generators.external-secrets.io_vaultdynamicsecrets.yaml 58 KB

  1. apiVersion: apiextensions.k8s.io/v1
  2. kind: CustomResourceDefinition
  3. metadata:
  4. annotations:
  5. controller-gen.kubebuilder.io/version: v0.19.0
  6. labels:
  7. external-secrets.io/component: controller
  8. name: vaultdynamicsecrets.generators.external-secrets.io
  9. spec:
  10. group: generators.external-secrets.io
  11. names:
  12. categories:
  13. - external-secrets
  14. - external-secrets-generators
  15. kind: VaultDynamicSecret
  16. listKind: VaultDynamicSecretList
  17. plural: vaultdynamicsecrets
  18. singular: vaultdynamicsecret
  19. scope: Namespaced
  20. versions:
  21. - name: v1alpha1
  22. schema:
  23. openAPIV3Schema:
  24. description: VaultDynamicSecret represents a generator that can create dynamic
  25. secrets from HashiCorp Vault.
  26. properties:
  27. apiVersion:
  28. description: |-
  29. APIVersion defines the versioned schema of this representation of an object.
  30. Servers should convert recognized schemas to the latest internal value, and
  31. may reject unrecognized values.
  32. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  33. type: string
  34. kind:
  35. description: |-
  36. Kind is a string value representing the REST resource this object represents.
  37. Servers may infer this from the endpoint the client submits requests to.
  38. Cannot be updated.
  39. In CamelCase.
  40. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  41. type: string
  42. metadata:
  43. type: object
  44. spec:
  45. description: VaultDynamicSecretSpec defines the desired spec of VaultDynamicSecret.
  46. properties:
  47. allowEmptyResponse:
  48. default: false
  49. description: Do not fail if no secrets are found. Useful for requests
  50. where no data is expected.
  51. type: boolean
  52. controller:
  53. description: |-
  54. Used to select the correct ESO controller (think: ingress.ingressClassName)
  55. The ESO controller is instantiated with a specific controller name and filters VDS based on this property
  56. type: string
  57. method:
  58. description: Vault API method to use (GET/POST/other)
  59. type: string
  60. parameters:
  61. description: Parameters to pass to Vault write (for non-GET methods)
  62. x-kubernetes-preserve-unknown-fields: true
  63. path:
  64. description: Vault path to obtain the dynamic secret from
  65. type: string
  66. provider:
  67. description: Vault provider common spec
  68. properties:
  69. auth:
  70. description: Auth configures how secret-manager authenticates
  71. with the Vault server.
  72. properties:
  73. appRole:
  74. description: |-
  75. AppRole authenticates with Vault using the App Role auth mechanism,
  76. with the role and secret stored in a Kubernetes Secret resource.
  77. properties:
  78. path:
  79. default: approle
  80. description: |-
  81. Path where the App Role authentication backend is mounted
  82. in Vault, e.g: "approle"
  83. type: string
  84. roleId:
  85. description: |-
  86. RoleID configured in the App Role authentication backend when setting
  87. up the authentication backend in Vault.
  88. type: string
  89. roleRef:
  90. description: |-
  91. Reference to a key in a Secret that contains the App Role ID used
  92. to authenticate with Vault.
  93. The `key` field must be specified and denotes which entry within the Secret
  94. resource is used as the app role id.
  95. properties:
  96. key:
  97. description: |-
  98. A key in the referenced Secret.
  99. Some instances of this field may be defaulted, in others it may be required.
  100. maxLength: 253
  101. minLength: 1
  102. pattern: ^[-._a-zA-Z0-9]+$
  103. type: string
  104. name:
  105. description: The name of the Secret resource being
  106. referred to.
  107. maxLength: 253
  108. minLength: 1
  109. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  110. type: string
  111. namespace:
  112. description: |-
  113. The namespace of the Secret resource being referred to.
  114. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  115. maxLength: 63
  116. minLength: 1
  117. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  118. type: string
  119. type: object
  120. secretRef:
  121. description: |-
  122. Reference to a key in a Secret that contains the App Role secret used
  123. to authenticate with Vault.
  124. The `key` field must be specified and denotes which entry within the Secret
  125. resource is used as the app role secret.
