
  1. apiVersion: apiextensions.k8s.io/v1
  2. kind: CustomResourceDefinition
  3. metadata:
  4. annotations:
  5. controller-gen.kubebuilder.io/version: v0.19.0
  6. labels:
  7. external-secrets.io/component: controller
  8. name: externalsecrets.external-secrets.io
  9. spec:
  10. group: external-secrets.io
  11. names:
  12. categories:
  13. - external-secrets
  14. kind: ExternalSecret
  15. listKind: ExternalSecretList
  16. plural: externalsecrets
  17. shortNames:
  18. - es
  19. singular: externalsecret
  20. scope: Namespaced
  21. versions:
  22. - additionalPrinterColumns:
  23. - jsonPath: .spec.secretStoreRef.kind
  24. name: StoreType
  25. type: string
  26. - jsonPath: .spec.secretStoreRef.name
  27. name: Store
  28. type: string
  29. - jsonPath: .spec.refreshInterval
  30. name: Refresh Interval
  31. type: string
  32. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  33. name: Status
  34. type: string
  35. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  36. name: Ready
  37. type: string
  38. - jsonPath: .status.refreshTime
  39. name: Last Sync
  40. type: date
  41. name: v1
  42. schema:
  43. openAPIV3Schema:
  44. description: |-
  45. ExternalSecret is the Schema for the external-secrets API.
  46. It defines how to fetch data from external APIs and make it available as Kubernetes Secrets.
  47. properties:
  48. apiVersion:
  49. description: |-
  50. APIVersion defines the versioned schema of this representation of an object.
  51. Servers should convert recognized schemas to the latest internal value, and
  52. may reject unrecognized values.
  53. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  54. type: string
  55. kind:
  56. description: |-
  57. Kind is a string value representing the REST resource this object represents.
  58. Servers may infer this from the endpoint the client submits requests to.
  59. Cannot be updated.
  60. In CamelCase.
  61. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  62. type: string
  63. metadata:
  64. type: object
  65. spec:
  66. description: ExternalSecretSpec defines the desired state of ExternalSecret.
  67. properties:
  68. data:
  69. description: Data defines the connection between the Kubernetes Secret
  70. keys and the Provider data
  71. items:
  72. description: ExternalSecretData defines the connection between the
  73. Kubernetes Secret key (spec.data.<key>) and the Provider data.
  74. properties:
  75. remoteRef:
  76. description: |-
  77. RemoteRef points to the remote secret and defines
  78. which secret (version/property/..) to fetch.
  79. properties:
  80. conversionStrategy:
  81. default: Default
  82. description: Used to define a conversion Strategy
  83. enum:
  84. - Default
  85. - Unicode
  86. type: string
  87. decodingStrategy:
  88. default: None
  89. description: Used to define a decoding Strategy
  90. enum:
  91. - Auto
  92. - Base64
  93. - Base64URL
  94. - None
  95. type: string
  96. key:
  97. description: Key is the key used in the Provider, mandatory
  98. type: string
  99. metadataPolicy:
  100. default: None
  101. description: Policy for fetching tags/labels from provider
  102. secrets, possible options are Fetch, None. Defaults to
  103. None
  104. enum:
  105. - None
  106. - Fetch
  107. type: string
  108. nullBytePolicy:
  109. default: Ignore
  110. description: Controls how ESO handles fetched secret data
  111. containing NUL bytes for this source.
  112. enum:
  113. - Ignore
  114. - Fail
  115. type: string
  116. property:
  117. description: Used to select a specific property of the Provider
  118. value (if a map), if supported
  119. type: string
  120. version:
  121. description: Used to select a specific version of the Provider
  122. value, if supported
  123. type: string
  124. required:
  125. - key
  126. type: object
  127. secretKey:
  128. description: The key in the Kubernetes Secret to store the value.
  129. maxLength: 253
  130. minLength: 1
  131. pattern: ^[-._a-zA-Z0-9]+$
  132. type: string
  133. sourceRef:
  134. description: |-
  135. SourceRef allows you to override the source
  136. from which the value will be pulled.
  137. maxProperties: 1
  138. minProperties: 1
  139. properties:
  140. generatorRef:
  141. description: |-
  142. GeneratorRef points to a generator custom resource.
  143. Deprecated: The generatorRef is not implemented in .data[].
  144. this will be removed with v1.
  145. properties:
  146. apiVersion:
  147. default: generators.external-secrets.io/v1alpha1
  148. description: Specify the apiVersion of the generator
  149. resource
  150. type: string
  151. kind:
  152. description: Specify the Kind of the generator resource
  153. enum:
  154. - ACRAccessToken
  155. - ClusterGenerator
  156. - CloudsmithAccessToken
  157. - ECRAuthorizationToken
  158. - Fake
  159. - GCRAccessToken
  160. - GithubAccessToken
  161. - QuayAccessToken
  162. - Password
  163. - SSHKey
  164. - STSSessionToken
  165. - UUID
  166. - VaultDynamicSecret
  167. - Webhook
  168. - Grafana
  169. - MFA
  170. type: string
  171. name:
  172. description: Specify the name of the generator resource
  173. maxLength: 253
  174. minLength: 1
  175. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  176. type: string
  177. required:
  178. - kind
  179. - name
  180. type: object
  181. storeRef:
  182. description: SecretStoreRef defines which SecretStore to
  183. fetch the ExternalSecret data.
