z0-9]+$
  27486. type: string
  27487. name:
  27488. description: The name of the Secret resource being referred to.
  27489. maxLength: 253
  27490. minLength: 1
  27491. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27492. type: string
  27493. namespace:
  27494. description: |-
  27495. The namespace of the Secret resource being referred to.
  27496. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27497. maxLength: 63
  27498. minLength: 1
  27499. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27500. type: string
  27501. type: object
  27502. secretAccessKeySecretRef:
  27503. description: The SecretAccessKey is used for authentication
  27504. properties:
  27505. key:
  27506. description: |-
  27507. A key in the referenced Secret.
  27508. Some instances of this field may be defaulted, in others it may be required.
  27509. maxLength: 253
  27510. minLength: 1
  27511. pattern: ^[-._a-zA-Z0-9]+$
  27512. type: string
  27513. name:
  27514. description: The name of the Secret resource being referred to.
  27515. maxLength: 253
  27516. minLength: 1
  27517. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27518. type: string
  27519. namespace:
  27520. description: |-
  27521. The namespace of the Secret resource being referred to.
  27522. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27523. maxLength: 63
  27524. minLength: 1
  27525. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27526. type: string
  27527. type: object
  27528. sessionTokenSecretRef:
  27529. description: |-
  27530. The SessionToken used for authentication
  27531. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  27532. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  27533. properties:
  27534. key:
  27535. description: |-
  27536. A key in the referenced Secret.
  27537. Some instances of this field may be defaulted, in others it may be required.
  27538. maxLength: 253
  27539. minLength: 1
  27540. pattern: ^[-._a-zA-Z0-9]+$
  27541. type: string
  27542. name:
  27543. description: The name of the Secret resource being referred to.
  27544. maxLength: 253
  27545. minLength: 1
  27546. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27547. type: string
  27548. namespace:
  27549. description: |-
  27550. The namespace of the Secret resource being referred to.
  27551. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27552. maxLength: 63
  27553. minLength: 1
  27554. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27555. type: string
  27556. type: object
  27557. type: object
  27558. type: object
  27559. region:
  27560. description: Region specifies the region to operate in.
  27561. type: string
  27562. requestParameters:
  27563. description: RequestParameters contains parameters that can be passed to the STS service.
  27564. properties:
  27565. serialNumber:
  27566. description: |-
  27567. SerialNumber is the identification number of the MFA device that is associated with the IAM user who is making
  27568. the GetSessionToken call.
  27569. Possible values: hardware device (such as GAHT12345678) or an Amazon Resource Name (ARN) for a virtual device
  27570. (such as arn:aws:iam::123456789012:mfa/user)
  27571. type: string
  27572. sessionDuration:
  27573. format: int32
  27574. type: integer
  27575. tokenCode:
  27576. description: TokenCode is the value provided by the MFA device, if MFA is required.
  27577. type: string
  27578. type: object
  27579. role:
  27580. description: |-
  27581. You can assume a role before making calls to the
  27582. desired AWS service.
  27583. type: string
  27584. required:
  27585. - region
  27586. type: object
  27587. uuidSpec:
  27588. description: UUIDSpec controls the behavior of the uuid generator.
  27589. type: object
  27590. vaultDynamicSecretSpec:
  27591. description: VaultDynamicSecretSpec defines the desired spec of VaultDynamicSecret.
  27592. properties:
  27593. allowEmptyResponse:
  27594. default: false
  27595. description: Do not fail if no secrets are found. Useful for requests where no data is expected.
  27596. type: boolean
  27597. controller:
  27598. description: |-
  27599. Used to select the correct ESO controller (think: ingress.ingressClassName)
  27600. The ESO controller is instantiated with a specific controller name and filters VDS based on this property
  27601. type: string
  27602. getParameters:
  27603. additionalProperties:
  27604. items:
  27605. type: string
  27606. type: array
  27607. description: |-
  27608. GetParameters are query-string parameters passed to Vault on GET calls.
  27609. Each key may map to multiple values, matching HTTP query-string semantics.
  27610. Ignored for non-GET methods; use Parameters for write bodies.
  27611. type: object
  27612. method:
  27613. description: Vault API method to use (GET/POST/other)
  27614. type: string
  27615. parameters:
  27616. description: Parameters to pass to Vault write (for non-GET methods)
  27617. x-kubernetes-preserve-unknown-fields: true
  27618. path:
  27619. description: Vault path to obtain the dynamic secret from
  27620. type: string
  27621. provider:
  27622. description: Vault provider common spec
  27623. properties:
  27624. auth:
  27625. description: Auth configures how secret-manager authenticates with the Vault server.
  27626. properties:
  27627. appRole:
  27628. description: |-
  27629. AppRole authenticates with Vault using the App Role auth mechanism,
  27630. with the role and secret stored in a Kubernetes Secret resource.
  27631. properties:
  27632. path:
  27633. default: approle
  27634. description: |-
  27635. Path where the App Role authentication backend is mounted
  27636. in Vault, e.g: "approle"
  27637. type: string
  27638. roleId:
  27639. description: |-
  27640. RoleID configured in the App Role authentication backend when setting
  27641. up the authentication backend in Vault.
  27642. type: string
  27643. roleRef:
  27644. description: |-
  27645. Reference to a key in a Secret that contains the App Role ID used
  27646. to authenticate with Vault.
  27647. The `key` field must be specified and denotes which entry within the Secret
  27648. resource is used as the app role id.
  27649. properties:
  27650. key:
  27651. description: |-
  27652. A key in the referenced Secret.
  27653. Some instances of this field may be defaulted, in others it may be required.
  27654. maxLength: 253
  27655. minLength: 1
  27656. pattern: ^[-._a-zA-Z0-9]+$
  27657. type: string
  27658. name:
  27659. description: The name of the Secret resource being referred to.
  27660. maxLength: 253
  27661. minLength: 1
  27662. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27663. type: string
  27664. namespace:
  27665. description: |-
  27666. The namespace of the Secret resource being referred to.
  27667. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27668. maxLength: 63
  27669. minLength: 1
  27670. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27671. type: string
  27672. type: object
  27673. secretRef:
  27674. description: |-
  27675. Reference to a key in a Secret that contains the App Role secret used
  27676. to authenticate with Vault.
  27677. The `key` field must be specified and denotes which entry within the Secret
  27678. resource is used as the app role secret.
  27679. properties:
  27680. key:
  27681. description: |-
  27682. A key in the referenced Secret.
  27683. Some instances of this field may be defaulted, in others it may be required.
  27684. maxLength: 253
  27685. minLength: 1
  27686. pattern: ^[-._a-zA-Z0-9]+$
  27687. type: string
  27688. name:
  27689. description: The name of the Secret resource being referred to.
  27690. maxLength: 253
  27691. minLength: 1
  27692. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27693. type: string
  27694. namespace:
  27695. description: |-
  27696. The namespace of the Secret resource being referred to.
  27697. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27698. maxLength: 63
  27699. minLength: 1
  27700. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27701. type: string
  27702. type: object
  27703. required:
  27704. - path
  27705. - secretRef
  27706. type: object
  27707. cert:
  27708. description: |-
  27709. Cert authenticates with Vault by passing a client certificate, private key and CA certificate
  27710. using the Cert authentication method
  27711. properties:
  27712. clientCert:
  27713. description: |-
  27714. ClientCert is a certificate to authenticate using the Cert Vault
  27715. authentication method
  27716. properties:
  27717. key:
  27718. description: |-
  27719. A key in the referenced Secret.
  27720. Some instances of this field may be defaulted, in others it may be required.
  27721. maxLength: 253
  27722. minLength: 1
  27723. pattern: ^[-._a-zA-Z0-9]+$
  27724. type: string
  27725. name:
  27726. description: The name of the Secret resource being referred to.
  27727. maxLength: 253
  27728. minLength: 1
  27729. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27730. type: string
  27731. namespace:
  27732. description: |-
  27733. The namespace of the Secret resource being referred to.
  27734. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27735. maxLength: 63
  27736. minLength: 1
  27737. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27738. type: string
  27739. type: object
  27740. path:
  27741. default: cert
  27742. description: |-
  27743. Path where the Certificate authentication backend is mounted
  27744. in Vault, e.g: "cert"
  27745. type: string
  27746. secretRef:
  27747. description: |-
  27748. SecretRef to a key in a Secret resource containing client private key to
  27749. authenticate with Vault using the Cert authentication method
  27750. properties:
  27751. key:
  27752. description: |-
  27753. A key in the referenced Secret.
  27754. Some instances of this field may be defaulted, in others it may be required.
  27755. maxLength: 253
  27756. minLength: 1
  27757. pattern: ^[-._a-zA-Z0-9]+$
  27758. type: string
  27759. name:
  27760. description: The name of the Secret resource being referred to.
  27761. maxLength: 253
  27762. minLength: 1
  27763. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27764. type: string
  27765. namespace:
  27766. description: |-
  27767. The namespace of the Secret resource being referred to.
  27768. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27769. maxLength: 63
  27770. minLength: 1
  27771. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27772. type: string
  27773. type: object
  27774. vaultRole:
  27775. description: VaultRole specifies the Vault role to use for TLS certificate authentication.
  27776. type: string
  27777. type: object
  27778. gcp:
  27779. description: |-
  27780. Gcp authenticates with Vault using the Google Cloud Platform (GCP)
  27781. authentication method
  27782. properties:
  27783. location:
  27784. description: Location optionally defines a location/region for the secret
  27785. type: string
  27786. path:
  27787. default: gcp
  27788. description: 'Path where the GCP auth method is enabled in Vault, e.g: "gcp"'
  27789. type: string
  27790. projectID:
  27791. description: Project ID of the Google Cloud Platform project
  27792. type: string
  27793. role:
  27794. description: Vault Role. In Vault, a role describes an identity with a set of permissions, groups, or policies you want to attach to a user of the secrets engine.
  27795. type: string
  27796. secretRef:
  27797. description: Specify credentials in a Secret object
  27798. properties:
  27799. secretAccessKeySecretRef:
  27800. description: The SecretAccessKey is used for authentication
  27801. properties:
  27802. key:
  27803. description: |-
  27804. A key in the referenced Secret.
  27805. Some instances of this field may be defaulted, in others it may be required.
  27806. maxLength: 253
  27807. minLength: 1
  27808. pattern: ^[-._a-zA-Z0-9]+$
  27809. type: string
  27810. name:
  27811. description: The name of the Secret resource being referred to.
  27812. maxLength: 253
  27813. minLength: 1
  27814. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27815. type: string
  27816. namespace:
  27817. description: |-
  27818. The namespace of the Secret resource being referred to.
  27819. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27820. maxLength: 63
  27821. minLength: 1
  27822. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27823. type: string
  27824. type: object
  27825. type: object
  27826. serviceAccountRef:
  27827. description: ServiceAccountRef to a service account for impersonation
  27828. properties:
  27829. audiences:
  27830. description: |-
  27831. Audience specifies the `aud` claim for the service account token
  27832. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  27833. then these audiences will be appended to the list
  27834. items:
  27835. type: string
  27836. type: array
  27837. name:
  27838. description: The name of the ServiceAccount resource being referred to.
  27839. maxLength: 253
  27840. minLength: 1
  27841. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27842. type: string
  27843. namespace:
  27844. description: |-
  27845. Namespace of the resource being referred to.
  27846. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27847. maxLength: 63
  27848. minLength: 1
  27849. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27850. type: string
  27851. required:
  27852. - name
  27853. type: object
  27854. workloadIdentity:
  27855. description: Specify a service account with Workload Identity
  27856. properties:
  27857. clusterLocation:
  27858. description: |-
  27859. ClusterLocation is the location of the cluster
  27860. If not specified, it fetches information from the metadata server
  27861. type: string
  27862. clusterName:
  27863. description: |-
  27864. ClusterName is the name of the cluster
  27865. If not specified, it fetches information from the metadata server
  27866. type: string
  27867. clusterProjectID:
  27868. description: |-
  27869. ClusterProjectID is the project ID of the cluster
  27870. If not specified, it fetches information from the metadata server
  27871. type: string
  27872. serviceAccountRef:
  27873. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  27874. properties:
  27875. audiences:
  27876. description: |-
  27877. Audience specifies the `aud` claim for the service account token
  27878. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  27879. then these audiences will be appended to the list
  27880. items:
  27881. type: string
  27882. type: array
  27883. name:
  27884. description: The name of the ServiceAccount resource being referred to.
  27885. maxLength: 253
  27886. minLength: 1
  27887. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27888. type: string
  27889. namespace:
  27890. description: |-
  27891. Namespace of the resource being referred to.
  27892. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27893. maxLength: 63
  27894. minLength: 1
  27895. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27896. type: string
  27897. required:
  27898. - name
  27899. type: object
  27900. required:
  27901. - serviceAccountRef
  27902. type: object
  27903. required:
  27904. - role
  27905. type: object
  27906. iam:
  27907. description: |-
  27908. Iam authenticates with Vault by passing a special AWS request signed with AWS IAM credentials
  27909. using the AWS IAM authentication method
  27910. properties:
  27911. externalID:
  27912. description: AWS External ID set on assumed IAM roles
  27913. type: string
  27914. jwt:
  27915. description: Specify a service account with IRSA enabled
  27916. properties:
  27917. serviceAccountRef:
  27918. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  27919. properties:
  27920. audiences:
  27921. description: |-
  27922. Audience specifies the `aud` claim for the service account token
  27923. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  27924. then these audiences will be appended to the list
  27925. items:
  27926. type: string
  27927. type: array
  27928. name:
  27929. description: The name of the ServiceAccount resource being referred to.
  27930. maxLength: 253
  27931. minLength: 1
  27932. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27933. type: string
  27934. namespace:
  27935. description: |-
  27936. Namespace of the resource being referred to.
  27937. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27938. maxLength: 63
  27939. minLength: 1
  27940. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27941. type: string
  27942. required:
  27943. - name
  27944. type: object
  27945. type: object
  27946. path:
  27947. description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
  27948. type: string
  27949. region:
  27950. description: AWS region
  27951. type: string
  27952. role:
  27953. description: This is the AWS role to be assumed before talking to vault
  27954. type: string
  27955. secretRef:
  27956. description: Specify credentials in a Secret object
  27957. properties:
  27958. accessKeyIDSecretRef:
  27959. description: The AccessKeyID is used for authentication
  27960. properties:
  27961. key:
  27962. description: |-
  27963. A key in the referenced Secret.
  27964. Some instances of this field may be defaulted, in others it may be required.
  27965. maxLength: 253
  27966. minLength: 1
  27967. pattern: ^[-._a-zA-Z0-9]+$
  27968. type: string
  27969. name:
  27970. description: The name of the Secret resource being referred to.
  27971. maxLength: 253
  27972. minLength: 1
  27973. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27974. type: string
  27975. namespace:
  27976. description: |-
  27977. The namespace of the Secret resource being referred to.
  27978. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27979. maxLength: 63
  27980. minLength: 1
  27981. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27982. type: string
  27983. type: object
  27984. secretAccessKeySecretRef:
  27985. description: The SecretAccessKey is used for authentication
  27986. properties:
  27987. key:
  27988. description: |-
  27989. A key in the referenced Secret.
  27990. Some instances of this field may be defaulted, in others it may be required.
  27991. maxLength: 253
  27992. minLength: 1
  27993. pattern: ^[-._a-zA-Z0-9]+$
  27994. type: string
  27995. name:
  27996. description: The name of the Secret resource being referred to.
  27997. maxLength: 253
  27998. minLength: 1
  27999. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28000. type: string
  28001. namespace:
  28002. description: |-
  28003. The namespace of the Secret resource being referred to.
  28004. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28005. maxLength: 63
  28006. minLength: 1
  28007. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28008. type: string
  28009. type: object
  28010. sessionTokenSecretRef:
  28011. description: |-
  28012. The SessionToken used for authentication
  28013. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  28014. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  28015. properties:
  28016. key:
  28017. description: |-
  28018. A key in the referenced Secret.
  28019. Some instances of this field may be defaulted, in others it may be required.
  28020. maxLength: 253
  28021. minLength: 1
  28022. pattern: ^[-._a-zA-Z0-9]+$
  28023. type: string
  28024. name:
  28025. description: The name of the Secret resource being referred to.