  126. properties:
  127. key:
  128. description: |-
  129. A key in the referenced Secret.
  130. Some instances of this field may be defaulted, in others it may be required.
  131. maxLength: 253
  132. minLength: 1
  133. pattern: ^[-._a-zA-Z0-9]+$
  134. type: string
  135. name:
  136. description: The name of the Secret resource being
  137. referred to.
  138. maxLength: 253
  139. minLength: 1
  140. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  141. type: string
  142. namespace:
  143. description: |-
  144. The namespace of the Secret resource being referred to.
  145. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  146. maxLength: 63
  147. minLength: 1
  148. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  149. type: string
  150. type: object
  151. required:
  152. - path
  153. - secretRef
  154. type: object
  155. cert:
  156. description: |-
  157. Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
  158. Cert authentication method
  159. properties:
  160. clientCert:
  161. description: |-
  162. ClientCert is a certificate to authenticate using the Cert Vault
  163. authentication method
  164. properties:
  165. key:
  166. description: |-
  167. A key in the referenced Secret.
  168. Some instances of this field may be defaulted, in others it may be required.
  169. maxLength: 253
  170. minLength: 1
  171. pattern: ^[-._a-zA-Z0-9]+$
  172. type: string
  173. name:
  174. description: The name of the Secret resource being
  175. referred to.
  176. maxLength: 253
  177. minLength: 1
  178. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  179. type: string
  180. namespace:
  181. description: |-
  182. The namespace of the Secret resource being referred to.
  183. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  184. maxLength: 63
  185. minLength: 1
  186. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  187. type: string
  188. type: object
  189. path:
  190. default: cert
  191. description: |-
  192. Path where the Certificate authentication backend is mounted
  193. in Vault, e.g: "cert"
  194. type: string
  195. secretRef:
  196. description: |-
  197. SecretRef to a key in a Secret resource containing client private key to
  198. authenticate with Vault using the Cert authentication method
  199. properties:
  200. key:
  201. description: |-
  202. A key in the referenced Secret.
  203. Some instances of this field may be defaulted, in others it may be required.
  204. maxLength: 253
  205. minLength: 1
  206. pattern: ^[-._a-zA-Z0-9]+$
  207. type: string
  208. name:
  209. description: The name of the Secret resource being
  210. referred to.
  211. maxLength: 253
  212. minLength: 1
  213. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  214. type: string
  215. namespace:
  216. description: |-
  217. The namespace of the Secret resource being referred to.
  218. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  219. maxLength: 63
  220. minLength: 1
  221. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  222. type: string
  223. type: object
  224. vaultRole:
  225. description: VaultRole specifies the Vault role to use
  226. for TLS certificate authentication.
  227. type: string
  228. type: object
  229. gcp:
  230. description: |-
  231. Gcp authenticates with Vault using Google Cloud Platform authentication method
  232. GCP authentication method
  233. properties:
  234. location:
  235. description: Location optionally defines a location/region
  236. for the secret
  237. type: string
  238. path:
  239. default: gcp
  240. description: 'Path where the GCP auth method is enabled
  241. in Vault, e.g: "gcp"'
  242. type: string
  243. projectID:
  244. description: Project ID of the Google Cloud Platform project
  245. type: string
  246. role:
  247. description: Vault Role. In Vault, a role describes an
  248. identity with a set of permissions, groups, or policies
  249. you want to attach to a user of the secrets engine.
  250. type: string
  251. secretRef:
  252. description: Specify credentials in a Secret object
  253. properties:
  254. secretAccessKeySecretRef:
  255. description: The SecretAccessKey is used for authentication
  256. properties:
  257. key:
  258. description: |-
  259. A key in the referenced Secret.
  260. Some instances of this field may be defaulted, in others it may be required.
  261. maxLength: 253
  262. minLength: 1
  263. pattern: ^[-._a-zA-Z0-9]+$
  264. type: string
  265. name:
  266. description: The name of the Secret resource being
  267. referred to.
  268. maxLength: 253
  269. minLength: 1
  270. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  271. type: string
  272. namespace:
  273. description: |-
  274. The namespace of the Secret resource being referred to.
  275. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  276. maxLength: 63
  277. minLength: 1
  278. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  279. type: string
  280. type: object
  281. type: object
  282. serviceAccountRef:
  283. description: ServiceAccountRef to a service account for
  284. impersonation
  285. properties:
  286. audiences:
  287. description: |-
  288. Audience specifies the `aud` claim for the service account token
  289. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  290. then these audiences will be appended to the list
  291. items:
  292. type: string
  293. type: array
  294. name:
  295. description: The name of the ServiceAccount resource
  296. being referred to.