  184. properties:
  185. kind:
  186. description: |-
  187. Kind of the SecretStore resource (SecretStore, ClusterSecretStore, Provider or ClusterProvider)
  188. Defaults to `SecretStore`
  189. enum:
  190. - SecretStore
  191. - ClusterSecretStore
  192. - Provider
  193. - ClusterProvider
  194. type: string
  195. name:
  196. description: Name of the SecretStore resource
  197. maxLength: 253
  198. minLength: 1
  199. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  200. type: string
  201. type: object
  202. type: object
  203. required:
  204. - remoteRef
  205. - secretKey
  206. type: object
  207. type: array
  208. dataFrom:
  209. description: |-
  210. DataFrom is used to fetch all properties from a specific Provider data
  211. If multiple entries are specified, the Secret keys are merged in the specified order
  212. items:
  213. description: |-
  214. ExternalSecretDataFromRemoteRef defines the connection between the Kubernetes Secret keys and the Provider data
  215. when using DataFrom to fetch multiple values from a Provider.
  216. properties:
  217. extract:
  218. description: |-
  219. Used to extract multiple key/value pairs from one secret
  220. Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
  221. properties:
  222. conversionStrategy:
  223. default: Default
  224. description: Used to define a conversion Strategy
  225. enum:
  226. - Default
  227. - Unicode
  228. type: string
  229. decodingStrategy:
  230. default: None
  231. description: Used to define a decoding Strategy
  232. enum:
  233. - Auto
  234. - Base64
  235. - Base64URL
  236. - None
  237. type: string
  238. key:
  239. description: Key is the key used in the Provider, mandatory
  240. type: string
  241. metadataPolicy:
  242. default: None
  243. description: Policy for fetching tags/labels from provider
  244. secrets, possible options are Fetch, None. Defaults to
  245. None
  246. enum:
  247. - None
  248. - Fetch
  249. type: string
  250. nullBytePolicy:
  251. default: Ignore
  252. description: Controls how ESO handles fetched secret data
  253. containing NUL bytes for this source.
  254. enum:
  255. - Ignore
  256. - Fail
  257. type: string
  258. property:
  259. description: Used to select a specific property of the Provider
  260. value (if a map), if supported
  261. type: string
  262. version:
  263. description: Used to select a specific version of the Provider
  264. value, if supported
  265. type: string
  266. required:
  267. - key
  268. type: object
  269. find:
  270. description: |-
  271. Used to find secrets based on tags or regular expressions
  272. Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
  273. properties:
  274. conversionStrategy:
  275. default: Default
  276. description: Used to define a conversion Strategy
  277. enum:
  278. - Default
  279. - Unicode
  280. type: string
  281. decodingStrategy:
  282. default: None
  283. description: Used to define a decoding Strategy
  284. enum:
  285. - Auto
  286. - Base64
  287. - Base64URL
  288. - None
  289. type: string
  290. name:
  291. description: Finds secrets based on the name.
  292. properties:
  293. regexp:
  294. description: Finds secrets based on a regular expression.
  295. type: string
  296. type: object
  297. nullBytePolicy:
  298. default: Ignore
  299. description: Controls how ESO handles fetched secret data
  300. containing NUL bytes for this find source.
  301. enum:
  302. - Ignore
  303. - Fail
  304. type: string
  305. path:
  306. description: A root path to start the find operations.
  307. type: string
  308. tags:
  309. additionalProperties:
  310. type: string
  311. description: Find secrets based on tags.
  312. type: object
  313. type: object
  314. rewrite:
  315. description: |-
  316. Used to rewrite secret Keys after getting them from the secret Provider
  317. Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
  318. items:
  319. description: ExternalSecretRewrite defines how to rewrite
  320. secret data values before they are written to the Secret.
  321. maxProperties: 1
  322. minProperties: 1
  323. properties:
  324. merge:
  325. description: |-
  326. Used to merge key/values in one single Secret
  327. The resulting key will contain all values from the specified secrets
  328. properties:
  329. conflictPolicy:
  330. default: Error
  331. description: Used to define the policy to use in conflict
  332. resolution.
  333. enum:
  334. - Ignore
  335. - Error
  336. type: string
  337. into:
  338. default: ""
  339. description: |-
  340. Used to define the target key of the merge operation.
  341. Required if strategy is JSON. Ignored otherwise.
  342. type: string
  343. priority:
  344. description: Used to define key priority in conflict
  345. resolution.
  346. items:
  347. type: string
  348. type: array
  349. priorityPolicy:
  350. default: Strict
  351. description: Used to define the policy when a key
  352. in the priority list does not exist in the input.
  353. enum:
  354. - IgnoreNotFound
  355. - Strict
  356. type: string
  357. strategy:
  358. default: Extract
  359. description: Used to define the strategy to use in
  360. the merge operation.
  361. enum:
  362. - Extract
  363. - JSON
  364. type: string
  365. type: object
  366. regexp:
  367. description: |-
  368. Used to rewrite with regular expressions.
  369. The resulting key will be the output of a regexp.ReplaceAll operation.
  370. properties:
  371. source:
  372. description: Used to define the regular expression
  373. of a re.Compiler.