  28026. maxLength: 253
  28027. minLength: 1
  28028. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28029. type: string
  28030. namespace:
  28031. description: |-
  28032. The namespace of the Secret resource being referred to.
  28033. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28034. maxLength: 63
  28035. minLength: 1
  28036. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28037. type: string
  28038. type: object
  28039. type: object
  28040. vaultAwsIamServerID:
  28041. description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by the Vault IAM auth method to mitigate different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
  28042. type: string
  28043. vaultRole:
  28044. description: Vault Role. In Vault, a role describes an identity with a set of permissions, groups, or policies you want to attach to a user of the secrets engine.
  28045. type: string
  28046. required:
  28047. - vaultRole
  28048. type: object
  28049. jwt:
  28050. description: |-
  28051. Jwt authenticates with Vault by passing role and JWT token using the
  28052. JWT/OIDC authentication method
  28053. properties:
  28054. kubernetesServiceAccountToken:
  28055. description: |-
  28056. Optional ServiceAccountToken specifies the Kubernetes service account for which to request
  28057. a token with the `TokenRequest` API.
  28058. properties:
  28059. audiences:
  28060. description: |-
  28061. Optional audiences field that will be used to request a temporary Kubernetes service
  28062. account token for the service account referenced by `serviceAccountRef`.
  28063. Defaults to a single audience `vault` if not specified.
  28064. Deprecated: use serviceAccountRef.Audiences instead
  28065. items:
  28066. type: string
  28067. type: array
  28068. expirationSeconds:
  28069. description: |-
  28070. Optional expiration time in seconds that will be used to request a temporary
  28071. Kubernetes service account token for the service account referenced by
  28072. `serviceAccountRef`.
  28073. Deprecated: this will be removed in the future.
  28074. Defaults to 10 minutes.
  28075. format: int64
  28076. type: integer
  28077. serviceAccountRef:
  28078. description: Service account field containing the name of a kubernetes ServiceAccount.
  28079. properties:
  28080. audiences:
  28081. description: |-
  28082. Audience specifies the `aud` claim for the service account token
  28083. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  28084. then these audiences will be appended to the list
  28085. items:
  28086. type: string
  28087. type: array
  28088. name:
  28089. description: The name of the ServiceAccount resource being referred to.
  28090. maxLength: 253
  28091. minLength: 1
  28092. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28093. type: string
  28094. namespace:
  28095. description: |-
  28096. Namespace of the resource being referred to.
  28097. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28098. maxLength: 63
  28099. minLength: 1
  28100. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28101. type: string
  28102. required:
  28103. - name
  28104. type: object
  28105. required:
  28106. - serviceAccountRef
  28107. type: object
  28108. path:
  28109. default: jwt
  28110. description: |-
  28111. Path where the JWT authentication backend is mounted
  28112. in Vault, e.g: "jwt"
  28113. type: string
  28114. role:
  28115. description: |-
  28116. Role is a JWT role to authenticate using the JWT/OIDC Vault
  28117. authentication method
  28118. type: string
  28119. secretRef:
  28120. description: |-
  28121. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  28122. authenticate with Vault using the JWT/OIDC authentication method.
  28123. properties:
  28124. key:
  28125. description: |-
  28126. A key in the referenced Secret.
  28127. Some instances of this field may be defaulted, in others it may be required.
  28128. maxLength: 253
  28129. minLength: 1
  28130. pattern: ^[-._a-zA-Z0-9]+$
  28131. type: string
  28132. name:
  28133. description: The name of the Secret resource being referred to.
  28134. maxLength: 253
  28135. minLength: 1
  28136. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28137. type: string
  28138. namespace:
  28139. description: |-
  28140. The namespace of the Secret resource being referred to.
  28141. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28142. maxLength: 63
  28143. minLength: 1
  28144. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28145. type: string
  28146. type: object
  28147. required:
  28148. - path
  28149. type: object
  28150. kubernetes:
  28151. description: |-
  28152. Kubernetes authenticates with Vault by passing the ServiceAccount
  28153. token stored in the named Secret resource to the Vault server.
  28154. properties:
  28155. mountPath:
  28156. default: kubernetes
  28157. description: |-
  28158. Path where the Kubernetes authentication backend is mounted in Vault, e.g:
  28159. "kubernetes"
  28160. type: string
  28161. role:
  28162. description: |-
  28163. A required field containing the Vault Role to assume. A Role binds a
  28164. Kubernetes ServiceAccount with a set of Vault policies.
  28165. type: string
  28166. secretRef:
  28167. description: |-
  28168. Optional secret field containing a Kubernetes ServiceAccount JWT used
  28169. for authenticating with Vault. If a name is specified without a key,
  28170. `token` is the default. If no secret is specified, the token bound to
  28171. the controller will be used.
  28172. properties:
  28173. key:
  28174. description: |-
  28175. A key in the referenced Secret.
  28176. Some instances of this field may be defaulted, in others it may be required.
  28177. maxLength: 253
  28178. minLength: 1
  28179. pattern: ^[-._a-zA-Z0-9]+$
  28180. type: string
  28181. name:
  28182. description: The name of the Secret resource being referred to.
  28183. maxLength: 253
  28184. minLength: 1
  28185. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28186. type: string
  28187. namespace:
  28188. description: |-
  28189. The namespace of the Secret resource being referred to.
  28190. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28191. maxLength: 63
  28192. minLength: 1
  28193. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28194. type: string
  28195. type: object
  28196. serviceAccountRef:
  28197. description: |-
  28198. Optional service account field containing the name of a kubernetes ServiceAccount.
  28199. If the service account is specified, the service account secret token JWT will be used
  28200. for authenticating with Vault. If the service account selector is not supplied,
  28201. the secretRef will be used instead.
  28202. properties:
  28203. audiences:
  28204. description: |-
  28205. Audience specifies the `aud` claim for the service account token
  28206. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  28207. then these audiences will be appended to the list
  28208. items:
  28209. type: string
  28210. type: array
  28211. name:
  28212. description: The name of the ServiceAccount resource being referred to.
  28213. maxLength: 253
  28214. minLength: 1
  28215. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28216. type: string
  28217. namespace:
  28218. description: |-
  28219. Namespace of the resource being referred to.
  28220. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28221. maxLength: 63
  28222. minLength: 1
  28223. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28224. type: string
  28225. required:
  28226. - name
  28227. type: object
  28228. required:
  28229. - mountPath
  28230. - role
  28231. type: object
  28232. ldap:
  28233. description: |-
  28234. Ldap authenticates with Vault by passing username/password pair using
  28235. the LDAP authentication method
  28236. properties:
  28237. path:
  28238. default: ldap
  28239. description: |-
  28240. Path where the LDAP authentication backend is mounted
  28241. in Vault, e.g: "ldap"
  28242. type: string
  28243. secretRef:
  28244. description: |-
  28245. SecretRef to a key in a Secret resource containing password for the LDAP
  28246. user used to authenticate with Vault using the LDAP authentication
  28247. method
  28248. properties:
  28249. key:
  28250. description: |-
  28251. A key in the referenced Secret.
  28252. Some instances of this field may be defaulted, in others it may be required.
  28253. maxLength: 253
  28254. minLength: 1
  28255. pattern: ^[-._a-zA-Z0-9]+$
  28256. type: string
  28257. name:
  28258. description: The name of the Secret resource being referred to.
  28259. maxLength: 253
  28260. minLength: 1
  28261. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28262. type: string
  28263. namespace:
  28264. description: |-
  28265. The namespace of the Secret resource being referred to.
  28266. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28267. maxLength: 63
  28268. minLength: 1
  28269. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28270. type: string
  28271. type: object
  28272. username:
  28273. description: |-
  28274. Username is an LDAP username used to authenticate using the LDAP Vault
  28275. authentication method
  28276. type: string
  28277. required:
  28278. - path
  28279. - username
  28280. type: object
  28281. namespace:
  28282. description: |-
  28283. Name of the vault namespace to authenticate to. This can be different from the namespace your secret is in.
  28284. Namespaces is a set of features within Vault Enterprise that allows
  28285. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  28286. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  28287. This defaults to the Vault.Namespace field if set, or is empty otherwise
  28288. type: string
  28289. tokenSecretRef:
  28290. description: TokenSecretRef authenticates with Vault by presenting a token.
  28291. properties:
  28292. key:
  28293. description: |-
  28294. A key in the referenced Secret.
  28295. Some instances of this field may be defaulted, in others it may be required.
  28296. maxLength: 253
  28297. minLength: 1
  28298. pattern: ^[-._a-zA-Z0-9]+$
  28299. type: string
  28300. name:
  28301. description: The name of the Secret resource being referred to.
  28302. maxLength: 253
  28303. minLength: 1
  28304. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28305. type: string
  28306. namespace:
  28307. description: |-
  28308. The namespace of the Secret resource being referred to.
  28309. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28310. maxLength: 63
  28311. minLength: 1
  28312. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28313. type: string
  28314. type: object
  28315. userPass:
  28316. description: UserPass authenticates with Vault by passing username/password pair
  28317. properties:
  28318. path:
  28319. default: userpass
  28320. description: |-
  28321. Path where the UserPassword authentication backend is mounted
  28322. in Vault, e.g: "userpass"
  28323. type: string
  28324. secretRef:
  28325. description: |-
  28326. SecretRef to a key in a Secret resource containing password for the
  28327. user used to authenticate with Vault using the UserPass authentication
  28328. method
  28329. properties:
  28330. key:
  28331. description: |-
  28332. A key in the referenced Secret.
  28333. Some instances of this field may be defaulted, in others it may be required.
  28334. maxLength: 253
  28335. minLength: 1
  28336. pattern: ^[-._a-zA-Z0-9]+$
  28337. type: string
  28338. name:
  28339. description: The name of the Secret resource being referred to.
  28340. maxLength: 253
  28341. minLength: 1
  28342. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28343. type: string
  28344. namespace:
  28345. description: |-
  28346. The namespace of the Secret resource being referred to.
  28347. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28348. maxLength: 63
  28349. minLength: 1
  28350. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28351. type: string
  28352. type: object
  28353. username:
  28354. description: |-
  28355. Username is a username used to authenticate using the UserPass Vault
  28356. authentication method
  28357. type: string
  28358. required:
  28359. - path
  28360. - username
  28361. type: object
  28362. type: object
  28363. caBundle:
  28364. description: |-
  28365. PEM encoded CA bundle used to validate Vault server certificate. Only used
  28366. if the Server URL is using HTTPS protocol. This parameter is ignored for
  28367. plain HTTP protocol connection. If not set the system root certificates
  28368. are used to validate the TLS connection.
  28369. format: byte
  28370. type: string
  28371. caProvider:
  28372. description: The provider for the CA bundle to use to validate Vault server certificate.
  28373. properties:
  28374. key:
  28375. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  28376. maxLength: 253
  28377. minLength: 1
  28378. pattern: ^[-._a-zA-Z0-9]+$
  28379. type: string
  28380. name:
  28381. description: The name of the object located at the provider type.
  28382. maxLength: 253
  28383. minLength: 1
  28384. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28385. type: string
  28386. namespace:
  28387. description: |-
  28388. The namespace the Provider type is in.
  28389. Can only be defined when used in a ClusterSecretStore.
  28390. maxLength: 63
  28391. minLength: 1
  28392. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28393. type: string
  28394. type:
  28395. description: The type of provider to use such as "Secret", or "ConfigMap".
  28396. enum:
  28397. - Secret
  28398. - ConfigMap
  28399. type: string
  28400. required:
  28401. - name
  28402. - type
  28403. type: object
  28404. checkAndSet:
  28405. description: |-
  28406. CheckAndSet defines the Check-And-Set (CAS) settings for PushSecret operations.
  28407. Only applies to Vault KV v2 stores. When enabled, write operations must include
  28408. the current version of the secret to prevent unintentional overwrites.
  28409. properties:
  28410. required:
  28411. description: |-
  28412. When Required is true, all write operations must include a check-and-set parameter.
  28413. This helps prevent unintentional overwrites of secrets.
  28414. type: boolean
  28415. type: object
  28416. forwardInconsistent:
  28417. description: |-
  28418. ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
  28419. leader instead of simply retrying within a loop. This can increase performance if
  28420. the option is enabled server-side.
  28421. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  28422. type: boolean
  28423. headers:
  28424. additionalProperties:
  28425. type: string
  28426. description: Headers to be added in Vault request
  28427. type: object
  28428. namespace:
  28429. description: |-
  28430. Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
  28431. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  28432. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  28433. type: string
  28434. path:
  28435. description: |-
  28436. Path is the mount path of the Vault KV backend endpoint, e.g:
  28437. "secret". The v2 KV secret engine version specific "/data" path suffix
  28438. for fetching secrets from Vault is optional and will be appended
  28439. if not present in specified path.
  28440. type: string
  28441. readYourWrites:
  28442. description: |-
  28443. ReadYourWrites ensures isolated read-after-write semantics by
  28444. providing discovered cluster replication states in each request.
  28445. More information about eventual consistency in Vault can be found here
  28446. https://www.vaultproject.io/docs/enterprise/consistency
  28447. type: boolean
  28448. server:
  28449. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  28450. type: string
  28451. tls:
  28452. description: |-
28453. The configuration used for client-side TLS communication, when the Vault server
  28454. requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
  28455. This parameter is ignored for plain HTTP protocol connection.
  28456. It's worth noting this configuration is different from the "TLS certificates auth method",
  28457. which is available under the `auth.cert` section.
  28458. properties:
  28459. certSecretRef:
  28460. description: |-
  28461. CertSecretRef is a certificate added to the transport layer
  28462. when communicating with the Vault server.
28463. If no key for the Secret is specified, external-secrets will default to 'tls.crt'.
  28464. properties:
  28465. key:
  28466. description: |-
  28467. A key in the referenced Secret.
  28468. Some instances of this field may be defaulted, in others it may be required.
  28469. maxLength: 253
  28470. minLength: 1
  28471. pattern: ^[-._a-zA-Z0-9]+$
  28472. type: string
  28473. name:
  28474. description: The name of the Secret resource being referred to.
  28475. maxLength: 253
  28476. minLength: 1
  28477. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28478. type: string
  28479. namespace:
  28480. description: |-
  28481. The namespace of the Secret resource being referred to.
  28482. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28483. maxLength: 63
  28484. minLength: 1
  28485. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28486. type: string
  28487. type: object
  28488. keySecretRef:
  28489. description: |-
  28490. KeySecretRef to a key in a Secret resource containing client private key
  28491. added to the transport layer when communicating with the Vault server.
28492. If no key for the Secret is specified, external-secrets will default to 'tls.key'.
  28493. properties:
  28494. key:
  28495. description: |-
  28496. A key in the referenced Secret.
  28497. Some instances of this field may be defaulted, in others it may be required.
  28498. maxLength: 253
  28499. minLength: 1
  28500. pattern: ^[-._a-zA-Z0-9]+$
  28501. type: string
  28502. name:
  28503. description: The name of the Secret resource being referred to.
  28504. maxLength: 253
  28505. minLength: 1
  28506. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28507. type: string
  28508. namespace:
  28509. description: |-
  28510. The namespace of the Secret resource being referred to.
  28511. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28512. maxLength: 63
  28513. minLength: 1
  28514. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28515. type: string
  28516. type: object
  28517. type: object
  28518. version:
  28519. default: v2
  28520. description: |-
  28521. Version is the Vault KV secret engine version. This can be either "v1" or
  28522. "v2". Version defaults to "v2".
  28523. enum:
  28524. - v1
  28525. - v2
  28526. type: string
  28527. required:
  28528. - server
  28529. type: object
  28530. resultType:
  28531. default: Data
  28532. description: |-
  28533. Result type defines which data is returned from the generator.
  28534. By default, it is the "data" section of the Vault API response.
  28535. When using e.g. /auth/token/create the "data" section is empty but
  28536. the "auth" section contains the generated token.