  297. maxLength: 253
  298. minLength: 1
  299. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  300. type: string
  301. namespace:
  302. description: |-
  303. Namespace of the resource being referred to.
  304. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  305. maxLength: 63
  306. minLength: 1
  307. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  308. type: string
  309. required:
  310. - name
  311. type: object
  312. workloadIdentity:
  313. description: Specify a service account with Workload Identity
  314. properties:
  315. clusterLocation:
  316. description: |-
  317. ClusterLocation is the location of the cluster
  318. If not specified, it fetches information from the metadata server
  319. type: string
  320. clusterName:
  321. description: |-
  322. ClusterName is the name of the cluster
  323. If not specified, it fetches information from the metadata server
  324. type: string
  325. clusterProjectID:
  326. description: |-
  327. ClusterProjectID is the project ID of the cluster
  328. If not specified, it fetches information from the metadata server
  329. type: string
  330. serviceAccountRef:
  331. description: ServiceAccountSelector is a reference
  332. to a ServiceAccount resource.
  333. properties:
  334. audiences:
  335. description: |-
  336. Audience specifies the `aud` claim for the service account token
  337. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  338. then these audiences will be appended to the list
  339. items:
  340. type: string
  341. type: array
  342. name:
  343. description: The name of the ServiceAccount resource
  344. being referred to.
  345. maxLength: 253
  346. minLength: 1
  347. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  348. type: string
  349. namespace:
  350. description: |-
  351. Namespace of the resource being referred to.
  352. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  353. maxLength: 63
  354. minLength: 1
  355. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  356. type: string
  357. required:
  358. - name
  359. type: object
  360. required:
  361. - serviceAccountRef
  362. type: object
  363. required:
  364. - role
  365. type: object
  366. iam:
  367. description: |-
  368. Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials
  369. AWS IAM authentication method
  370. properties:
  371. externalID:
  372. description: AWS External ID set on assumed IAM roles
  373. type: string
  374. jwt:
  375. description: Specify a service account with IRSA enabled
  376. properties:
  377. serviceAccountRef:
  378. description: ServiceAccountSelector is a reference
  379. to a ServiceAccount resource.
  380. properties:
  381. audiences:
  382. description: |-
  383. Audience specifies the `aud` claim for the service account token
  384. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  385. then these audiences will be appended to the list
  386. items:
  387. type: string
  388. type: array
  389. name:
  390. description: The name of the ServiceAccount resource
  391. being referred to.
  392. maxLength: 253
  393. minLength: 1
  394. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  395. type: string
  396. namespace:
  397. description: |-
  398. Namespace of the resource being referred to.
  399. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  400. maxLength: 63
  401. minLength: 1
  402. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  403. type: string
  404. required:
  405. - name
  406. type: object
  407. type: object
  408. path:
  409. description: 'Path where the AWS auth method is enabled
  410. in Vault, e.g: "aws"'
  411. type: string
  412. region:
  413. description: AWS region
  414. type: string
  415. role:
  416. description: This is the AWS role to be assumed before
  417. talking to vault
  418. type: string
  419. secretRef:
  420. description: Specify credentials in a Secret object
  421. properties:
  422. accessKeyIDSecretRef:
  423. description: The AccessKeyID is used for authentication
  424. properties:
  425. key:
  426. description: |-
  427. A key in the referenced Secret.
  428. Some instances of this field may be defaulted, in others it may be required.
  429. maxLength: 253
  430. minLength: 1
  431. pattern: ^[-._a-zA-Z0-9]+$
  432. type: string
  433. name:
  434. description: The name of the Secret resource being
  435. referred to.