  374. type: string
  375. target:
  376. description: Used to define the target pattern of
  377. a ReplaceAll operation.
  378. type: string
  379. required:
  380. - source
  381. - target
  382. type: object
  383. transform:
  384. description: |-
  385. Used to apply string transformation on the secrets.
  386. The resulting key will be the output of the template applied by the operation.
  387. properties:
  388. template:
  389. description: |-
  390. Used to define the template to apply on the secret name.
  391. `.value` will specify the secret name in the template.
  392. type: string
  393. required:
  394. - template
  395. type: object
  396. type: object
  397. type: array
  398. sourceRef:
  399. description: |-
  400. SourceRef points to a store or generator
  401. which contains secret values ready to use.
  402. Use this in combination with Extract or Find to pull values out of
  403. a specific SecretStore.
  404. When sourceRef points to a generator Extract or Find is not supported.
  405. The generator returns a static map of values
  406. maxProperties: 1
  407. minProperties: 1
  408. properties:
  409. generatorRef:
  410. description: GeneratorRef points to a generator custom resource.
  411. properties:
  412. apiVersion:
  413. default: generators.external-secrets.io/v1alpha1
  414. description: Specify the apiVersion of the generator
  415. resource
  416. type: string
  417. kind:
  418. description: Specify the Kind of the generator resource
  419. enum:
  420. - ACRAccessToken
  421. - ClusterGenerator
  422. - CloudsmithAccessToken
  423. - ECRAuthorizationToken
  424. - Fake
  425. - GCRAccessToken
  426. - GithubAccessToken
  427. - QuayAccessToken
  428. - Password
  429. - SSHKey
  430. - STSSessionToken
  431. - UUID
  432. - VaultDynamicSecret
  433. - Webhook
  434. - Grafana
  435. - MFA
  436. type: string
  437. name:
  438. description: Specify the name of the generator resource
  439. maxLength: 253
  440. minLength: 1
  441. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  442. type: string
  443. required:
  444. - kind
  445. - name
  446. type: object
  447. storeRef:
  448. description: SecretStoreRef defines which SecretStore to
  449. fetch the ExternalSecret data.
  450. properties:
  451. kind:
  452. description: |-
  453. Kind of the SecretStore resource (SecretStore, ClusterSecretStore, Provider or ClusterProvider)
  454. Defaults to `SecretStore`
  455. enum:
  456. - SecretStore
  457. - ClusterSecretStore
  458. - Provider
  459. - ClusterProvider
  460. type: string
  461. name:
  462. description: Name of the SecretStore resource
  463. maxLength: 253
  464. minLength: 1
  465. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  466. type: string
  467. type: object
  468. type: object
  469. type: object
  470. type: array
  471. refreshInterval:
  472. default: 1h0m0s
  473. description: |-
  474. RefreshInterval is the amount of time before the values are read again from the SecretStore provider,
  475. specified as Golang Duration strings.
  476. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
  477. Example values: "1h0m0s", "2h30m0s", "10m0s"
  478. May be set to "0s" to fetch and create it once. Defaults to 1h0m0s.
  479. type: string
  480. refreshPolicy:
  481. description: |-
  482. RefreshPolicy determines how the ExternalSecret should be refreshed:
  483. - CreatedOnce: Creates the Secret only if it does not exist and does not update it thereafter
  484. - Periodic: Synchronizes the Secret from the external source at regular intervals specified by refreshInterval.
  485. No periodic updates occur if refreshInterval is 0.
  486. - OnChange: Only synchronizes the Secret when the ExternalSecret's metadata or specification changes
  487. enum:
  488. - CreatedOnce
  489. - Periodic
  490. - OnChange
  491. type: string
  492. secretStoreRef:
  493. description: SecretStoreRef defines which SecretStore to fetch the
  494. ExternalSecret data.
  495. properties:
  496. kind:
  497. description: |-
  498. Kind of the SecretStore resource (SecretStore, ClusterSecretStore, Provider or ClusterProvider)
  499. Defaults to `SecretStore`
  500. enum:
  501. - SecretStore
  502. - ClusterSecretStore
  503. - Provider
  504. - ClusterProvider
  505. type: string
  506. name:
  507. description: Name of the SecretStore resource
  508. maxLength: 253
  509. minLength: 1
  510. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  511. type: string
  512. type: object
  513. target:
  514. default:
  515. creationPolicy: Owner
  516. deletionPolicy: Retain
  517. description: |-
  518. ExternalSecretTarget defines the Kubernetes Secret to be created,
  519. there can be only one target per ExternalSecret.
  520. properties:
  521. creationPolicy:
  522. default: Owner
  523. description: |-
  524. CreationPolicy defines rules on how to create the resulting Secret.
  525. Defaults to "Owner"
  526. enum:
  527. - Owner
  528. - Orphan
  529. - Merge
  530. - None
  531. type: string
  532. deletionPolicy:
  533. default: Retain
  534. description: |-
  535. DeletionPolicy defines rules on how to delete the resulting Secret.
  536. Defaults to "Retain"
  537. enum:
  538. - Delete
  539. - Merge
  540. - Retain
  541. type: string
  542. immutable:
  543. description: Immutable defines if the final secret will be immutable
  544. type: boolean
  545. manifest:
  546. description: |-
  547. Manifest defines a custom Kubernetes resource to create instead of a Secret.
  548. When specified, ExternalSecret will create the resource type defined here
  549. (e.g., ConfigMap, Custom Resource) instead of a Secret.