  28537. Please refer to the vault docs regarding the result data structure.
28538. Additionally, accessing the raw response is possible by using the "Raw" result type.
  28539. enum:
  28540. - Data
  28541. - Auth
  28542. - Raw
  28543. type: string
  28544. retrySettings:
28545. description: Used to configure HTTP retries on failure
  28546. properties:
  28547. maxRetries:
  28548. format: int32
  28549. type: integer
  28550. retryInterval:
  28551. type: string
  28552. type: object
  28553. required:
  28554. - path
  28555. - provider
  28556. type: object
  28557. webhookSpec:
  28558. description: WebhookSpec controls the behavior of the external generator. Any body parameters should be passed to the server through the parameters field.
  28559. properties:
  28560. auth:
28561. description: Auth specifies an authorization protocol. Only one protocol may be set.
  28562. maxProperties: 1
  28563. minProperties: 1
  28564. properties:
  28565. ntlm:
  28566. description: NTLMProtocol configures the store to use NTLM for auth
  28567. properties:
  28568. passwordSecret:
  28569. description: |-
  28570. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  28571. In some instances, `key` is a required field.
  28572. properties:
  28573. key:
  28574. description: |-
  28575. A key in the referenced Secret.
  28576. Some instances of this field may be defaulted, in others it may be required.
  28577. maxLength: 253
  28578. minLength: 1
  28579. pattern: ^[-._a-zA-Z0-9]+$
  28580. type: string
  28581. name:
  28582. description: The name of the Secret resource being referred to.
  28583. maxLength: 253
  28584. minLength: 1
  28585. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28586. type: string
  28587. namespace:
  28588. description: |-
  28589. The namespace of the Secret resource being referred to.
  28590. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28591. maxLength: 63
  28592. minLength: 1
  28593. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28594. type: string
  28595. type: object
  28596. usernameSecret:
  28597. description: |-
  28598. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  28599. In some instances, `key` is a required field.
  28600. properties:
  28601. key:
  28602. description: |-
  28603. A key in the referenced Secret.
  28604. Some instances of this field may be defaulted, in others it may be required.
  28605. maxLength: 253
  28606. minLength: 1
  28607. pattern: ^[-._a-zA-Z0-9]+$
  28608. type: string
  28609. name:
  28610. description: The name of the Secret resource being referred to.
  28611. maxLength: 253
  28612. minLength: 1
  28613. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28614. type: string
  28615. namespace:
  28616. description: |-
  28617. The namespace of the Secret resource being referred to.
  28618. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28619. maxLength: 63
  28620. minLength: 1
  28621. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28622. type: string
  28623. type: object
  28624. required:
  28625. - passwordSecret
  28626. - usernameSecret
  28627. type: object
  28628. type: object
  28629. body:
  28630. description: Body
  28631. type: string
  28632. caBundle:
  28633. description: |-
  28634. PEM encoded CA bundle used to validate webhook server certificate. Only used
  28635. if the Server URL is using HTTPS protocol. This parameter is ignored for
  28636. plain HTTP protocol connection. If not set the system root certificates
  28637. are used to validate the TLS connection.
  28638. format: byte
  28639. type: string
  28640. caProvider:
  28641. description: The provider for the CA bundle to use to validate webhook server certificate.
  28642. properties:
  28643. key:
  28644. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  28645. maxLength: 253
  28646. minLength: 1
  28647. pattern: ^[-._a-zA-Z0-9]+$
  28648. type: string
  28649. name:
  28650. description: The name of the object located at the provider type.
  28651. maxLength: 253
  28652. minLength: 1
  28653. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28654. type: string
  28655. namespace:
  28656. description: The namespace the Provider type is in.
  28657. maxLength: 63
  28658. minLength: 1
  28659. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28660. type: string
  28661. type:
  28662. description: The type of provider to use such as "Secret", or "ConfigMap".
  28663. enum:
  28664. - Secret
  28665. - ConfigMap
  28666. type: string
  28667. required:
  28668. - name
  28669. - type
  28670. type: object
  28671. headers:
  28672. additionalProperties:
  28673. type: string
  28674. description: Headers
  28675. type: object
  28676. method:
  28677. description: Webhook Method
  28678. type: string
  28679. result:
  28680. description: Result formatting
  28681. properties:
  28682. jsonPath:
28683. description: JSON path of the return value
  28684. type: string
  28685. type: object
  28686. secrets:
  28687. description: |-
  28688. Secrets to fill in templates
  28689. These secrets will be passed to the templating function as key value pairs under the given name
  28690. items:
  28691. description: WebhookSecret defines a secret reference that will be used in webhook templates.
  28692. properties:
  28693. name:
  28694. description: Name of this secret in templates
  28695. type: string
  28696. secretRef:
  28697. description: Secret ref to fill in credentials
  28698. properties:
  28699. key:
  28700. description: The key where the token is found.
  28701. maxLength: 253
  28702. minLength: 1
  28703. pattern: ^[-._a-zA-Z0-9]+$
  28704. type: string
  28705. name:
  28706. description: The name of the Secret resource being referred to.
  28707. maxLength: 253
  28708. minLength: 1
  28709. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28710. type: string
  28711. type: object
  28712. required:
  28713. - name
  28714. - secretRef
  28715. type: object
  28716. type: array
  28717. timeout:
  28718. description: Timeout
  28719. type: string
  28720. url:
28721. description: Webhook URL to call
  28722. type: string
  28723. required:
  28724. - result
  28725. - url
  28726. type: object
  28727. type: object
  28728. kind:
  28729. description: Kind the kind of this generator.
  28730. enum:
  28731. - ACRAccessToken
  28732. - BeyondtrustWorkloadCredentialsDynamicSecret
  28733. - CloudsmithAccessToken
  28734. - ECRAuthorizationToken
  28735. - Fake
  28736. - GCRAccessToken
  28737. - GithubAccessToken
  28738. - GitlabDeployToken
  28739. - QuayAccessToken
  28740. - Password
  28741. - SSHKey
  28742. - STSSessionToken
  28743. - UUID
  28744. - VaultDynamicSecret
  28745. - Webhook
  28746. - Grafana
  28747. - MFA
  28748. type: string
  28749. required:
  28750. - generator
  28751. - kind
  28752. type: object
  28753. type: object
  28754. served: true
  28755. storage: true
  28756. subresources:
  28757. status: {}
  28758. ---
  28759. apiVersion: apiextensions.k8s.io/v1
  28760. kind: CustomResourceDefinition
  28761. metadata:
  28762. annotations:
  28763. controller-gen.kubebuilder.io/version: v0.19.0
  28764. labels:
  28765. external-secrets.io/component: controller
  28766. name: ecrauthorizationtokens.generators.external-secrets.io
  28767. spec:
  28768. group: generators.external-secrets.io
  28769. names:
  28770. categories:
  28771. - external-secrets
  28772. - external-secrets-generators
  28773. kind: ECRAuthorizationToken
  28774. listKind: ECRAuthorizationTokenList
  28775. plural: ecrauthorizationtokens
  28776. singular: ecrauthorizationtoken
  28777. scope: Namespaced
  28778. versions:
  28779. - name: v1alpha1
  28780. schema:
  28781. openAPIV3Schema:
  28782. description: |-
  28783. ECRAuthorizationToken uses the GetAuthorizationToken API to retrieve an authorization token.
  28784. The authorization token is valid for 12 hours.
  28785. The authorizationToken returned is a base64 encoded string that can be decoded
  28786. and used in a docker login command to authenticate to a registry.
  28787. For more information, see Registry authentication (https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html#registry_auth) in the Amazon Elastic Container Registry User Guide.
  28788. properties:
  28789. apiVersion:
  28790. description: |-
  28791. APIVersion defines the versioned schema of this representation of an object.
  28792. Servers should convert recognized schemas to the latest internal value, and
  28793. may reject unrecognized values.
  28794. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  28795. type: string
  28796. kind:
  28797. description: |-
  28798. Kind is a string value representing the REST resource this object represents.
  28799. Servers may infer this from the endpoint the client submits requests to.
  28800. Cannot be updated.
  28801. In CamelCase.
  28802. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  28803. type: string
  28804. metadata:
  28805. type: object
  28806. spec:
  28807. description: ECRAuthorizationTokenSpec defines the desired state to generate an AWS ECR authorization token.
  28808. properties:
  28809. auth:
  28810. description: Auth defines how to authenticate with AWS
  28811. properties:
  28812. jwt:
  28813. description: AWSJWTAuth provides configuration to authenticate against AWS using service account tokens.
  28814. properties:
  28815. serviceAccountRef:
  28816. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  28817. properties:
  28818. audiences:
  28819. description: |-
  28820. Audience specifies the `aud` claim for the service account token
  28821. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
28822. then these audiences will be appended to the list
  28823. items:
  28824. type: string
  28825. type: array
  28826. name:
  28827. description: The name of the ServiceAccount resource being referred to.
  28828. maxLength: 253
  28829. minLength: 1
  28830. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28831. type: string
  28832. namespace:
  28833. description: |-
  28834. Namespace of the resource being referred to.
  28835. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28836. maxLength: 63
  28837. minLength: 1
  28838. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28839. type: string
  28840. required:
  28841. - name
  28842. type: object
  28843. type: object
  28844. secretRef:
  28845. description: |-
  28846. AWSAuthSecretRef holds secret references for AWS credentials
  28847. both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  28848. properties:
  28849. accessKeyIDSecretRef:
  28850. description: The AccessKeyID is used for authentication
  28851. properties:
  28852. key:
  28853. description: |-
  28854. A key in the referenced Secret.
  28855. Some instances of this field may be defaulted, in others it may be required.
  28856. maxLength: 253
  28857. minLength: 1
  28858. pattern: ^[-._a-zA-Z0-9]+$
  28859. type: string
  28860. name:
  28861. description: The name of the Secret resource being referred to.
  28862. maxLength: 253
  28863. minLength: 1
  28864. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28865. type: string
  28866. namespace:
  28867. description: |-
  28868. The namespace of the Secret resource being referred to.
  28869. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28870. maxLength: 63
  28871. minLength: 1
  28872. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28873. type: string
  28874. type: object
  28875. secretAccessKeySecretRef:
  28876. description: The SecretAccessKey is used for authentication
  28877. properties:
  28878. key:
  28879. description: |-
  28880. A key in the referenced Secret.
  28881. Some instances of this field may be defaulted, in others it may be required.
  28882. maxLength: 253
  28883. minLength: 1
  28884. pattern: ^[-._a-zA-Z0-9]+$
  28885. type: string
  28886. name:
  28887. description: The name of the Secret resource being referred to.
  28888. maxLength: 253
  28889. minLength: 1
  28890. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28891. type: string
  28892. namespace:
  28893. description: |-
  28894. The namespace of the Secret resource being referred to.
  28895. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28896. maxLength: 63
  28897. minLength: 1
  28898. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28899. type: string
  28900. type: object
  28901. sessionTokenSecretRef:
  28902. description: |-
  28903. The SessionToken used for authentication
  28904. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  28905. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  28906. properties:
  28907. key:
  28908. description: |-
  28909. A key in the referenced Secret.
  28910. Some instances of this field may be defaulted, in others it may be required.
  28911. maxLength: 253
  28912. minLength: 1
  28913. pattern: ^[-._a-zA-Z0-9]+$
  28914. type: string
  28915. name:
  28916. description: The name of the Secret resource being referred to.
  28917. maxLength: 253
  28918. minLength: 1
  28919. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28920. type: string
  28921. namespace:
  28922. description: |-
  28923. The namespace of the Secret resource being referred to.
  28924. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28925. maxLength: 63
  28926. minLength: 1
  28927. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28928. type: string
  28929. type: object
  28930. type: object
  28931. type: object
  28932. region:
  28933. description: Region specifies the region to operate in.
  28934. type: string
  28935. role:
  28936. description: |-
  28937. You can assume a role before making calls to the
  28938. desired AWS service.
  28939. type: string
  28940. scope:
  28941. description: |-
  28942. Scope specifies the ECR service scope.
  28943. Valid options are private and public.
  28944. type: string
  28945. required:
  28946. - region
  28947. type: object
  28948. type: object
  28949. served: true
  28950. storage: true
  28951. subresources:
  28952. status: {}
  28953. ---
  28954. apiVersion: apiextensions.k8s.io/v1
  28955. kind: CustomResourceDefinition
  28956. metadata:
  28957. annotations:
  28958. controller-gen.kubebuilder.io/version: v0.19.0
  28959. labels:
  28960. external-secrets.io/component: controller
  28961. name: fakes.generators.external-secrets.io
  28962. spec:
  28963. group: generators.external-secrets.io
  28964. names:
  28965. categories:
  28966. - external-secrets
  28967. - external-secrets-generators
  28968. kind: Fake
  28969. listKind: FakeList
  28970. plural: fakes
  28971. singular: fake
  28972. scope: Namespaced
  28973. versions:
  28974. - name: v1alpha1
  28975. schema:
  28976. openAPIV3Schema:
  28977. description: |-
  28978. Fake generator is used for testing. It lets you define
  28979. a static set of credentials that is always returned.
  28980. properties:
  28981. apiVersion:
  28982. description: |-
  28983. APIVersion defines the versioned schema of this representation of an object.
  28984. Servers should convert recognized schemas to the latest internal value, and
  28985. may reject unrecognized values.
  28986. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  28987. type: string
  28988. kind:
  28989. description: |-
  28990. Kind is a string value representing the REST resource this object represents.
  28991. Servers may infer this from the endpoint the client submits requests to.
  28992. Cannot be updated.
  28993. In CamelCase.
  28994. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  28995. type: string
  28996. metadata:
  28997. type: object
  28998. spec:
  28999. description: FakeSpec contains the static data.
  29000. properties:
  29001. controller:
  29002. description: |-
  29003. Used to select the correct ESO controller (think: ingress.ingressClassName)
  29004. The ESO controller is instantiated with a specific controller name and filters VDS based on this property
  29005. type: string
  29006. data:
  29007. additionalProperties:
  29008. type: string
  29009. description: |-
  29010. Data defines the static data returned
  29011. by this generator.
  29012. type: object
  29013. type: object
  29014. type: object
  29015. served: true
  29016. storage: true
  29017. subresources:
  29018. status: {}
  29019. ---
  29020. apiVersion: apiextensions.k8s.io/v1
  29021. kind: CustomResourceDefinition
  29022. metadata:
  29023. annotations:
  29024. controller-gen.kubebuilder.io/version: v0.19.0
  29025. labels:
  29026. external-secrets.io/component: controller
  29027. name: gcraccesstokens.generators.external-secrets.io
  29028. spec:
  29029. group: generators.external-secrets.io
  29030. names:
  29031. categories:
  29032. - external-secrets
  29033. - external-secrets-generators
  29034. kind: GCRAccessToken
  29035. listKind: GCRAccessTokenList
  29036. plural: gcraccesstokens
  29037. singular: gcraccesstoken
  29038. scope: Namespaced
  29039. versions:
  29040. - name: v1alpha1
  29041. schema:
  29042. openAPIV3Schema:
  29043. description: |-
29044. GCRAccessToken generates a GCP access token
  29045. that can be used to authenticate with GCR.
  29046. properties:
  29047. apiVersion:
  29048. description: |-
  29049. APIVersion defines the versioned schema of this representation of an object.
  29050. Servers should convert recognized schemas to the latest internal value, and
  29051. may reject unrecognized values.
  29052. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  29053. type: string
  29054. kind:
  29055. description: |-
  29056. Kind is a string value representing the REST resource this object represents.
  29057. Servers may infer this from the endpoint the client submits requests to.
  29058. Cannot be updated.
  29059. In CamelCase.
  29060. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  29061. type: string
  29062. metadata:
  29063. type: object
  29064. spec:
  29065. description: GCRAccessTokenSpec defines the desired state to generate a Google Container Registry access token.
  29066. properties:
  29067. auth:
  29068. description: Auth defines the means for authenticating with GCP
  29069. properties:
  29070. secretRef:
  29071. description: GCPSMAuthSecretRef defines the reference to a secret containing Google Cloud Platform credentials.
  29072. properties:
  29073. secretAccessKeySecretRef:
  29074. description: The SecretAccessKey is used for authentication
  29075. properties:
  29076. key:
  29077. description: |-
  29078. A key in the referenced Secret.
  29079. Some instances of this field may be defaulted, in others it may be required.
  29080. maxLength: 253
  29081. minLength: 1
  29082. pattern: ^[-._a-zA-Z0-9]+$
  29083. type: string
  29084. name:
  29085. description: The name of the Secret resource being referred to.