  550. Warning: Using Generic target. Make sure access policies and encryption are properly configured.
  551. properties:
  552. apiVersion:
  553. description: APIVersion of the target resource (e.g., "v1"
  554. for ConfigMap, "argoproj.io/v1alpha1" for ArgoCD Application)
  555. minLength: 1
  556. type: string
  557. kind:
  558. description: Kind of the target resource (e.g., "ConfigMap",
  559. "Application")
  560. minLength: 1
  561. type: string
  562. required:
  563. - apiVersion
  564. - kind
  565. type: object
  566. name:
  567. description: |-
  568. The name of the Secret resource to be managed.
  569. Defaults to the .metadata.name of the ExternalSecret resource
  570. maxLength: 253
  571. minLength: 1
  572. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  573. type: string
  574. template:
  575. description: Template defines a blueprint for the created Secret
  576. resource.
  577. properties:
  578. data:
  579. additionalProperties:
  580. type: string
  581. type: object
  582. engineVersion:
  583. default: v2
  584. description: |-
  585. EngineVersion specifies the template engine version
  586. that should be used to compile/execute the
  587. template specified in .data and .templateFrom[].
  588. enum:
  589. - v2
  590. type: string
  591. mergePolicy:
  592. default: Replace
  593. description: TemplateMergePolicy defines how the rendered
  594. template should be merged with the existing Secret data.
  595. enum:
  596. - Replace
  597. - Merge
  598. type: string
  599. metadata:
  600. description: ExternalSecretTemplateMetadata defines metadata
  601. fields for the Secret blueprint.
  602. properties:
  603. annotations:
  604. additionalProperties:
  605. type: string
  606. type: object
  607. finalizers:
  608. items:
  609. type: string
  610. type: array
  611. labels:
  612. additionalProperties:
  613. type: string
  614. type: object
  615. type: object
  616. templateFrom:
  617. items:
  618. description: |-
  619. TemplateFrom specifies a source for templates.
  620. Each item in the list can either reference a ConfigMap or a Secret resource.
  621. properties:
  622. configMap:
  623. description: TemplateRef specifies a reference to either
  624. a ConfigMap or a Secret resource.
  625. properties:
  626. items:
  627. description: A list of keys in the ConfigMap/Secret
  628. to use as templates for Secret data
  629. items:
  630. description: TemplateRefItem specifies a key in
  631. the ConfigMap/Secret to use as a template for
  632. Secret data.
  633. properties:
  634. key:
  635. description: A key in the ConfigMap/Secret
  636. maxLength: 253
  637. minLength: 1
  638. pattern: ^[-._a-zA-Z0-9]+$
  639. type: string
  640. templateAs:
  641. default: Values
  642. description: TemplateScope specifies how the
  643. template keys should be interpreted.
  644. enum:
  645. - Values
  646. - KeysAndValues
  647. type: string
  648. required:
  649. - key
  650. type: object
  651. type: array
  652. name:
  653. description: The name of the ConfigMap/Secret resource
  654. maxLength: 253
  655. minLength: 1
  656. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  657. type: string
  658. required:
  659. - items
  660. - name
  661. type: object
  662. literal:
  663. type: string
  664. secret:
  665. description: TemplateRef specifies a reference to either
  666. a ConfigMap or a Secret resource.
  667. properties:
  668. items:
  669. description: A list of keys in the ConfigMap/Secret
  670. to use as templates for Secret data
  671. items:
  672. description: TemplateRefItem specifies a key in
  673. the ConfigMap/Secret to use as a template for
  674. Secret data.
  675. properties:
  676. key:
  677. description: A key in the ConfigMap/Secret
  678. maxLength: 253
  679. minLength: 1
  680. pattern: ^[-._a-zA-Z0-9]+$
  681. type: string
  682. templateAs:
  683. default: Values
  684. description: TemplateScope specifies how the
  685. template keys should be interpreted.
  686. enum:
  687. - Values
  688. - KeysAndValues
  689. type: string
  690. required:
  691. - key
  692. type: object
  693. type: array
  694. name:
  695. description: The name of the ConfigMap/Secret resource
  696. maxLength: 253
  697. minLength: 1
  698. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  699. type: string
  700. required:
  701. - items
  702. - name
  703. type: object
  704. target:
  705. default: Data
  706. description: |-
  707. Target specifies where to place the template result.
  708. For Secret resources, common values are: "Data", "Annotations", "Labels".
  709. For custom resources (when spec.target.manifest is set), this supports
  710. nested paths like "spec.database.config" or "data".
  711. type: string
  712. type: object
  713. type: array
  714. type:
  715. type: string
  716. type: object
  717. type: object
  718. type: object
  719. status:
  720. description: ExternalSecretStatus defines the observed state of ExternalSecret.
  721. properties:
  722. binding:
  723. description: Binding represents a servicebinding.io Provisioned Service
  724. reference to the secret
  725. properties:
  726. name:
  727. default: ""
  728. description: |-
  729. Name of the referent.
  730. This field is effectively required, but due to backwards compatibility is
  731. allowed to be empty. Instances of this type with an empty value here are
  732. almost certainly wrong.