  29086. maxLength: 253
  29087. minLength: 1
  29088. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29089. type: string
  29090. namespace:
  29091. description: |-
  29092. The namespace of the Secret resource being referred to.
  29093. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  29094. maxLength: 63
  29095. minLength: 1
  29096. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29097. type: string
  29098. type: object
  29099. type: object
  29100. workloadIdentity:
  29101. description: GCPWorkloadIdentity defines the configuration for using GCP Workload Identity authentication.
  29102. properties:
  29103. clusterLocation:
  29104. type: string
  29105. clusterName:
  29106. type: string
  29107. clusterProjectID:
  29108. type: string
  29109. serviceAccountRef:
  29110. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  29111. properties:
  29112. audiences:
  29113. description: |-
  29114. Audience specifies the `aud` claim for the service account token
  29115. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
29116. then these audiences will be appended to the list
  29117. items:
  29118. type: string
  29119. type: array
  29120. name:
  29121. description: The name of the ServiceAccount resource being referred to.
  29122. maxLength: 253
  29123. minLength: 1
  29124. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29125. type: string
  29126. namespace:
  29127. description: |-
  29128. Namespace of the resource being referred to.
  29129. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  29130. maxLength: 63
  29131. minLength: 1
  29132. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29133. type: string
  29134. required:
  29135. - name
  29136. type: object
  29137. required:
  29138. - clusterLocation
  29139. - clusterName
  29140. - serviceAccountRef
  29141. type: object
  29142. workloadIdentityFederation:
  29143. description: GCPWorkloadIdentityFederation holds the configurations required for generating federated access tokens.
  29144. properties:
  29145. audience:
  29146. description: |-
  29147. audience is the Secure Token Service (STS) audience which contains the resource name for the workload identity pool and the provider identifier in that pool.
  29148. If specified, Audience found in the external account credential config will be overridden with the configured value.
  29149. audience must be provided when serviceAccountRef or awsSecurityCredentials is configured.
  29150. type: string
  29151. awsSecurityCredentials:
  29152. description: |-
  29153. awsSecurityCredentials is for configuring AWS region and credentials to use for obtaining the access token,
  29154. when using the AWS metadata server is not an option.
  29155. properties:
  29156. awsCredentialsSecretRef:
  29157. description: |-
  29158. awsCredentialsSecretRef is the reference to the secret which holds the AWS credentials.
  29159. Secret should be created with below names for keys
  29160. - aws_access_key_id: Access Key ID, which is the unique identifier for the AWS account or the IAM user.
  29161. - aws_secret_access_key: Secret Access Key, which is used to authenticate requests made to AWS services.
  29162. - aws_session_token: Session Token, is the short-lived token to authenticate requests made to AWS services.
  29163. properties:
  29164. name:
  29165. description: name of the secret.
  29166. maxLength: 253
  29167. minLength: 1
  29168. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29169. type: string
  29170. namespace:
29171. description: namespace in which the secret exists. If empty, the secret will be looked up in the local namespace.
  29172. maxLength: 63
  29173. minLength: 1
  29174. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29175. type: string
  29176. required:
  29177. - name
  29178. type: object
  29179. region:
  29180. description: region is for configuring the AWS region to be used.
  29181. example: ap-south-1
  29182. maxLength: 50
  29183. minLength: 1
  29184. pattern: ^[a-z0-9-]+$
  29185. type: string
  29186. required:
  29187. - awsCredentialsSecretRef
  29188. - region
  29189. type: object
  29190. credConfig:
  29191. description: |-
  29192. credConfig holds the configmap reference containing the GCP external account credential configuration in JSON format and the key name containing the json data.
29193. For using a Kubernetes cluster as the identity provider, use serviceAccountRef instead. The operator's mounted serviceaccount token cannot be used as the token source; instead,
29194. serviceAccountRef must be used by providing the operator's service account details.
  29195. properties:
  29196. key:
  29197. description: key name holding the external account credential config.
  29198. maxLength: 253
  29199. minLength: 1
  29200. pattern: ^[-._a-zA-Z0-9]+$
  29201. type: string
  29202. name:
  29203. description: name of the configmap.
  29204. maxLength: 253
  29205. minLength: 1
  29206. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29207. type: string
  29208. namespace:
29209. description: namespace in which the configmap exists. If empty, the configmap will be looked up in the local namespace.
  29210. maxLength: 63
  29211. minLength: 1
  29212. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29213. type: string
  29214. required:
  29215. - key
  29216. - name
  29217. type: object
  29218. externalTokenEndpoint:
  29219. description: |-
  29220. externalTokenEndpoint is the endpoint explicitly set up to provide tokens, which will be matched against the
  29221. credential_source.url in the provided credConfig. This field is merely to double-check the external token source
29222. URL has the expected value.
  29223. type: string
  29224. gcpServiceAccountEmail:
  29225. description: |-
  29226. GCPServiceAccountEmail is the email of the Google Cloud service account to impersonate
  29227. after Workload Identity Federation. Use this to grant access through the service account's
  29228. IAM bindings (for example roles/secretmanager.secretAccessor). When set, it overrides
  29229. service_account_impersonation_url in the external account JSON from credConfig;
  29230. when serviceAccountRef is set, it also overrides the "iam.gke.io/gcp-service-account" annotation
  29231. on that ServiceAccount.
  29232. example: my-gsa@my-project.iam.gserviceaccount.com
  29233. minLength: 1
  29234. pattern: ^.*@.*\.iam\.gserviceaccount\.com$
  29235. type: string
  29236. serviceAccountRef:
  29237. description: |-
  29238. serviceAccountRef is the reference to the kubernetes ServiceAccount to be used for obtaining the tokens,
  29239. when Kubernetes is configured as provider in workload identity pool.
  29240. properties:
  29241. audiences:
  29242. description: |-
  29243. Audience specifies the `aud` claim for the service account token
  29244. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
29245. then these audiences will be appended to the list
  29246. items:
  29247. type: string
  29248. type: array
  29249. name:
  29250. description: The name of the ServiceAccount resource being referred to.
  29251. maxLength: 253
  29252. minLength: 1
  29253. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29254. type: string
  29255. namespace:
  29256. description: |-
  29257. Namespace of the resource being referred to.
  29258. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  29259. maxLength: 63
  29260. minLength: 1
  29261. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29262. type: string
  29263. required:
  29264. - name
  29265. type: object
  29266. type: object
  29267. type: object
  29268. projectID:
  29269. description: ProjectID defines which project to use to authenticate with
  29270. type: string
  29271. required:
  29272. - auth
  29273. - projectID
  29274. type: object
  29275. type: object
  29276. served: true
  29277. storage: true
  29278. subresources:
  29279. status: {}
  29280. ---
  29281. apiVersion: apiextensions.k8s.io/v1
  29282. kind: CustomResourceDefinition
  29283. metadata:
  29284. annotations:
  29285. controller-gen.kubebuilder.io/version: v0.19.0
  29286. labels:
  29287. external-secrets.io/component: controller
  29288. name: generatorstates.generators.external-secrets.io
  29289. spec:
  29290. group: generators.external-secrets.io
  29291. names:
  29292. categories:
  29293. - external-secrets
  29294. - external-secrets-generators
  29295. kind: GeneratorState
  29296. listKind: GeneratorStateList
  29297. plural: generatorstates
  29298. shortNames:
  29299. - gs
  29300. singular: generatorstate
  29301. scope: Namespaced
  29302. versions:
  29303. - additionalPrinterColumns:
  29304. - jsonPath: .spec.garbageCollectionDeadline
  29305. name: GC Deadline
  29306. type: string
  29307. - jsonPath: .metadata.creationTimestamp
  29308. name: Age
  29309. type: date
  29310. name: v1alpha1
  29311. schema:
  29312. openAPIV3Schema:
  29313. description: GeneratorState represents the state created and managed by a generator resource.
  29314. properties:
  29315. apiVersion:
  29316. description: |-
  29317. APIVersion defines the versioned schema of this representation of an object.
  29318. Servers should convert recognized schemas to the latest internal value, and
  29319. may reject unrecognized values.
  29320. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  29321. type: string
  29322. kind:
  29323. description: |-
  29324. Kind is a string value representing the REST resource this object represents.
  29325. Servers may infer this from the endpoint the client submits requests to.
  29326. Cannot be updated.
  29327. In CamelCase.
  29328. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  29329. type: string
  29330. metadata:
  29331. type: object
  29332. spec:
  29333. description: GeneratorStateSpec defines the desired state of a generator state resource.
  29334. properties:
  29335. garbageCollectionDeadline:
  29336. description: |-
  29337. GarbageCollectionDeadline is the time after which the generator state
  29338. will be deleted.
  29339. It is set by the controller which creates the generator state and
  29340. can be configured by the user.
  29341. If the garbage collection deadline is not set the generator state will not be deleted.
  29342. format: date-time
  29343. type: string
  29344. resource:
  29345. description: |-
  29346. Resource is the generator manifest that produced the state.
  29347. It is a snapshot of the generator manifest at the time the state was produced.
  29348. This manifest will be used to delete the resource. Any configuration that is referenced
  29349. in the manifest should be available at the time of garbage collection. If that is not the case deletion will
  29350. be blocked by a finalizer.
  29351. x-kubernetes-preserve-unknown-fields: true
  29352. state:
  29353. description: State is the state that was produced by the generator implementation.
  29354. x-kubernetes-preserve-unknown-fields: true
  29355. required:
  29356. - resource
  29357. - state
  29358. type: object
  29359. status:
  29360. description: GeneratorStateStatus defines the observed state of a generator state resource.
  29361. properties:
  29362. conditions:
  29363. items:
  29364. description: GeneratorStateStatusCondition represents the observed condition of a generator state.
  29365. properties:
  29366. lastTransitionTime:
  29367. format: date-time
  29368. type: string
  29369. message:
  29370. type: string
  29371. reason:
  29372. type: string
  29373. status:
  29374. type: string
  29375. type:
  29376. description: GeneratorStateConditionType represents the type of condition for a generator state.
  29377. type: string
  29378. required:
  29379. - status
  29380. - type
  29381. type: object
  29382. type: array
  29383. type: object
  29384. type: object
  29385. served: true
  29386. storage: true
  29387. subresources: {}
  29388. ---
  29389. apiVersion: apiextensions.k8s.io/v1
  29390. kind: CustomResourceDefinition
  29391. metadata:
  29392. annotations:
  29393. controller-gen.kubebuilder.io/version: v0.19.0
  29394. labels:
  29395. external-secrets.io/component: controller
  29396. name: githubaccesstokens.generators.external-secrets.io
  29397. spec:
  29398. group: generators.external-secrets.io
  29399. names:
  29400. categories:
  29401. - external-secrets
  29402. - external-secrets-generators
  29403. kind: GithubAccessToken
  29404. listKind: GithubAccessTokenList
  29405. plural: githubaccesstokens
  29406. singular: githubaccesstoken
  29407. scope: Namespaced
  29408. versions:
  29409. - name: v1alpha1
  29410. schema:
  29411. openAPIV3Schema:
  29412. description: GithubAccessToken generates ghs_ accessToken
  29413. properties:
  29414. apiVersion:
  29415. description: |-
  29416. APIVersion defines the versioned schema of this representation of an object.
  29417. Servers should convert recognized schemas to the latest internal value, and
  29418. may reject unrecognized values.
  29419. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  29420. type: string
  29421. kind:
  29422. description: |-
  29423. Kind is a string value representing the REST resource this object represents.
  29424. Servers may infer this from the endpoint the client submits requests to.
  29425. Cannot be updated.
  29426. In CamelCase.
  29427. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  29428. type: string
  29429. metadata:
  29430. type: object
  29431. spec:
  29432. description: GithubAccessTokenSpec defines the desired state to generate a GitHub access token.
  29433. properties:
  29434. appID:
  29435. type: string
  29436. auth:
  29437. description: Auth configures how ESO authenticates with a Github instance.
  29438. properties:
  29439. privateKey:
  29440. description: GithubSecretRef references a secret containing GitHub credentials.
  29441. properties:
  29442. secretRef:
  29443. description: |-
  29444. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  29445. In some instances, `key` is a required field.
  29446. properties:
  29447. key:
  29448. description: |-
  29449. A key in the referenced Secret.
  29450. Some instances of this field may be defaulted, in others it may be required.
  29451. maxLength: 253
  29452. minLength: 1
  29453. pattern: ^[-._a-zA-Z0-9]+$
  29454. type: string
  29455. name:
  29456. description: The name of the Secret resource being referred to.
  29457. maxLength: 253
  29458. minLength: 1
  29459. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29460. type: string
  29461. namespace:
  29462. description: |-
  29463. The namespace of the Secret resource being referred to.
  29464. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  29465. maxLength: 63
  29466. minLength: 1
  29467. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29468. type: string
  29469. type: object
  29470. required:
  29471. - secretRef
  29472. type: object
  29473. required:
  29474. - privateKey
  29475. type: object
  29476. installID:
  29477. type: string
  29478. permissions:
  29479. additionalProperties:
  29480. type: string
  29481. description: Map of permissions the token will have. If omitted, defaults to all permissions the GitHub App has.
  29482. type: object
  29483. repositories:
  29484. description: |-
  29485. List of repositories the token will have access to. If omitted, defaults to all repositories the GitHub App
  29486. is installed to.
  29487. items:
  29488. type: string
  29489. type: array
  29490. url:
  29491. description: URL configures the GitHub instance URL. Defaults to https://github.com/.
  29492. type: string
  29493. required:
  29494. - appID
  29495. - auth
  29496. - installID
  29497. type: object
  29498. type: object
  29499. served: true
  29500. storage: true
  29501. subresources:
  29502. status: {}
  29503. ---
  29504. apiVersion: apiextensions.k8s.io/v1
  29505. kind: CustomResourceDefinition
  29506. metadata:
  29507. annotations:
  29508. controller-gen.kubebuilder.io/version: v0.19.0
  29509. labels:
  29510. external-secrets.io/component: controller
  29511. name: gitlabdeploytokens.generators.external-secrets.io
  29512. spec:
  29513. group: generators.external-secrets.io
  29514. names:
  29515. categories:
  29516. - external-secrets
  29517. - external-secrets-generators
  29518. kind: GitlabDeployToken
  29519. listKind: GitlabDeployTokenList
  29520. plural: gitlabdeploytokens
  29521. singular: gitlabdeploytoken
  29522. scope: Namespaced
  29523. versions:
  29524. - name: v1alpha1
  29525. schema:
  29526. openAPIV3Schema:
  29527. description: GitlabDeployToken generates a GitLab deploy token.
  29528. properties:
  29529. apiVersion:
  29530. description: |-
  29531. APIVersion defines the versioned schema of this representation of an object.
  29532. Servers should convert recognized schemas to the latest internal value, and
  29533. may reject unrecognized values.
  29534. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  29535. type: string
  29536. kind:
  29537. description: |-
  29538. Kind is a string value representing the REST resource this object represents.
  29539. Servers may infer this from the endpoint the client submits requests to.
  29540. Cannot be updated.
  29541. In CamelCase.
  29542. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  29543. type: string
  29544. metadata:
  29545. type: object
  29546. spec:
  29547. description: GitlabDeployTokenSpec defines the desired state to generate a GitLab deploy token.
  29548. properties:
  29549. auth:
  29550. description: Auth configures how ESO authenticates with the GitLab API.
  29551. properties:
  29552. token:
  29553. description: |-
  29554. Token references a secret containing a GitLab access token (personal, group, or
  29555. project) with the api scope and at least the Maintainer role on the target.
  29556. properties:
  29557. secretRef:
  29558. description: |-
  29559. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  29560. In some instances, `key` is a required field.
  29561. properties:
  29562. key:
  29563. description: |-
  29564. A key in the referenced Secret.
  29565. Some instances of this field may be defaulted, in others it may be required.
  29566. maxLength: 253
  29567. minLength: 1
  29568. pattern: ^[-._a-zA-Z0-9]+$
  29569. type: string
  29570. name:
  29571. description: The name of the Secret resource being referred to.
  29572. maxLength: 253
  29573. minLength: 1
  29574. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29575. type: string
  29576. namespace:
  29577. description: |-
  29578. The namespace of the Secret resource being referred to.
  29579. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  29580. maxLength: 63
  29581. minLength: 1
  29582. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29583. type: string
  29584. type: object
  29585. required:
  29586. - secretRef
  29587. type: object
  29588. required:
  29589. - token
  29590. type: object
  29591. expiresAt:
  29592. description: |-
  29593. ExpiresAt is an optional expiry for the deploy token. If omitted the token does
  29594. not expire on the GitLab side and is revoked only when the generator state is
  29595. cleaned up (on regeneration or when the consuming ExternalSecret is deleted).
  29596. format: date-time
  29597. type: string
  29598. groupID:
  29599. description: |-
  29600. GroupID is the numeric ID or unescaped path (e.g. parent/group) of the group to
  29601. create the deploy token in. The generator URL-escapes paths before calling the
  29602. GitLab API, so do not pre-encode. Mutually exclusive with projectID.
  29603. minLength: 1
  29604. type: string
  29605. name:
  29606. description: Name of the deploy token.
  29607. minLength: 1
  29608. type: string
  29609. projectID:
  29610. description: |-
  29611. ProjectID is the numeric ID or unescaped path (e.g. group/project) of the
  29612. project to create the deploy token in. The generator URL-escapes paths before
  29613. calling the GitLab API, so do not pre-encode. Mutually exclusive with groupID.
  29614. minLength: 1
  29615. type: string
  29616. scopes:
  29617. description: Scopes granted to the deploy token. At least one scope is required.
  29618. items:
  29619. description: GitlabDeployTokenScope is a scope that can be granted to a GitLab deploy token.
  29620. enum:
  29621. - read_repository
  29622. - read_registry
  29623. - write_registry
  29624. - read_package_registry
  29625. - write_package_registry
  29626. - read_virtual_registry
  29627. - write_virtual_registry
  29628. type: string
  29629. minItems: 1
  29630. type: array
  29631. url:
  29632. description: URL configures the GitLab instance URL. Defaults to https://gitlab.com.
  29633. type: string
  29634. username:
  29635. description: |-
  29636. Username is an optional username for the deploy token. GitLab defaults it to
  29637. gitlab+deploy-token-{n} when omitted.
  29638. type: string
  29639. required:
  29640. - auth
  29641. - name
  29642. - scopes
  29643. type: object
  29644. x-kubernetes-validations:
  29645. - message: exactly one of projectID or groupID must be set
  29646. rule: has(self.projectID) != has(self.groupID)
  29647. type: object
  29648. served: true
  29649. storage: true
  29650. subresources:
  29651. status: {}
  29652. ---
  29653. apiVersion: apiextensions.k8s.io/v1
  29654. kind: CustomResourceDefinition
  29655. metadata:
  29656. annotations:
  29657. controller-gen.kubebuilder.io/version: v0.19.0
  29658. labels:
  29659. external-secrets.io/component: controller
  29660. name: grafanas.generators.external-secrets.io
  29661. spec:
  29662. group: generators.external-secrets.io
  29663. names:
  29664. categories:
  29665. - external-secrets
  29666. - external-secrets-generators
  29667. kind: Grafana
  29668. listKind: GrafanaList
  29669. plural: grafanas
  29670. singular: grafana
  29671. scope: Namespaced
  29672. versions:
  29673. - name: v1alpha1
  29674. schema:
  29675. openAPIV3Schema:
  29676. description: Grafana represents a generator for Grafana service account tokens.
  29677. properties:
  29678. apiVersion:
  29679. description: |-
  29680. APIVersion defines the versioned schema of this representation of an object.
  29681. Servers should convert recognized schemas to the latest internal value, and
  29682. may reject unrecognized values.
  29683. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  29684. type: string
  29685. kind:
  29686. description: |-
  29687. Kind is a string value representing the REST resource this object represents.
  29688. Servers may infer this from the endpoint the client submits requests to.
  29689. Cannot be updated.
  29690. In CamelCase.
  29691. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  29692. type: string
  29693. metadata:
  29694. type: object
  29695. spec:
  29696. description: GrafanaSpec controls the behavior of the grafana generator.
  29697. properties:
  29698. auth:
  29699. description: |-
  29700. Auth is the authentication configuration to authenticate
  29701. against the Grafana instance.
  29702. properties:
  29703. basic:
  29704. description: |-
  29705. Basic auth credentials used to authenticate against the Grafana instance.
  29706. Note: these credentials need elevated permissions to create service accounts.
  29707. See here for the documentation on basic roles offered by Grafana:
  29708. https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/
  29709. properties:
  29710. password:
  29711. description: A basic auth password used to authenticate against the Grafana instance.
  29712. properties:
  29713. key:
  29714. description: The key where the token is found.
  29715. maxLength: 253
  29716. minLength: 1
  29717. pattern: ^[-._a-zA-Z0-9]+$
  29718. type: string
  29719. name:
  29720. description: The name of the Secret resource being referred to.
  29721. maxLength: 253
  29722. minLength: 1
  29723. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29724. type: string
  29725. type: object
  29726. username:
  29727. description: A basic auth username used to authenticate against the Grafana instance.
  29728. type: string
  29729. required:
  29730. - password
  29731. - username
  29732. type: object
  29733. token:
  29734. description: |-
  29735. A service account token used to authenticate against the Grafana instance.
  29736. Note: you need a token which has elevated permissions to create service accounts.
  29737. See here for the documentation on basic roles offered by Grafana:
  29738. https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/
  29739. properties:
  29740. key:
  29741. description: The key where the token is found.
  29742. maxLength: 253
  29743. minLength: 1
  29744. pattern: ^[-._a-zA-Z0-9]+$
  29745. type: string
  29746. name:
  29747. description: The name of the Secret resource being referred to.
  29748. maxLength: 253
  29749. minLength: 1
  29750. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29751. type: string
  29752. type: object
  29753. type: object
  29754. serviceAccount:
  29755. description: |-
  29756. ServiceAccount is the configuration for the service account that
  29757. is supposed to be generated by the generator.
  29758. properties:
  29759. name:
  29760. description: Name is the name of the service account that will be created by ESO.
  29761. type: string
  29762. role:
  29763. description: |-
  29764. Role is the role of the service account.
  29765. See here for the documentation on basic roles offered by Grafana:
  29766. https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/
  29767. type: string
  29768. required:
  29769. - name
  29770. - role
  29771. type: object
  29772. url:
  29773. description: URL is the URL of the Grafana instance.
  29774. type: string
  29775. required:
  29776. - auth
  29777. - serviceAccount
  29778. - url
  29779. type: object
  29780. type: object
  29781. served: true
  29782. storage: true
  29783. subresources:
  29784. status: {}
  29785. ---
  29786. apiVersion: apiextensions.k8s.io/v1
  29787. kind: CustomResourceDefinition
  29788. metadata:
  29789. annotations:
  29790. controller-gen.kubebuilder.io/version: v0.19.0
  29791. labels:
  29792. external-secrets.io/component: controller
  29793. name: mfas.generators.external-secrets.io
  29794. spec:
  29795. group: generators.external-secrets.io
  29796. names:
  29797. categories:
  29798. - external-secrets
  29799. - external-secrets-generators
  29800. kind: MFA
  29801. listKind: MFAList
  29802. plural: mfas
  29803. singular: mfa
  29804. scope: Namespaced
  29805. versions:
  29806. - name: v1alpha1
  29807. schema:
  29808. openAPIV3Schema:
  29809. description: MFA generates a new TOTP token that is compliant with RFC 6238.
  29810. properties:
  29811. apiVersion:
  29812. description: |-
  29813. APIVersion defines the versioned schema of this representation of an object.
  29814. Servers should convert recognized schemas to the latest internal value, and
  29815. may reject unrecognized values.
  29816. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  29817. type: string
  29818. kind:
  29819. description: |-
  29820. Kind is a string value representing the REST resource this object represents.
  29821. Servers may infer this from the endpoint the client submits requests to.
  29822. Cannot be updated.
  29823. In CamelCase.
  29824. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  29825. type: string
  29826. metadata:
  29827. type: object
  29828. spec:
  29829. description: MFASpec controls the behavior of the mfa generator.
  29830. properties:
  29831. algorithm:
  29832. description: Algorithm to use for encoding. Defaults to SHA1 as per the RFC.
  29833. type: string
  29834. length:
  29835. description: Length defines the token length. Defaults to 6 characters.
  29836. type: integer
  29837. secret:
  29838. description: Secret is a secret selector to a secret containing the seed secret to generate the TOTP value from.
  29839. properties:
  29840. key:
  29841. description: |-
  29842. A key in the referenced Secret.
  29843. Some instances of this field may be defaulted, in others it may be required.
  29844. maxLength: 253
  29845. minLength: 1
  29846. pattern: ^[-._a-zA-Z0-9]+$
  29847. type: string
  29848. name:
  29849. description: The name of the Secret resource being referred to.
  29850. maxLength: 253
  29851. minLength: 1
  29852. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29853. type: string
  29854. namespace:
  29855. description: |-
  29856. The namespace of the Secret resource being referred to.
  29857. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  29858. maxLength: 63
  29859. minLength: 1
  29860. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29861. type: string
  29862. type: object
  29863. timePeriod:
  29864. description: TimePeriod defines how long the token can be active. Defaults to 30 seconds.
  29865. type: integer
  29866. when:
  29867. description: When defines a time parameter that can be used to pin the origin time of the generated token.
  29868. format: date-time
  29869. type: string
  29870. required:
  29871. - secret
  29872. type: object
  29873. type: object
  29874. served: true
  29875. storage: true
  29876. subresources:
  29877. status: {}
  29878. ---
  29879. apiVersion: apiextensions.k8s.io/v1
  29880. kind: CustomResourceDefinition
  29881. metadata:
  29882. annotations:
  29883. controller-gen.kubebuilder.io/version: v0.19.0
  29884. labels:
  29885. external-secrets.io/component: controller
  29886. name: passwords.generators.external-secrets.io
  29887. spec:
  29888. group: generators.external-secrets.io
  29889. names:
  29890. categories:
  29891. - external-secrets
  29892. - external-secrets-generators
  29893. kind: Password
  29894. listKind: PasswordList
  29895. plural: passwords
  29896. singular: password
  29897. scope: Namespaced
  29898. versions:
  29899. - name: v1alpha1
  29900. schema:
  29901. openAPIV3Schema:
  29902. description: |-
  29903. Password generates a random password based on the
  29904. configuration parameters in spec.
  29905. You can specify the length, characterset and other attributes.
  29906. properties:
  29907. apiVersion:
  29908. description: |-
  29909. APIVersion defines the versioned schema of this representation of an object.
  29910. Servers should convert recognized schemas to the latest internal value, and
  29911. may reject unrecognized values.
  29912. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  29913. type: string
  29914. kind:
  29915. description: |-
  29916. Kind is a string value representing the REST resource this object represents.
  29917. Servers may infer this from the endpoint the client submits requests to.
  29918. Cannot be updated.
  29919. In CamelCase.
  29920. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  29921. type: string
  29922. metadata:
  29923. type: object
  29924. spec:
  29925. description: PasswordSpec controls the behavior of the password generator.
  29926. properties:
  29927. allowRepeat:
  29928. default: false
  29929. description: set AllowRepeat to true to allow repeating characters.
  29930. type: boolean
  29931. digits:
  29932. description: |-
  29933. Digits specifies the number of digits in the generated
  29934. password. If omitted it defaults to 25% of the length of the password
  29935. type: integer
  29936. encoding:
  29937. default: raw
  29938. description: |-
  29939. Encoding specifies the encoding of the generated password.
  29940. Valid values are:
  29941. - "raw" (default): no encoding
  29942. - "base64": standard base64 encoding
  29943. - "base64url": base64url encoding
  29944. - "base32": base32 encoding
  29945. - "hex": hexadecimal encoding
  29946. enum:
  29947. - base64
  29948. - base64url
  29949. - base32
  29950. - hex
  29951. - raw
  29952. type: string
  29953. length:
  29954. default: 24
  29955. description: |-
  29956. Length of the password to be generated.
  29957. Defaults to 24
  29958. type: integer
  29959. noUpper:
  29960. default: false
  29961. description: Set NoUpper to disable uppercase characters
  29962. type: boolean
  29963. secretKeys:
  29964. description: |-
  29965. SecretKeys defines the keys that will be populated with generated passwords.
  29966. Defaults to "password" when not set.
  29967. items:
  29968. type: string
  29969. minItems: 1
  29970. type: array
  29971. symbolCharacters:
  29972. description: |-
  29973. SymbolCharacters specifies the special characters that should be used
  29974. in the generated password.
  29975. type: string
  29976. symbols:
  29977. description: |-
  29978. Symbols specifies the number of symbol characters in the generated
  29979. password. If omitted it defaults to 25% of the length of the password
  29980. type: integer
  29981. required:
  29982. - allowRepeat
  29983. - length
  29984. - noUpper
  29985. type: object
  29986. type: object
  29987. served: true
  29988. storage: true
  29989. subresources:
  29990. status: {}
  29991. ---
  29992. apiVersion: apiextensions.k8s.io/v1
  29993. kind: CustomResourceDefinition
  29994. metadata:
  29995. annotations:
  29996. controller-gen.kubebuilder.io/version: v0.19.0
  29997. labels:
  29998. external-secrets.io/component: controller
  29999. name: quayaccesstokens.generators.external-secrets.io
  30000. spec:
  30001. group: generators.external-secrets.io
  30002. names:
  30003. categories:
  30004. - external-secrets
  30005. - external-secrets-generators
  30006. kind: QuayAccessToken
  30007. listKind: QuayAccessTokenList
  30008. plural: quayaccesstokens
  30009. singular: quayaccesstoken
  30010. scope: Namespaced
  30011. versions:
  30012. - name: v1alpha1
  30013. schema:
  30014. openAPIV3Schema:
  30015. description: QuayAccessToken generates Quay oauth token for pulling/pushing images
  30016. properties:
  30017. apiVersion:
  30018. description: |-
  30019. APIVersion defines the versioned schema of this representation of an object.
  30020. Servers should convert recognized schemas to the latest internal value, and
  30021. may reject unrecognized values.
  30022. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  30023. type: string
  30024. kind:
  30025. description: |-
  30026. Kind is a string value representing the REST resource this object represents.
  30027. Servers may infer this from the endpoint the client submits requests to.
  30028. Cannot be updated.
  30029. In CamelCase.
  30030. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  30031. type: string
  30032. metadata:
  30033. type: object
  30034. spec:
  30035. description: QuayAccessTokenSpec defines the desired state to generate a Quay access token.
  30036. properties:
  30037. robotAccount:
  30038. description: Name of the robot account you are federating with
  30039. type: string
  30040. serviceAccountRef:
  30041. description: Name of the service account you are federating with
  30042. properties:
  30043. audiences:
  30044. description: |-
  30045. Audience specifies the `aud` claim for the service account token
  30046. If the service account uses a well-known annotation, e.g. for IRSA or GCP Workload Identity,
  30047. then these audiences will be appended to the list.
  30048. items:
  30049. type: string
  30050. type: array
  30051. name:
  30052. description: The name of the ServiceAccount resource being referred to.
  30053. maxLength: 253
  30054. minLength: 1
  30055. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30056. type: string
  30057. namespace:
  30058. description: |-
  30059. Namespace of the resource being referred to.
  30060. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30061. maxLength: 63
  30062. minLength: 1
  30063. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30064. type: string
  30065. required:
  30066. - name
  30067. type: object
  30068. url:
  30069. description: URL configures the Quay instance URL. Defaults to quay.io.