  733. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
  734. type: string
  735. type: object
  736. x-kubernetes-map-type: atomic
  737. conditions:
  738. items:
  739. description: ExternalSecretStatusCondition defines a status condition
  740. of an ExternalSecret resource.
  741. properties:
  742. lastTransitionTime:
  743. format: date-time
  744. type: string
  745. message:
  746. type: string
  747. reason:
  748. type: string
  749. status:
  750. type: string
  751. type:
  752. description: ExternalSecretConditionType defines a value type
  753. for ExternalSecret conditions.
  754. enum:
  755. - Ready
  756. - Deleted
  757. type: string
  758. required:
  759. - status
  760. - type
  761. type: object
  762. type: array
  763. refreshTime:
  764. description: |-
  765. refreshTime is the time and date the external secret was fetched and
  766. the target secret updated
  767. format: date-time
  768. nullable: true
  769. type: string
  770. syncedResourceVersion:
  771. description: SyncedResourceVersion keeps track of the last synced
  772. version
  773. type: string
  774. type: object
  775. type: object
  776. selectableFields:
  777. - jsonPath: .spec.secretStoreRef.name
  778. - jsonPath: .spec.secretStoreRef.kind
  779. - jsonPath: .spec.target.name
  780. - jsonPath: .spec.refreshInterval
  781. served: true
  782. storage: true
  783. subresources:
  784. status: {}
  785. - additionalPrinterColumns:
  786. - jsonPath: .spec.secretStoreRef.kind
  787. name: StoreType
  788. type: string
  789. - jsonPath: .spec.secretStoreRef.name
  790. name: Store
  791. type: string
  792. - jsonPath: .spec.refreshInterval
  793. name: Refresh Interval
  794. type: string
  795. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  796. name: Status
  797. type: string
  798. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  799. name: Ready
  800. type: string
  801. - jsonPath: .status.refreshTime
  802. name: Last Sync
  803. type: date
  804. deprecated: true
  805. name: v1beta1
  806. schema:
  807. openAPIV3Schema:
  808. description: ExternalSecret is the schema for the external-secrets API.
  809. properties:
  810. apiVersion:
  811. description: |-
  812. APIVersion defines the versioned schema of this representation of an object.
  813. Servers should convert recognized schemas to the latest internal value, and
  814. may reject unrecognized values.
  815. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  816. type: string
  817. kind:
  818. description: |-
  819. Kind is a string value representing the REST resource this object represents.
  820. Servers may infer this from the endpoint the client submits requests to.
  821. Cannot be updated.
  822. In CamelCase.
  823. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  824. type: string
  825. metadata:
  826. type: object
  827. spec:
  828. description: ExternalSecretSpec defines the desired state of ExternalSecret.
  829. properties:
  830. data:
  831. description: Data defines the connection between the Kubernetes Secret
  832. keys and the Provider data
  833. items:
  834. description: ExternalSecretData defines the connection between the
  835. Kubernetes Secret key (spec.data.<key>) and the Provider data.
  836. properties:
  837. remoteRef:
  838. description: |-
  839. RemoteRef points to the remote secret and defines
  840. which secret (version/property/..) to fetch.
  841. properties:
  842. conversionStrategy:
  843. default: Default
  844. description: Used to define a conversion Strategy
  845. enum:
  846. - Default
  847. - Unicode
  848. type: string
  849. decodingStrategy:
  850. default: None
  851. description: Used to define a decoding Strategy
  852. enum:
  853. - Auto
  854. - Base64
  855. - Base64URL
  856. - None
  857. type: string
  858. key:
  859. description: Key is the key used in the Provider, mandatory
  860. type: string
  861. metadataPolicy:
  862. default: None
  863. description: Policy for fetching tags/labels from provider
  864. secrets, possible options are Fetch, None. Defaults to
  865. None
  866. enum:
  867. - None
  868. - Fetch
  869. type: string
  870. property:
  871. description: Used to select a specific property of the Provider
  872. value (if a map), if supported
  873. type: string
  874. version:
  875. description: Used to select a specific version of the Provider
  876. value, if supported
  877. type: string
  878. required:
  879. - key
  880. type: object
  881. secretKey:
  882. description: The key in the Kubernetes Secret to store the value.
  883. maxLength: 253
  884. minLength: 1
  885. pattern: ^[-._a-zA-Z0-9]+$
  886. type: string
  887. sourceRef:
  888. description: |-
  889. SourceRef allows you to override the source
  890. from which the value will be pulled.
  891. maxProperties: 1
  892. minProperties: 1
  893. properties:
  894. generatorRef:
  895. description: |-
  896. GeneratorRef points to a generator custom resource.
  897. Deprecated: The generatorRef is not implemented in .data[].
  898. This will be removed with v1.
  899. properties:
  900. apiVersion:
  901. default: generators.external-secrets.io/v1alpha1
  902. description: Specify the apiVersion of the generator
  903. resource
  904. type: string
  905. kind:
  906. description: Specify the Kind of the generator resource
  907. enum:
  908. - ACRAccessToken
  909. - ClusterGenerator
  910. - ECRAuthorizationToken
  911. - Fake
  912. - GCRAccessToken
  913. - GithubAccessToken
  914. - QuayAccessToken
  915. - Password
  916. - SSHKey
  917. - STSSessionToken
  918. - UUID
  919. - VaultDynamicSecret
  920. - Webhook
  921. - Grafana
  922. type: string
  923. name:
  924. description: Specify the name of the generator resource
  925. maxLength: 253
  926. minLength: 1
  927. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  928. type: string
  929. required:
  930. - kind
  931. - name
  932. type: object
  933. storeRef:
  934. description: SecretStoreRef defines which SecretStore to
  935. fetch the ExternalSecret data from.
  936. properties:
  937. kind:
  938. description: |-
  939. Kind of the SecretStore resource (SecretStore, ClusterSecretStore, Provider or ClusterProvider)
  940. Defaults to `SecretStore`
  941. enum:
  942. - SecretStore
  943. - ClusterSecretStore
  944. - Provider
  945. - ClusterProvider
  946. type: string
  947. name:
  948. description: Name of the SecretStore resource
  949. maxLength: 253
  950. minLength: 1
  951. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  952. type: string
  953. type: object
  954. type: object
  955. required:
  956. - remoteRef
  957. - secretKey
  958. type: object
  959. type: array
  960. dataFrom:
  961. description: |-
  962. DataFrom is used to fetch all properties from a specific Provider data
  963. If multiple entries are specified, the Secret keys are merged in the specified order
  964. items:
  965. description: ExternalSecretDataFromRemoteRef defines a reference
  966. to multiple secrets in the provider to be fetched using options.
  967. properties:
  968. extract:
  969. description: |-
  970. Used to extract multiple key/value pairs from one secret
  971. Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
  972. properties:
  973. conversionStrategy:
  974. default: Default
  975. description: Used to define a conversion Strategy
  976. enum:
  977. - Default
  978. - Unicode
  979. type: string
  980. decodingStrategy:
  981. default: None
  982. description: Used to define a decoding Strategy
  983. enum:
  984. - Auto
  985. - Base64
  986. - Base64URL
  987. - None
  988. type: string
  989. key:
  990. description: Key is the key used in the Provider, mandatory
  991. type: string
  992. metadataPolicy:
  993. default: None
  994. description: Policy for fetching tags/labels from provider
  995. secrets; possible options are Fetch and None. Defaults to
  996. None.
  997. enum:
  998. - None
  999. - Fetch
  1000. type: string
  1001. property:
  1002. description: Used to select a specific property of the Provider
  1003. value (if a map), if supported
  1004. type: string
  1005. version:
  1006. description: Used to select a specific version of the Provider
  1007. value, if supported
  1008. type: string
  1009. required:
  1010. - key
  1011. type: object
  1012. find:
  1013. description: |-
  1014. Used to find secrets based on tags or regular expressions
  1015. Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
  1016. properties:
  1017. conversionStrategy:
  1018. default: Default
  1019. description: Used to define a conversion Strategy
  1020. enum:
  1021. - Default
  1022. - Unicode
  1023. type: string
  1024. decodingStrategy:
  1025. default: None
  1026. description: Used to define a decoding Strategy
  1027. enum:
  1028. - Auto
  1029. - Base64
  1030. - Base64URL
  1031. - None
  1032. type: string
  1033. name:
  1034. description: Finds secrets based on the name.
  1035. properties:
  1036. regexp:
  1037. description: Finds secrets whose name matches this regular expression.
  1038. type: string
  1039. type: object
  1040. path:
  1041. description: A root path to start the find operations.
  1042. type: string
  1043. tags:
  1044. additionalProperties:
  1045. type: string
  1046. description: Find secrets based on tags.
  1047. type: object
  1048. type: object
  1049. rewrite:
  1050. description: |-
  1051. Used to rewrite secret Keys after getting them from the secret Provider
  1052. Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
  1053. items:
  1054. description: ExternalSecretRewrite defines rules on how to
  1055. rewrite secret keys.
  1056. maxProperties: 1
  1057. minProperties: 1
  1058. properties:
  1059. regexp:
  1060. description: |-
  1061. Used to rewrite with regular expressions.
  1062. The resulting key will be the output of a regexp.ReplaceAll operation.
  1063. properties:
  1064. source:
  1065. description: Used to define the regular expression
  1066. of a re.Compiler.
  1067. type: string
  1068. target:
  1069. description: Used to define the target pattern of
  1070. a ReplaceAll operation.
  1071. type: string
  1072. required:
  1073. - source
  1074. - target
  1075. type: object
  1076. transform:
  1077. description: |-
  1078. Used to apply string transformation on the secrets.
  1079. The resulting key will be the output of the template applied by the operation.
  1080. properties:
  1081. template:
  1082. description: |-
  1083. Used to define the template to apply on the secret name.
  1084. `.value` will specify the secret name in the template.
  1085. type: string
  1086. required:
  1087. - template
  1088. type: object
  1089. type: object
  1090. type: array
  1091. sourceRef:
  1092. description: |-
  1093. SourceRef points to a store or generator
  1094. which contains secret values ready to use.
  1095. Use this in combination with Extract or Find to pull values out of
  1096. a specific SecretStore.