  30070. type: string
  30071. required:
  30072. - robotAccount
  30073. - serviceAccountRef
  30074. type: object
  30075. type: object
  30076. served: true
  30077. storage: true
  30078. subresources:
  30079. status: {}
  30080. ---
  30081. apiVersion: apiextensions.k8s.io/v1
  30082. kind: CustomResourceDefinition
  30083. metadata:
  30084. annotations:
  30085. controller-gen.kubebuilder.io/version: v0.19.0
  30086. labels:
  30087. external-secrets.io/component: controller
  30088. name: sshkeys.generators.external-secrets.io
  30089. spec:
  30090. group: generators.external-secrets.io
  30091. names:
  30092. categories:
  30093. - external-secrets
  30094. - external-secrets-generators
  30095. kind: SSHKey
  30096. listKind: SSHKeyList
  30097. plural: sshkeys
  30098. singular: sshkey
  30099. scope: Namespaced
  30100. versions:
  30101. - name: v1alpha1
  30102. schema:
  30103. openAPIV3Schema:
  30104. description: SSHKey generates SSH key pairs.
  30105. properties:
  30106. apiVersion:
  30107. description: |-
  30108. APIVersion defines the versioned schema of this representation of an object.
  30109. Servers should convert recognized schemas to the latest internal value, and
  30110. may reject unrecognized values.
  30111. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  30112. type: string
  30113. kind:
  30114. description: |-
  30115. Kind is a string value representing the REST resource this object represents.
  30116. Servers may infer this from the endpoint the client submits requests to.
  30117. Cannot be updated.
  30118. In CamelCase.
  30119. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  30120. type: string
  30121. metadata:
  30122. type: object
  30123. spec:
  30124. description: SSHKeySpec controls the behavior of the ssh key generator.
  30125. properties:
  30126. comment:
  30127. description: Comment specifies an optional comment for the SSH key
  30128. type: string
  30129. keySize:
  30130. description: |-
  30131. KeySize specifies the key size for RSA keys (default: 2048) and ECDSA keys (default: 256).
  30132. For RSA keys: 2048, 3072, 4096
  30133. For ECDSA keys: 256, 384, 521
  30134. Ignored for ed25519 keys
  30135. maximum: 8192
  30136. minimum: 256
  30137. type: integer
  30138. keyType:
  30139. default: rsa
  30140. description: KeyType specifies the SSH key type (rsa, ecdsa, ed25519)
  30141. enum:
  30142. - rsa
  30143. - ecdsa
  30144. - ed25519
  30145. type: string
  30146. type: object
  30147. type: object
  30148. served: true
  30149. storage: true
  30150. subresources:
  30151. status: {}
  30152. ---
  30153. apiVersion: apiextensions.k8s.io/v1
  30154. kind: CustomResourceDefinition
  30155. metadata:
  30156. annotations:
  30157. controller-gen.kubebuilder.io/version: v0.19.0
  30158. labels:
  30159. external-secrets.io/component: controller
  30160. name: stssessiontokens.generators.external-secrets.io
  30161. spec:
  30162. group: generators.external-secrets.io
  30163. names:
  30164. categories:
  30165. - external-secrets
  30166. - external-secrets-generators
  30167. kind: STSSessionToken
  30168. listKind: STSSessionTokenList
  30169. plural: stssessiontokens
  30170. singular: stssessiontoken
  30171. scope: Namespaced
  30172. versions:
  30173. - name: v1alpha1
  30174. schema:
  30175. openAPIV3Schema:
  30176. description: |-
  30177. STSSessionToken uses the GetSessionToken API to retrieve an authorization token.
  30178. The authorization token is valid for 12 hours.
  30179. The authorizationToken returned is a base64 encoded string that can be decoded.
  30180. For more information, see GetSessionToken (https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html).
  30181. properties:
  30182. apiVersion:
  30183. description: |-
  30184. APIVersion defines the versioned schema of this representation of an object.
  30185. Servers should convert recognized schemas to the latest internal value, and
  30186. may reject unrecognized values.
  30187. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  30188. type: string
  30189. kind:
  30190. description: |-
  30191. Kind is a string value representing the REST resource this object represents.
  30192. Servers may infer this from the endpoint the client submits requests to.
  30193. Cannot be updated.
  30194. In CamelCase.
  30195. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  30196. type: string
  30197. metadata:
  30198. type: object
  30199. spec:
  30200. description: STSSessionTokenSpec defines the desired state to generate an AWS STS session token.
  30201. properties:
  30202. auth:
  30203. description: Auth defines how to authenticate with AWS
  30204. properties:
  30205. jwt:
  30206. description: AWSJWTAuth provides configuration to authenticate against AWS using service account tokens.
  30207. properties:
  30208. serviceAccountRef:
  30209. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  30210. properties:
  30211. audiences:
  30212. description: |-
  30213. Audiences specifies the `aud` claim for the service account token.
  30214. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity,
  30215. then these audiences will be appended to that list.
  30216. items:
  30217. type: string
  30218. type: array
  30219. name:
  30220. description: The name of the ServiceAccount resource being referred to.
  30221. maxLength: 253
  30222. minLength: 1
  30223. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30224. type: string
  30225. namespace:
  30226. description: |-
  30227. Namespace of the resource being referred to.
  30228. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30229. maxLength: 63
  30230. minLength: 1
  30231. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30232. type: string
  30233. required:
  30234. - name
  30235. type: object
  30236. type: object
  30237. secretRef:
  30238. description: |-
  30239. AWSAuthSecretRef holds secret references for AWS credentials
  30240. Both AccessKeyID and SecretAccessKey must be defined in order to authenticate properly.
  30241. properties:
  30242. accessKeyIDSecretRef:
  30243. description: The AccessKeyID is used for authentication
  30244. properties:
  30245. key:
  30246. description: |-
  30247. A key in the referenced Secret.
  30248. Some instances of this field may be defaulted, in others it may be required.
  30249. maxLength: 253
  30250. minLength: 1
  30251. pattern: ^[-._a-zA-Z0-9]+$
  30252. type: string
  30253. name:
  30254. description: The name of the Secret resource being referred to.
  30255. maxLength: 253
  30256. minLength: 1
  30257. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30258. type: string
  30259. namespace:
  30260. description: |-
  30261. The namespace of the Secret resource being referred to.
  30262. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30263. maxLength: 63
  30264. minLength: 1
  30265. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30266. type: string
  30267. type: object
  30268. secretAccessKeySecretRef:
  30269. description: The SecretAccessKey is used for authentication
  30270. properties:
  30271. key:
  30272. description: |-
  30273. A key in the referenced Secret.
  30274. Some instances of this field may be defaulted, in others it may be required.
  30275. maxLength: 253
  30276. minLength: 1
  30277. pattern: ^[-._a-zA-Z0-9]+$
  30278. type: string
  30279. name:
  30280. description: The name of the Secret resource being referred to.
  30281. maxLength: 253
  30282. minLength: 1
  30283. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30284. type: string
  30285. namespace:
  30286. description: |-
  30287. The namespace of the Secret resource being referred to.
  30288. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30289. maxLength: 63
  30290. minLength: 1
  30291. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30292. type: string
  30293. type: object
  30294. sessionTokenSecretRef:
  30295. description: |-
  30296. The SessionToken used for authentication
  30297. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  30298. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  30299. properties:
  30300. key:
  30301. description: |-
  30302. A key in the referenced Secret.
  30303. Some instances of this field may be defaulted, in others it may be required.
  30304. maxLength: 253
  30305. minLength: 1
  30306. pattern: ^[-._a-zA-Z0-9]+$
  30307. type: string
  30308. name:
  30309. description: The name of the Secret resource being referred to.
  30310. maxLength: 253
  30311. minLength: 1
  30312. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30313. type: string
  30314. namespace:
  30315. description: |-
  30316. The namespace of the Secret resource being referred to.
  30317. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30318. maxLength: 63
  30319. minLength: 1
  30320. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30321. type: string
  30322. type: object
  30323. type: object
  30324. type: object
  30325. region:
  30326. description: Region specifies the region to operate in.
  30327. type: string
  30328. requestParameters:
  30329. description: RequestParameters contains parameters that can be passed to the STS service.
  30330. properties:
  30331. serialNumber:
  30332. description: |-
  30333. SerialNumber is the identification number of the MFA device that is associated with the IAM user who is making
  30334. the GetSessionToken call.
  30335. Possible values: hardware device (such as GAHT12345678) or an Amazon Resource Name (ARN) for a virtual device
  30336. (such as arn:aws:iam::123456789012:mfa/user)
  30337. type: string
  30338. sessionDuration:
  30339. format: int32
  30340. type: integer
  30341. tokenCode:
  30342. description: TokenCode is the value provided by the MFA device, if MFA is required.
  30343. type: string
  30344. type: object
  30345. role:
  30346. description: |-
  30347. You can assume a role before making calls to the
  30348. desired AWS service.
  30349. type: string
  30350. required:
  30351. - region
  30352. type: object
  30353. type: object
  30354. served: true
  30355. storage: true
  30356. subresources:
  30357. status: {}
  30358. ---
  30359. apiVersion: apiextensions.k8s.io/v1
  30360. kind: CustomResourceDefinition
  30361. metadata:
  30362. annotations:
  30363. controller-gen.kubebuilder.io/version: v0.19.0
  30364. labels:
  30365. external-secrets.io/component: controller
  30366. name: uuids.generators.external-secrets.io
  30367. spec:
  30368. group: generators.external-secrets.io
  30369. names:
  30370. categories:
  30371. - external-secrets
  30372. - external-secrets-generators
  30373. kind: UUID
  30374. listKind: UUIDList
  30375. plural: uuids
  30376. singular: uuid
  30377. scope: Namespaced
  30378. versions:
  30379. - name: v1alpha1
  30380. schema:
  30381. openAPIV3Schema:
  30382. description: UUID generates a version 1 UUID (e56657e3-764f-11ef-a397-65231a88c216).
  30383. properties:
  30384. apiVersion:
  30385. description: |-
  30386. APIVersion defines the versioned schema of this representation of an object.
  30387. Servers should convert recognized schemas to the latest internal value, and
  30388. may reject unrecognized values.
  30389. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  30390. type: string
  30391. kind:
  30392. description: |-
  30393. Kind is a string value representing the REST resource this object represents.
  30394. Servers may infer this from the endpoint the client submits requests to.
  30395. Cannot be updated.
  30396. In CamelCase.
  30397. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  30398. type: string
  30399. metadata:
  30400. type: object
  30401. spec:
  30402. description: UUIDSpec controls the behavior of the uuid generator.
  30403. type: object
  30404. type: object
  30405. served: true
  30406. storage: true
  30407. subresources:
  30408. status: {}
  30409. ---
  30410. apiVersion: apiextensions.k8s.io/v1
  30411. kind: CustomResourceDefinition
  30412. metadata:
  30413. annotations:
  30414. controller-gen.kubebuilder.io/version: v0.19.0
  30415. labels:
  30416. external-secrets.io/component: controller
  30417. name: vaultdynamicsecrets.generators.external-secrets.io
  30418. spec:
  30419. group: generators.external-secrets.io
  30420. names:
  30421. categories:
  30422. - external-secrets
  30423. - external-secrets-generators
  30424. kind: VaultDynamicSecret
  30425. listKind: VaultDynamicSecretList
  30426. plural: vaultdynamicsecrets
  30427. singular: vaultdynamicsecret
  30428. scope: Namespaced
  30429. versions:
  30430. - name: v1alpha1
  30431. schema:
  30432. openAPIV3Schema:
  30433. description: VaultDynamicSecret represents a generator that can create dynamic secrets from HashiCorp Vault.
  30434. properties:
  30435. apiVersion:
  30436. description: |-
  30437. APIVersion defines the versioned schema of this representation of an object.
  30438. Servers should convert recognized schemas to the latest internal value, and
  30439. may reject unrecognized values.
  30440. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  30441. type: string
  30442. kind:
  30443. description: |-
  30444. Kind is a string value representing the REST resource this object represents.
  30445. Servers may infer this from the endpoint the client submits requests to.
  30446. Cannot be updated.
  30447. In CamelCase.
  30448. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  30449. type: string
  30450. metadata:
  30451. type: object
  30452. spec:
  30453. description: VaultDynamicSecretSpec defines the desired spec of VaultDynamicSecret.
  30454. properties:
  30455. allowEmptyResponse:
  30456. default: false
  30457. description: Do not fail if no secrets are found. Useful for requests where no data is expected.
  30458. type: boolean
  30459. controller:
  30460. description: |-
  30461. Used to select the correct ESO controller (think: ingress.ingressClassName).
  30462. The ESO controller is instantiated with a specific controller name and filters VDS resources based on this property.
  30463. type: string
  30464. getParameters:
  30465. additionalProperties:
  30466. items:
  30467. type: string
  30468. type: array
  30469. description: |-
  30470. GetParameters are query-string parameters passed to Vault on GET calls.
  30471. Each key may map to multiple values, matching HTTP query-string semantics.
  30472. Ignored for non-GET methods; use Parameters for write bodies.
  30473. type: object
  30474. method:
  30475. description: Vault API method to use (GET/POST/other)
  30476. type: string
  30477. parameters:
  30478. description: Parameters to pass to Vault write (for non-GET methods)
  30479. x-kubernetes-preserve-unknown-fields: true
  30480. path:
  30481. description: Vault path to obtain the dynamic secret from
  30482. type: string
  30483. provider:
  30484. description: Vault provider common spec
  30485. properties:
  30486. auth:
  30487. description: Auth configures how secret-manager authenticates with the Vault server.
  30488. properties:
  30489. appRole:
  30490. description: |-
  30491. AppRole authenticates with Vault using the App Role auth mechanism,
  30492. with the role and secret stored in a Kubernetes Secret resource.
  30493. properties:
  30494. path:
  30495. default: approle
  30496. description: |-
  30497. Path where the App Role authentication backend is mounted
  30498. in Vault, e.g: "approle"
  30499. type: string
  30500. roleId:
  30501. description: |-
  30502. RoleID configured in the App Role authentication backend when setting
  30503. up the authentication backend in Vault.
  30504. type: string
  30505. roleRef:
  30506. description: |-
  30507. Reference to a key in a Secret that contains the App Role ID used
  30508. to authenticate with Vault.
  30509. The `key` field must be specified and denotes which entry within the Secret
  30510. resource is used as the app role id.
  30511. properties:
  30512. key:
  30513. description: |-
  30514. A key in the referenced Secret.
  30515. Some instances of this field may be defaulted, in others it may be required.
  30516. maxLength: 253
  30517. minLength: 1
  30518. pattern: ^[-._a-zA-Z0-9]+$
  30519. type: string
  30520. name:
  30521. description: The name of the Secret resource being referred to.
  30522. maxLength: 253
  30523. minLength: 1
  30524. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30525. type: string
  30526. namespace:
  30527. description: |-
  30528. The namespace of the Secret resource being referred to.
  30529. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30530. maxLength: 63
  30531. minLength: 1
  30532. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30533. type: string
  30534. type: object
  30535. secretRef:
  30536. description: |-
  30537. Reference to a key in a Secret that contains the App Role secret used
  30538. to authenticate with Vault.
  30539. The `key` field must be specified and denotes which entry within the Secret
  30540. resource is used as the app role secret.
  30541. properties:
  30542. key:
  30543. description: |-
  30544. A key in the referenced Secret.
  30545. Some instances of this field may be defaulted, in others it may be required.
  30546. maxLength: 253
  30547. minLength: 1
  30548. pattern: ^[-._a-zA-Z0-9]+$
  30549. type: string
  30550. name:
  30551. description: The name of the Secret resource being referred to.
  30552. maxLength: 253
  30553. minLength: 1
  30554. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30555. type: string
  30556. namespace:
  30557. description: |-
  30558. The namespace of the Secret resource being referred to.
  30559. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30560. maxLength: 63
  30561. minLength: 1
  30562. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30563. type: string
  30564. type: object
  30565. required:
  30566. - path
  30567. - secretRef
  30568. type: object
  30569. cert:
  30570. description: |-
  30571. Cert authenticates with Vault by passing a client certificate, private key and CA certificate
  30572. using the Cert authentication method.
  30573. properties:
  30574. clientCert:
  30575. description: |-
  30576. ClientCert is a certificate to authenticate using the Cert Vault
  30577. authentication method
  30578. properties:
  30579. key:
  30580. description: |-
  30581. A key in the referenced Secret.
  30582. Some instances of this field may be defaulted, in others it may be required.
  30583. maxLength: 253
  30584. minLength: 1
  30585. pattern: ^[-._a-zA-Z0-9]+$
  30586. type: string
  30587. name:
  30588. description: The name of the Secret resource being referred to.
  30589. maxLength: 253
  30590. minLength: 1
  30591. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30592. type: string
  30593. namespace:
  30594. description: |-
  30595. The namespace of the Secret resource being referred to.
  30596. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30597. maxLength: 63
  30598. minLength: 1
  30599. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30600. type: string
  30601. type: object
  30602. path:
  30603. default: cert
  30604. description: |-
  30605. Path where the Certificate authentication backend is mounted
  30606. in Vault, e.g: "cert"
  30607. type: string
  30608. secretRef:
  30609. description: |-
  30610. SecretRef to a key in a Secret resource containing client private key to
  30611. authenticate with Vault using the Cert authentication method
  30612. properties:
  30613. key:
  30614. description: |-
  30615. A key in the referenced Secret.
  30616. Some instances of this field may be defaulted, in others it may be required.
  30617. maxLength: 253
  30618. minLength: 1
  30619. pattern: ^[-._a-zA-Z0-9]+$
  30620. type: string
  30621. name:
  30622. description: The name of the Secret resource being referred to.
  30623. maxLength: 253
  30624. minLength: 1
  30625. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30626. type: string
  30627. namespace:
  30628. description: |-
  30629. The namespace of the Secret resource being referred to.
  30630. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30631. maxLength: 63
  30632. minLength: 1
  30633. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30634. type: string
  30635. type: object
  30636. vaultRole:
  30637. description: VaultRole specifies the Vault role to use for TLS certificate authentication.
  30638. type: string
  30639. type: object
  30640. gcp:
  30641. description: |-
  30642. Gcp authenticates with Vault using the Google Cloud Platform (GCP)
  30643. authentication method.
  30644. properties:
  30645. location:
  30646. description: Location optionally defines a location/region for the secret
  30647. type: string
  30648. path:
  30649. default: gcp
  30650. description: 'Path where the GCP auth method is enabled in Vault, e.g: "gcp"'
  30651. type: string
  30652. projectID:
  30653. description: Project ID of the Google Cloud Platform project
  30654. type: string
  30655. role:
  30656. description: Vault Role. In Vault, a role describes an identity with a set of permissions, groups, or policies you want to attach to a user of the secrets engine.
  30657. type: string
  30658. secretRef:
  30659. description: Specify credentials in a Secret object
  30660. properties:
  30661. secretAccessKeySecretRef:
  30662. description: The SecretAccessKey is used for authentication
  30663. properties:
  30664. key:
  30665. description: |-
  30666. A key in the referenced Secret.
  30667. Some instances of this field may be defaulted, in others it may be required.
  30668. maxLength: 253
  30669. minLength: 1
  30670. pattern: ^[-._a-zA-Z0-9]+$
  30671. type: string
  30672. name:
  30673. description: The name of the Secret resource being referred to.
  30674. maxLength: 253
  30675. minLength: 1
  30676. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30677. type: string
  30678. namespace:
  30679. description: |-
  30680. The namespace of the Secret resource being referred to.
  30681. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30682. maxLength: 63
  30683. minLength: 1
  30684. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30685. type: string
  30686. type: object
  30687. type: object
  30688. serviceAccountRef:
  30689. description: ServiceAccountRef to a service account for impersonation
  30690. properties:
  30691. audiences:
  30692. description: |-
  30693. Audiences specifies the `aud` claim for the service account token.
  30694. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity,
  30695. then these audiences will be appended to that list.
  30696. items:
  30697. type: string
  30698. type: array
  30699. name:
  30700. description: The name of the ServiceAccount resource being referred to.
  30701. maxLength: 253
  30702. minLength: 1
  30703. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30704. type: string
  30705. namespace:
  30706. description: |-
  30707. Namespace of the resource being referred to.
  30708. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30709. maxLength: 63
  30710. minLength: 1
  30711. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30712. type: string
  30713. required:
  30714. - name
  30715. type: object
  30716. workloadIdentity:
  30717. description: Specify a service account with Workload Identity
  30718. properties:
  30719. clusterLocation:
  30720. description: |-
  30721. ClusterLocation is the location of the cluster
  30722. If not specified, it fetches information from the metadata server
  30723. type: string
  30724. clusterName:
  30725. description: |-
  30726. ClusterName is the name of the cluster
  30727. If not specified, it fetches information from the metadata server
  30728. type: string
  30729. clusterProjectID:
  30730. description: |-
  30731. ClusterProjectID is the project ID of the cluster
  30732. If not specified, it fetches information from the metadata server
  30733. type: string
  30734. serviceAccountRef:
  30735. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  30736. properties:
  30737. audiences:
  30738. description: |-
  30739. Audiences specifies the `aud` claim for the service account token.
  30740. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity,
  30741. then these audiences will be appended to that list.
  30742. items:
  30743. type: string
  30744. type: array
  30745. name:
  30746. description: The name of the ServiceAccount resource being referred to.
  30747. maxLength: 253
  30748. minLength: 1
  30749. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30750. type: string
  30751. namespace:
  30752. description: |-
  30753. Namespace of the resource being referred to.
  30754. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30755. maxLength: 63
  30756. minLength: 1
  30757. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30758. type: string
  30759. required:
  30760. - name
  30761. type: object
  30762. required:
  30763. - serviceAccountRef
  30764. type: object
  30765. required:
  30766. - role
  30767. type: object
  30768. iam:
  30769. description: |-
  30770. Iam authenticates with Vault by passing a special AWS request signed with AWS IAM credentials
  30771. using the AWS IAM authentication method.
  30772. properties:
  30773. externalID:
  30774. description: AWS External ID set on assumed IAM roles
  30775. type: string
  30776. jwt:
  30777. description: Specify a service account with IRSA enabled
  30778. properties:
  30779. serviceAccountRef:
  30780. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  30781. properties:
  30782. audiences:
  30783. description: |-
  30784. Audiences specifies the `aud` claim for the service account token.
  30785. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity,
  30786. then these audiences will be appended to that list.
  30787. items:
  30788. type: string
  30789. type: array
  30790. name:
  30791. description: The name of the ServiceAccount resource being referred to.
  30792. maxLength: 253
  30793. minLength: 1
  30794. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30795. type: string
  30796. namespace:
  30797. description: |-
  30798. Namespace of the resource being referred to.
  30799. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30800. maxLength: 63
  30801. minLength: 1
  30802. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30803. type: string
  30804. required:
  30805. - name
  30806. type: object
  30807. type: object
  30808. path:
  30809. description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
  30810. type: string
  30811. region:
  30812. description: AWS region
  30813. type: string
  30814. role:
  30815. description: This is the AWS role to be assumed before talking to vault
  30816. type: string
  30817. secretRef:
  30818. description: Specify credentials in a Secret object
  30819. properties:
  30820. accessKeyIDSecretRef:
  30821. description: The AccessKeyID is used for authentication
  30822. properties:
  30823. key:
  30824. description: |-
  30825. A key in the referenced Secret.
  30826. Some instances of this field may be defaulted, in others it may be required.
  30827. maxLength: 253
  30828. minLength: 1
  30829. pattern: ^[-._a-zA-Z0-9]+$
  30830. type: string
  30831. name:
  30832. description: The name of the Secret resource being referred to.
  30833. maxLength: 253
  30834. minLength: 1
  30835. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30836. type: string
  30837. namespace:
  30838. description: |-
  30839. The namespace of the Secret resource being referred to.
  30840. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30841. maxLength: 63
  30842. minLength: 1
  30843. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30844. type: string
  30845. type: object
  30846. secretAccessKeySecretRef:
  30847. description: The SecretAccessKey is used for authentication
  30848. properties:
  30849. key:
  30850. description: |-
  30851. A key in the referenced Secret.
  30852. Some instances of this field may be defaulted, in others it may be required.
  30853. maxLength: 253
  30854. minLength: 1
  30855. pattern: ^[-._a-zA-Z0-9]+$
  30856. type: string
  30857. name:
  30858. description: The name of the Secret resource being referred to.
  30859. maxLength: 253
  30860. minLength: 1
  30861. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30862. type: string
  30863. namespace:
  30864. description: |-
  30865. The namespace of the Secret resource being referred to.
  30866. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30867. maxLength: 63
  30868. minLength: 1
  30869. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30870. type: string
  30871. type: object
  30872. sessionTokenSecretRef:
  30873. description: |-
  30874. The SessionToken used for authentication
  30875. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  30876. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  30877. properties:
  30878. key:
  30879. description: |-
  30880. A key in the referenced Secret.
  30881. Some instances of this field may be defaulted, in others it may be required.
  30882. maxLength: 253
  30883. minLength: 1
  30884. pattern: ^[-._a-zA-Z0-9]+$
  30885. type: string
  30886. name:
  30887. description: The name of the Secret resource being referred to.
  30888. maxLength: 253
  30889. minLength: 1
  30890. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30891. type: string
  30892. namespace:
  30893. description: |-
  30894. The namespace of the Secret resource being referred to.
  30895. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30896. maxLength: 63
  30897. minLength: 1
  30898. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30899. type: string
  30900. type: object
  30901. type: object
  30902. vaultAwsIamServerID:
  30903. description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
  30904. type: string
  30905. vaultRole:
  30906. description: Vault Role. In Vault, a role describes an identity with a set of permissions, groups, or policies you want to attach to a user of the secrets engine.
  30907. type: string
  30908. required:
  30909. - vaultRole
  30910. type: object
  30911. jwt:
  30912. description: |-
  30913. Jwt authenticates with Vault by passing role and JWT token using the
  30914. JWT/OIDC authentication method
  30915. properties:
  30916. kubernetesServiceAccountToken:
  30917. description: |-
  30918. Optional ServiceAccountToken specifies the Kubernetes service account for which to request
  30919. a token for with the `TokenRequest` API.
  30920. properties:
  30921. audiences:
  30922. description: |-
  30923. Optional audiences field that will be used to request a temporary Kubernetes service
  30924. account token for the service account referenced by `serviceAccountRef`.
  30925. Defaults to a single audience `vault` if not specified.
  30926. Deprecated: use serviceAccountRef.Audiences instead
  30927. items:
  30928. type: string
  30929. type: array
  30930. expirationSeconds:
  30931. description: |-
  30932. Optional expiration time in seconds that will be used to request a temporary
  30933. Kubernetes service account token for the service account referenced by
  30934. `serviceAccountRef`.
  30935. Deprecated: this will be removed in the future.
  30936. Defaults to 10 minutes.
  30937. format: int64
  30938. type: integer
  30939. serviceAccountRef:
  30940. description: Service account field containing the name of a kubernetes ServiceAccount.
  30941. properties:
  30942. audiences:
  30943. description: |-
  30944. Audiences specifies the `aud` claim for the service account token.
  30945. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity,
  30946. then these audiences will be appended to that list.
  30947. items:
  30948. type: string
  30949. type: array
  30950. name:
  30951. description: The name of the ServiceAccount resource being referred to.
  30952. maxLength: 253
  30953. minLength: 1
  30954. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30955. type: string
  30956. namespace:
  30957. description: |-
  30958. Namespace of the resource being referred to.
  30959. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30960. maxLength: 63
  30961. minLength: 1
  30962. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30963. type: string
  30964. required:
  30965. - name
  30966. type: object
  30967. required:
  30968. - serviceAccountRef
  30969. type: object
  30970. path:
  30971. default: jwt
  30972. description: |-
  30973. Path where the JWT authentication backend is mounted
  30974. in Vault, e.g: "jwt"
  30975. type: string
  30976. role:
  30977. description: |-
  30978. Role is a JWT role to authenticate using the JWT/OIDC Vault
  30979. authentication method
  30980. type: string
  30981. secretRef:
  30982. description: |-
  30983. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  30984. authenticate with Vault using the JWT/OIDC authentication method.
  30985. properties:
  30986. key:
  30987. description: |-
  30988. A key in the referenced Secret.
  30989. Some instances of this field may be defaulted, in others it may be required.
  30990. maxLength: 253
  30991. minLength: 1
  30992. pattern: ^[-._a-zA-Z0-9]+$
  30993. type: string
  30994. name:
  30995. description: The name of the Secret resource being referred to.
  30996. maxLength: 253
  30997. minLength: 1
  30998. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30999. type: string
  31000. namespace:
  31001. description: |-
  31002. The namespace of the Secret resource being referred to.
  31003. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  31004. maxLength: 63
  31005. minLength: 1
  31006. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  31007. type: string
  31008. type: object
  31009. required:
  31010. - path
  31011. type: object
  31012. kubernetes:
  31013. description: |-
  31014. Kubernetes authenticates with Vault by passing the ServiceAccount
  31015. token stored in the named Secret resource to the Vault server.
  31016. properties:
  31017. mountPath:
  31018. default: kubernetes
  31019. description: |-
  31020. Path where the Kubernetes authentication backend is mounted in Vault, e.g:
  31021. "kubernetes"
  31022. type: string
  31023. role:
  31024. description: |-
  31025. A required field containing the Vault Role to assume. A Role binds a
  31026. Kubernetes ServiceAccount with a set of Vault policies.
  31027. type: string
  31028. secretRef:
  31029. description: |-
  31030. Optional secret field containing a Kubernetes ServiceAccount JWT used
  31031. for authenticating with Vault. If a name is specified without a key,
  31032. `token` is the default. If one is not specified, the one bound to
  31033. the controller will be used.
  31034. properties:
  31035. key:
  31036. description: |-
  31037. A key in the referenced Secret.
  31038. Some instances of this field may be defaulted, in others it may be required.
  31039. maxLength: 253
  31040. minLength: 1
  31041. pattern: ^[-._a-zA-Z0-9]+$
  31042. type: string
  31043. name:
  31044. description: The name of the Secret resource being referred to.
  31045. maxLength: 253
  31046. minLength: 1
  31047. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  31048. type: string
  31049. namespace:
  31050. description: |-
  31051. The namespace of the Secret resource being referred to.
  31052. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  31053. maxLength: 63
  31054. minLength: 1
  31055. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  31056. type: string
  31057. type: object
  31058. serviceAccountRef:
  31059. description: |-
  31060. Optional service account field containing the name of a kubernetes ServiceAccount.
  31061. If the service account is specified, the service account secret token JWT will be used
  31062. for authenticating with Vault. If the service account selector is not supplied,
  31063. the secretRef will be used instead.
  31064. properties:
  31065. audiences:
  31066. description: |-
  31067. Audience specifies the `aud` claim for the service account token
  31068. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity,
  31069. then these audiences will be appended to that list.
  31070. items:
  31071. type: string
  31072. type: array
  31073. name:
  31074. description: The name of the ServiceAccount resource being referred to.
  31075. maxLength: 253
  31076. minLength: 1
  31077. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  31078. type: string
  31079. namespace:
  31080. description: |-
  31081. Namespace of the resource being referred to.
  31082. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  31083. maxLength: 63
  31084. minLength: 1
  31085. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  31086. type: string
  31087. required:
  31088. - name
  31089. type: object
  31090. required:
  31091. - mountPath
  31092. - role
  31093. type: object
  31094. ldap:
  31095. description: |-
  31096. Ldap authenticates with Vault by passing username/password pair using
  31097. the LDAP authentication method
  31098. properties:
  31099. path:
  31100. default: ldap
  31101. description: |-
  31102. Path where the LDAP authentication backend is mounted
  31103. in Vault, e.g: "ldap"
  31104. type: string
  31105. secretRef:
  31106. description: |-
  31107. SecretRef to a key in a Secret resource containing password for the LDAP
  31108. user used to authenticate with Vault using the LDAP authentication
  31109. method
  31110. properties:
  31111. key:
  31112. description: |-
  31113. A key in the referenced Secret.
  31114. Some instances of this field may be defaulted, in others it may be required.
  31115. maxLength: 253
  31116. minLength: 1
  31117. pattern: ^[-._a-zA-Z0-9]+$
  31118. type: string
  31119. name:
  31120. description: The name of the Secret resource being referred to.