  1097. When sourceRef points to a generator Extract or Find is not supported.
  1098. The generator returns a static map of values
  1099. maxProperties: 1
  1100. minProperties: 1
  1101. properties:
  1102. generatorRef:
  1103. description: GeneratorRef points to a generator custom resource.
  1104. properties:
  1105. apiVersion:
  1106. default: generators.external-secrets.io/v1alpha1
  1107. description: Specify the apiVersion of the generator
  1108. resource
  1109. type: string
  1110. kind:
  1111. description: Specify the Kind of the generator resource
  1112. enum:
  1113. - ACRAccessToken
  1114. - ClusterGenerator
  1115. - ECRAuthorizationToken
  1116. - Fake
  1117. - GCRAccessToken
  1118. - GithubAccessToken
  1119. - QuayAccessToken
  1120. - Password
  1121. - SSHKey
  1122. - STSSessionToken
  1123. - UUID
  1124. - VaultDynamicSecret
  1125. - Webhook
  1126. - Grafana
  1127. type: string
  1128. name:
  1129. description: Specify the name of the generator resource
  1130. maxLength: 253
  1131. minLength: 1
  1132. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1133. type: string
  1134. required:
  1135. - kind
  1136. - name
  1137. type: object
  1138. storeRef:
  1139. description: SecretStoreRef defines which SecretStore to
  1140. fetch the ExternalSecret data from.
  1141. properties:
  1142. kind:
  1143. description: |-
  1144. Kind of the SecretStore resource (SecretStore, ClusterSecretStore, Provider or ClusterProvider)
  1145. Defaults to `SecretStore`
  1146. enum:
  1147. - SecretStore
  1148. - ClusterSecretStore
  1149. - Provider
  1150. - ClusterProvider
  1151. type: string
  1152. name:
  1153. description: Name of the SecretStore resource
  1154. maxLength: 253
  1155. minLength: 1
  1156. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1157. type: string
  1158. type: object
  1159. type: object
  1160. type: object
  1161. type: array
  1162. refreshInterval:
  1163. default: 1h0m0s
  1164. description: |-
  1165. RefreshInterval is the amount of time before the values are read again from the SecretStore provider,
  1166. specified as Golang Duration strings.
  1167. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
  1168. Example values: "1h0m0s", "2h30m0s", "10m0s"
  1169. May be set to "0s" to fetch and create it once. Defaults to 1h0m0s.
  1170. type: string
  1171. refreshPolicy:
  1172. description: |-
  1173. RefreshPolicy determines how the ExternalSecret should be refreshed:
  1174. - CreatedOnce: Creates the Secret only if it does not exist and does not update it thereafter
  1175. - Periodic: Synchronizes the Secret from the external source at regular intervals specified by refreshInterval.
  1176. No periodic updates occur if refreshInterval is 0.
  1177. - OnChange: Only synchronizes the Secret when the ExternalSecret's metadata or specification changes
  1178. enum:
  1179. - CreatedOnce
  1180. - Periodic
  1181. - OnChange
  1182. type: string
  1183. secretStoreRef:
  1184. description: SecretStoreRef defines which SecretStore to fetch the
  1185. ExternalSecret data from.
  1186. properties:
  1187. kind:
  1188. description: |-
  1189. Kind of the SecretStore resource (SecretStore, ClusterSecretStore, Provider or ClusterProvider)
  1190. Defaults to `SecretStore`
  1191. enum:
  1192. - SecretStore
  1193. - ClusterSecretStore
  1194. - Provider
  1195. - ClusterProvider
  1196. type: string
  1197. name:
  1198. description: Name of the SecretStore resource
  1199. maxLength: 253
  1200. minLength: 1
  1201. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1202. type: string
  1203. type: object
  1204. target:
  1205. default:
  1206. creationPolicy: Owner
  1207. deletionPolicy: Retain
  1208. description: |-
  1209. ExternalSecretTarget defines the Kubernetes Secret to be created
  1210. There can be only one target per ExternalSecret.
  1211. properties:
  1212. creationPolicy:
  1213. default: Owner
  1214. description: |-
  1215. CreationPolicy defines rules on how to create the resulting Secret.
  1216. Defaults to "Owner"
  1217. enum:
  1218. - Owner
  1219. - Orphan
  1220. - Merge
  1221. - None
  1222. type: string
  1223. deletionPolicy:
  1224. default: Retain
  1225. description: |-
  1226. DeletionPolicy defines rules on how to delete the resulting Secret.
  1227. Defaults to "Retain"
  1228. enum:
  1229. - Delete
  1230. - Merge
  1231. - Retain
  1232. type: string
  1233. immutable:
  1234. description: Immutable defines if the final secret will be immutable
  1235. type: boolean
  1236. name:
  1237. description: |-
  1238. The name of the Secret resource to be managed.
  1239. Defaults to the .metadata.name of the ExternalSecret resource
  1240. maxLength: 253
  1241. minLength: 1
  1242. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1243. type: string
  1244. template:
  1245. description: Template defines a blueprint for the created Secret
  1246. resource.
  1247. properties:
  1248. data:
  1249. additionalProperties:
  1250. type: string
  1251. type: object
  1252. engineVersion:
  1253. default: v2
  1254. description: |-
  1255. EngineVersion specifies the template engine version
  1256. that should be used to compile/execute the
  1257. template specified in .data and .templateFrom[].