  31121. maxLength: 253
  31122. minLength: 1
  31123. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  31124. type: string
  31125. namespace:
  31126. description: |-
  31127. The namespace of the Secret resource being referred to.
  31128. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  31129. maxLength: 63
  31130. minLength: 1
  31131. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  31132. type: string
  31133. type: object
  31134. username:
  31135. description: |-
  31136. Username is an LDAP username used to authenticate using the LDAP Vault
  31137. authentication method
  31138. type: string
  31139. required:
  31140. - path
  31141. - username
  31142. type: object
  31143. namespace:
  31144. description: |-
  31145. Name of the Vault namespace to authenticate to. This can be different from the namespace your secret is in.
  31146. Namespaces are a Vault Enterprise feature that allows
  31147. Vault environments to support secure multi-tenancy, e.g: "ns1".
  31148. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  31149. This will default to the Vault.Namespace field if set, or empty otherwise.
  31150. type: string
  31151. tokenSecretRef:
  31152. description: TokenSecretRef authenticates with Vault by presenting a token.
  31153. properties:
  31154. key:
  31155. description: |-
  31156. A key in the referenced Secret.
  31157. Some instances of this field may be defaulted, in others it may be required.
  31158. maxLength: 253
  31159. minLength: 1
  31160. pattern: ^[-._a-zA-Z0-9]+$
  31161. type: string
  31162. name:
  31163. description: The name of the Secret resource being referred to.
  31164. maxLength: 253
  31165. minLength: 1
  31166. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  31167. type: string
  31168. namespace:
  31169. description: |-
  31170. The namespace of the Secret resource being referred to.
  31171. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  31172. maxLength: 63
  31173. minLength: 1
  31174. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  31175. type: string
  31176. type: object
  31177. userPass:
  31178. description: UserPass authenticates with Vault by passing username/password pair
  31179. properties:
  31180. path:
  31181. default: userpass
  31182. description: |-
  31183. Path where the UserPassword authentication backend is mounted
  31184. in Vault, e.g: "userpass"
  31185. type: string
  31186. secretRef:
  31187. description: |-
  31188. SecretRef to a key in a Secret resource containing password for the
  31189. user used to authenticate with Vault using the UserPass authentication
  31190. method
  31191. properties:
  31192. key:
  31193. description: |-
  31194. A key in the referenced Secret.
  31195. Some instances of this field may be defaulted, in others it may be required.
  31196. maxLength: 253
  31197. minLength: 1
  31198. pattern: ^[-._a-zA-Z0-9]+$
  31199. type: string
  31200. name:
  31201. description: The name of the Secret resource being referred to.
  31202. maxLength: 253
  31203. minLength: 1
  31204. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  31205. type: string
  31206. namespace:
  31207. description: |-
  31208. The namespace of the Secret resource being referred to.
  31209. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  31210. maxLength: 63
  31211. minLength: 1
  31212. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  31213. type: string
  31214. type: object
  31215. username:
  31216. description: |-
  31217. Username is a username used to authenticate using the UserPass Vault
  31218. authentication method
  31219. type: string
  31220. required:
  31221. - path
  31222. - username
  31223. type: object
  31224. type: object
  31225. caBundle:
  31226. description: |-
  31227. PEM encoded CA bundle used to validate the Vault server certificate. Only used
  31228. if the Server URL uses the HTTPS protocol. This parameter is ignored for
  31229. plain HTTP connections (note that over plain HTTP the Vault credentials and fetched secrets
  31230. are sent unencrypted). If not set, the system root certificates are used to validate the TLS connection.
  31231. format: byte
  31232. type: string
  31233. caProvider:
  31234. description: The provider for the CA bundle to use to validate Vault server certificate.
  31235. properties:
  31236. key:
  31237. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  31238. maxLength: 253
  31239. minLength: 1
  31240. pattern: ^[-._a-zA-Z0-9]+$
  31241. type: string
  31242. name:
  31243. description: The name of the object located at the provider type.
  31244. maxLength: 253
  31245. minLength: 1
  31246. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  31247. type: string
  31248. namespace:
  31249. description: |-
  31250. The namespace the Provider type is in.
  31251. Can only be defined when used in a ClusterSecretStore.
  31252. maxLength: 63
  31253. minLength: 1
  31254. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  31255. type: string
  31256. type:
  31257. description: The type of provider to use such as "Secret", or "ConfigMap".
  31258. enum:
  31259. - Secret
  31260. - ConfigMap
  31261. type: string
  31262. required:
  31263. - name
  31264. - type
  31265. type: object
  31266. checkAndSet:
  31267. description: |-
  31268. CheckAndSet defines the Check-And-Set (CAS) settings for PushSecret operations.
  31269. Only applies to Vault KV v2 stores. When enabled, write operations must include
  31270. the current version of the secret to prevent unintentional overwrites.
  31271. properties:
  31272. required:
  31273. description: |-
  31274. Required when true, all write operations must include a check-and-set parameter.
  31275. This helps prevent unintentional overwrites of secrets.
  31276. type: boolean
  31277. type: object
  31278. forwardInconsistent:
  31279. description: |-
  31280. ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
  31281. leader instead of simply retrying within a loop. This can increase performance if
  31282. the option is enabled serverside.
  31283. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  31284. type: boolean
  31285. headers:
  31286. additionalProperties:
  31287. type: string
  31288. description: Headers to be added to every request sent to Vault
  31289. type: object
  31290. namespace:
  31291. description: |-
  31292. Name of the Vault namespace. Namespaces are a Vault Enterprise feature that allows
  31293. Vault environments to support secure multi-tenancy, e.g: "ns1".
  31294. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  31295. type: string
  31296. path:
  31297. description: |-
  31298. Path is the mount path of the Vault KV backend endpoint, e.g:
  31299. "secret". The v2 KV secret engine version specific "/data" path suffix
  31300. for fetching secrets from Vault is optional and will be appended
  31301. if not present in specified path.
  31302. type: string
  31303. readYourWrites:
  31304. description: |-
  31305. ReadYourWrites ensures isolated read-after-write semantics by
  31306. providing discovered cluster replication states in each request.
  31307. More information about eventual consistency in Vault can be found here
  31308. https://www.vaultproject.io/docs/enterprise/consistency
  31309. type: boolean
  31310. server:
  31311. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  31312. type: string
  31313. tls:
  31314. description: |-
  31315. The configuration used for client side related TLS communication, when the Vault server
  31316. requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
  31317. This parameter is ignored for plain HTTP protocol connection.
  31318. It's worth noting this configuration is different from the "TLS certificates auth method",
  31319. which is available under the `auth.cert` section.
  31320. properties:
  31321. certSecretRef:
  31322. description: |-
  31323. CertSecretRef is a certificate added to the transport layer
  31324. when communicating with the Vault server.
  31325. If no key for the Secret is specified, external-secret will default to 'tls.crt'.
  31326. properties:
  31327. key:
  31328. description: |-
  31329. A key in the referenced Secret.
  31330. Some instances of this field may be defaulted, in others it may be required.
  31331. maxLength: 253
  31332. minLength: 1
  31333. pattern: ^[-._a-zA-Z0-9]+$
  31334. type: string
  31335. name:
  31336. description: The name of the Secret resource being referred to.
  31337. maxLength: 253
  31338. minLength: 1
  31339. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  31340. type: string
  31341. namespace:
  31342. description: |-
  31343. The namespace of the Secret resource being referred to.
  31344. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  31345. maxLength: 63
  31346. minLength: 1
  31347. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  31348. type: string
  31349. type: object
  31350. keySecretRef:
  31351. description: |-
  31352. KeySecretRef to a key in a Secret resource containing client private key
  31353. added to the transport layer when communicating with the Vault server.
  31354. If no key for the Secret is specified, external-secret will default to 'tls.key'.
  31355. properties:
  31356. key:
  31357. description: |-
  31358. A key in the referenced Secret.
  31359. Some instances of this field may be defaulted, in others it may be required.
  31360. maxLength: 253
  31361. minLength: 1
  31362. pattern: ^[-._a-zA-Z0-9]+$
  31363. type: string
  31364. name:
  31365. description: The name of the Secret resource being referred to.
  31366. maxLength: 253
  31367. minLength: 1
  31368. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  31369. type: string
  31370. namespace:
  31371. description: |-
  31372. The namespace of the Secret resource being referred to.
  31373. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  31374. maxLength: 63
  31375. minLength: 1
  31376. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  31377. type: string
  31378. type: object
  31379. type: object
  31380. version:
  31381. default: v2
  31382. description: |-
  31383. Version is the Vault KV secret engine version. This can be either "v1" or
  31384. "v2". Version defaults to "v2".
  31385. enum:
  31386. - v1
  31387. - v2
  31388. type: string
  31389. required:
  31390. - server
  31391. type: object
  31392. resultType:
  31393. default: Data
  31394. description: |-
  31395. Result type defines which data is returned from the generator.
  31396. By default, it is the "data" section of the Vault API response.
  31397. When using e.g. /auth/token/create the "data" section is empty but
  31398. the "auth" section contains the generated token.
  31399. Please refer to the vault docs regarding the result data structure.
  31400. Additionally, the raw response can be accessed by using the "Raw" result type.
  31401. enum:
  31402. - Data
  31403. - Auth
  31404. - Raw
  31405. type: string
  31406. retrySettings:
  31407. description: Used to configure http retries if failed
  31408. properties:
  31409. maxRetries:
  31410. format: int32
  31411. type: integer
  31412. retryInterval:
  31413. type: string
  31414. type: object
  31415. required:
  31416. - path
  31417. - provider
  31418. type: object
  31419. type: object
  31420. served: true
  31421. storage: true
  31422. subresources:
  31423. status: {}
  31424. ---
  31425. apiVersion: apiextensions.k8s.io/v1
  31426. kind: CustomResourceDefinition
  31427. metadata:
  31428. annotations:
  31429. controller-gen.kubebuilder.io/version: v0.19.0
  31430. labels:
  31431. external-secrets.io/component: controller
  31432. name: webhooks.generators.external-secrets.io
  31433. spec:
  31434. group: generators.external-secrets.io
  31435. names:
  31436. categories:
  31437. - external-secrets
  31438. - external-secrets-generators
  31439. kind: Webhook
  31440. listKind: WebhookList
  31441. plural: webhooks
  31442. singular: webhook
  31443. scope: Namespaced
  31444. versions:
  31445. - name: v1alpha1
  31446. schema:
  31447. openAPIV3Schema:
  31448. description: |-
  31449. Webhook connects to a third party API server to handle the secrets generation
  31450. configuration parameters in spec.
  31451. You can specify the server, the token, and additional body parameters.
  31452. See documentation for the full API specification for requests and responses.
  31453. properties:
  31454. apiVersion:
  31455. description: |-
  31456. APIVersion defines the versioned schema of this representation of an object.
  31457. Servers should convert recognized schemas to the latest internal value, and
  31458. may reject unrecognized values.
  31459. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  31460. type: string
  31461. kind:
  31462. description: |-
  31463. Kind is a string value representing the REST resource this object represents.
  31464. Servers may infer this from the endpoint the client submits requests to.
  31465. Cannot be updated.
  31466. In CamelCase.
  31467. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  31468. type: string
  31469. metadata:
  31470. type: object
  31471. spec:
  31472. description: WebhookSpec controls the behavior of the external generator. Any request body parameters should be passed to the server through the body field.
  31473. properties:
  31474. auth:
  31475. description: Auth specifies an authentication protocol. Only one protocol may be set.
  31476. maxProperties: 1
  31477. minProperties: 1
  31478. properties:
  31479. ntlm:
  31480. description: NTLMProtocol configures the store to use NTLM for auth
  31481. properties:
  31482. passwordSecret:
  31483. description: |-
  31484. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  31485. In some instances, `key` is a required field.
  31486. properties:
  31487. key:
  31488. description: |-
  31489. A key in the referenced Secret.
  31490. Some instances of this field may be defaulted, in others it may be required.
  31491. maxLength: 253
  31492. minLength: 1
  31493. pattern: ^[-._a-zA-Z0-9]+$
  31494. type: string
  31495. name:
  31496. description: The name of the Secret resource being referred to.
  31497. maxLength: 253
  31498. minLength: 1
  31499. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  31500. type: string
  31501. namespace:
  31502. description: |-
  31503. The namespace of the Secret resource being referred to.
  31504. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  31505. maxLength: 63
  31506. minLength: 1
  31507. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  31508. type: string
  31509. type: object
  31510. usernameSecret:
  31511. description: |-
  31512. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  31513. In some instances, `key` is a required field.
  31514. properties:
  31515. key:
  31516. description: |-
  31517. A key in the referenced Secret.
  31518. Some instances of this field may be defaulted, in others it may be required.
  31519. maxLength: 253
  31520. minLength: 1
  31521. pattern: ^[-._a-zA-Z0-9]+$
  31522. type: string
  31523. name:
  31524. description: The name of the Secret resource being referred to.
  31525. maxLength: 253
  31526. minLength: 1
  31527. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  31528. type: string
  31529. namespace:
  31530. description: |-
  31531. The namespace of the Secret resource being referred to.
  31532. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  31533. maxLength: 63
  31534. minLength: 1
  31535. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  31536. type: string
  31537. type: object
  31538. required:
  31539. - passwordSecret
  31540. - usernameSecret
  31541. type: object
  31542. type: object
  31543. body:
  31544. description: HTTP request body sent to the webhook server
  31545. type: string
  31546. caBundle:
  31547. description: |-
  31548. PEM encoded CA bundle used to validate the webhook server certificate. Only used
  31549. if the Server URL uses the HTTPS protocol. This parameter is ignored for
  31550. plain HTTP connections (note that over plain HTTP the request, including any headers and
  31551. templated secrets, is sent unencrypted). If not set, the system root certificates are used to validate the TLS connection.
  31552. format: byte
  31553. type: string
  31554. caProvider:
  31555. description: The provider for the CA bundle to use to validate webhook server certificate.
  31556. properties:
  31557. key:
  31558. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  31559. maxLength: 253
  31560. minLength: 1
  31561. pattern: ^[-._a-zA-Z0-9]+$
  31562. type: string
  31563. name:
  31564. description: The name of the object located at the provider type.
  31565. maxLength: 253
  31566. minLength: 1
  31567. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  31568. type: string
  31569. namespace:
  31570. description: The namespace the Provider type is in.
  31571. maxLength: 63
  31572. minLength: 1
  31573. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  31574. type: string
  31575. type:
  31576. description: The type of provider to use such as "Secret", or "ConfigMap".
  31577. enum:
  31578. - Secret
  31579. - ConfigMap
  31580. type: string
  31581. required:
  31582. - name
  31583. - type
  31584. type: object
  31585. headers:
  31586. additionalProperties:
  31587. type: string
  31588. description: HTTP headers added to the request sent to the webhook server
  31589. type: object
  31590. method:
  31591. description: HTTP method used for the request sent to the webhook server
  31592. type: string
  31593. result:
  31594. description: Result formatting
  31595. properties:
  31596. jsonPath:
  31597. description: Json path of return value
  31598. type: string
  31599. type: object
  31600. secrets:
  31601. description: |-
  31602. Secrets to fill in templates
  31603. These secrets will be passed to the templating function as key value pairs under the given name
  31604. items:
  31605. description: WebhookSecret defines a secret reference that will be used in webhook templates.
  31606. properties:
  31607. name:
  31608. description: Name of this secret in templates
  31609. type: string
  31610. secretRef:
  31611. description: Secret ref to fill in credentials
  31612. properties:
  31613. key:
  31614. description: The key where the token is found.
  31615. maxLength: 253
  31616. minLength: 1
  31617. pattern: ^[-._a-zA-Z0-9]+$
  31618. type: string
  31619. name:
  31620. description: The name of the Secret resource being referred to.
  31621. maxLength: 253
  31622. minLength: 1
  31623. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  31624. type: string
  31625. type: object
  31626. required:
  31627. - name
  31628. - secretRef
  31629. type: object
  31630. type: array
  31631. timeout:
  31632. description: Timeout for the request sent to the webhook server
  31633. type: string
  31634. url:
  31635. description: URL of the webhook server to call
  31636. type: string
  31637. required:
  31638. - result
  31639. - url
  31640. type: object
  31641. type: object
  31642. served: true
  31643. storage: true
  31644. subresources:
  31645. status: {}