  1258. enum:
  1259. - v2
  1260. type: string
  1261. mergePolicy:
  1262. default: Replace
  1263. description: TemplateMergePolicy defines how template values
  1264. should be merged when generating a secret.
  1265. enum:
  1266. - Replace
  1267. - Merge
  1268. type: string
  1269. metadata:
  1270. description: ExternalSecretTemplateMetadata defines metadata
  1271. fields for the Secret blueprint.
  1272. properties:
  1273. annotations:
  1274. additionalProperties:
  1275. type: string
  1276. type: object
  1277. labels:
  1278. additionalProperties:
  1279. type: string
  1280. type: object
  1281. type: object
  1282. templateFrom:
  1283. items:
  1284. description: TemplateFrom defines a source for template
  1285. data.
  1286. properties:
  1287. configMap:
  1288. description: TemplateRef defines a reference to a template
  1289. source in a ConfigMap or Secret.
  1290. properties:
  1291. items:
  1292. description: A list of keys in the ConfigMap/Secret
  1293. to use as templates for Secret data
  1294. items:
  1295. description: TemplateRefItem defines which key
  1296. in the referenced ConfigMap or Secret to use
  1297. as a template.
  1298. properties:
  1299. key:
  1300. description: A key in the ConfigMap/Secret
  1301. maxLength: 253
  1302. minLength: 1
  1303. pattern: ^[-._a-zA-Z0-9]+$
  1304. type: string
  1305. templateAs:
  1306. default: Values
  1307. description: TemplateScope defines the scope
  1308. of the template when processing template
  1309. data.
  1310. enum:
  1311. - Values
  1312. - KeysAndValues
  1313. type: string
  1314. required:
  1315. - key
  1316. type: object
  1317. type: array
  1318. name:
  1319. description: The name of the ConfigMap/Secret resource
  1320. maxLength: 253
  1321. minLength: 1
  1322. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1323. type: string
  1324. required:
  1325. - items
  1326. - name
  1327. type: object
  1328. literal:
  1329. type: string
  1330. secret:
  1331. description: TemplateRef defines a reference to a template
  1332. source in a ConfigMap or Secret.
  1333. properties:
  1334. items:
  1335. description: A list of keys in the ConfigMap/Secret
  1336. to use as templates for Secret data
  1337. items:
  1338. description: TemplateRefItem defines which key
  1339. in the referenced ConfigMap or Secret to use
  1340. as a template.
  1341. properties:
  1342. key:
  1343. description: A key in the ConfigMap/Secret
  1344. maxLength: 253
  1345. minLength: 1
  1346. pattern: ^[-._a-zA-Z0-9]+$
  1347. type: string
  1348. templateAs:
  1349. default: Values
  1350. description: TemplateScope defines the scope
  1351. of the template when processing template
  1352. data.
  1353. enum:
  1354. - Values
  1355. - KeysAndValues
  1356. type: string
  1357. required:
  1358. - key
  1359. type: object
  1360. type: array
  1361. name:
  1362. description: The name of the ConfigMap/Secret resource
  1363. maxLength: 253
  1364. minLength: 1
  1365. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1366. type: string
  1367. required:
  1368. - items
  1369. - name
  1370. type: object
  1371. target:
  1372. default: Data
  1373. description: TemplateTarget defines the target field
  1374. where the template result will be stored.
  1375. enum:
  1376. - Data
  1377. - Annotations
  1378. - Labels
  1379. type: string
  1380. type: object
  1381. type: array
  1382. type:
  1383. type: string
  1384. type: object
  1385. type: object
  1386. type: object
  1387. status:
  1388. description: ExternalSecretStatus defines the observed state of ExternalSecret.
  1389. properties:
  1390. binding:
  1391. description: Binding represents a servicebinding.io Provisioned Service
  1392. reference to the secret
  1393. properties:
  1394. name:
  1395. default: ""
  1396. description: |-
  1397. Name of the referent.
  1398. This field is effectively required, but due to backwards compatibility is
  1399. allowed to be empty. Instances of this type with an empty value here are
  1400. almost certainly wrong.
  1401. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
  1402. type: string
  1403. type: object
  1404. x-kubernetes-map-type: atomic
  1405. conditions:
  1406. items:
  1407. description: ExternalSecretStatusCondition contains condition information
  1408. for an ExternalSecret.
  1409. properties:
  1410. lastTransitionTime:
  1411. format: date-time
  1412. type: string
  1413. message:
  1414. type: string
  1415. reason:
  1416. type: string
  1417. status:
  1418. type: string
  1419. type:
  1420. description: ExternalSecretConditionType defines the condition
  1421. type for an ExternalSecret.
  1422. type: string
  1423. required:
  1424. - status
  1425. - type
  1426. type: object
  1427. type: array
  1428. refreshTime:
  1429. description: |-
  1430. refreshTime is the time and date the external secret was fetched and
  1431. the target secret updated
  1432. format: date-time
  1433. nullable: true
  1434. type: string
  1435. syncedResourceVersion:
  1436. description: SyncedResourceVersion keeps track of the last synced
  1437. version
  1438. type: string
  1439. type: object
  1440. type: object
  1441. served: false
  1442. storage: false
  1443. subresources:
  1444. status: {}