  436. maxLength: 253
  437. minLength: 1
  438. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  439. type: string
  440. namespace:
  441. description: |-
  442. The namespace of the Secret resource being referred to.
  443. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  444. maxLength: 63
  445. minLength: 1
  446. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  447. type: string
  448. type: object
  449. secretAccessKeySecretRef:
  450. description: The SecretAccessKey is used for authentication
  451. properties:
  452. key:
  453. description: |-
  454. A key in the referenced Secret.
  455. Some instances of this field may be defaulted, in others it may be required.
  456. maxLength: 253
  457. minLength: 1
  458. pattern: ^[-._a-zA-Z0-9]+$
  459. type: string
  460. name:
  461. description: The name of the Secret resource being
  462. referred to.
  463. maxLength: 253
  464. minLength: 1
  465. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  466. type: string
  467. namespace:
  468. description: |-
  469. The namespace of the Secret resource being referred to.
  470. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  471. maxLength: 63
  472. minLength: 1
  473. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  474. type: string
  475. type: object
  476. sessionTokenSecretRef:
  477. description: |-
  478. The SessionToken used for authentication
  479. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  480. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  481. properties:
  482. key:
  483. description: |-
  484. A key in the referenced Secret.
  485. Some instances of this field may be defaulted, in others it may be required.
  486. maxLength: 253
  487. minLength: 1
  488. pattern: ^[-._a-zA-Z0-9]+$
  489. type: string
  490. name:
  491. description: The name of the Secret resource being
  492. referred to.
  493. maxLength: 253
  494. minLength: 1
  495. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  496. type: string
  497. namespace:
  498. description: |-
  499. The namespace of the Secret resource being referred to.
  500. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  501. maxLength: 63
  502. minLength: 1
  503. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  504. type: string
  505. type: object
  506. type: object
  507. vaultAwsIamServerID:
  508. description: 'X-Vault-AWS-IAM-Server-ID is an additional
  509. header used by Vault IAM auth method to mitigate against
  510. different types of replay attacks. More details here:
  511. https://developer.hashicorp.com/vault/docs/auth/aws'
  512. type: string
  513. vaultRole:
  514. description: Vault Role. In vault, a role describes an
  515. identity with a set of permissions, groups, or policies
  516. you want to attach to a user of the secrets engine
  517. type: string
  518. required:
  519. - vaultRole
  520. type: object
  521. jwt:
  522. description: |-
  523. Jwt authenticates with Vault by passing role and JWT token using the
  524. JWT/OIDC authentication method
  525. properties:
  526. kubernetesServiceAccountToken:
  527. description: |-
  528. Optional ServiceAccountToken specifies the Kubernetes service account for which to request
  529. a token for with the `TokenRequest` API.
  530. properties:
  531. audiences:
  532. description: |-
  533. Optional audiences field that will be used to request a temporary Kubernetes service
  534. account token for the service account referenced by `serviceAccountRef`.
  535. Defaults to a single audience `vault` if not specified.
  536. Deprecated: use serviceAccountRef.Audiences instead
  537. items:
  538. type: string
  539. type: array
  540. expirationSeconds:
  541. description: |-
  542. Optional expiration time in seconds that will be used to request a temporary
  543. Kubernetes service account token for the service account referenced by
  544. `serviceAccountRef`.
  545. Deprecated: this will be removed in the future.
  546. Defaults to 10 minutes.
  547. type: integer
  548. serviceAccountRef:
  549. description: Service account field containing the
  550. name of a kubernetes ServiceAccount.
  551. properties:
  552. audiences:
  553. description: |-
  554. Audience specifies the `aud` claim for the service account token
  555. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  556. then these audiences will be appended to the list
  557. items:
  558. type: string
  559. type: array
  560. name:
  561. description: The name of the ServiceAccount resource
  562. being referred to.
  563. maxLength: 253
  564. minLength: 1
  565. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  566. type: string
  567. namespace:
  568. description: |-
  569. Namespace of the resource being referred to.
  570. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  571. maxLength: 63
  572. minLength: 1
  573. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  574. type: string
  575. required:
  576. - name
  577. type: object
  578. required:
  579. - serviceAccountRef
  580. type: object
  581. path:
  582. default: jwt
  583. description: |-
  584. Path where the JWT authentication backend is mounted
  585. in Vault, e.g: "jwt"
  586. type: string
  587. role:
  588. description: |-
  589. Role is a JWT role to authenticate using the JWT/OIDC Vault
  590. authentication method
  591. type: string
  592. secretRef:
  593. description: |-
  594. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  595. authenticate with Vault using the JWT/OIDC authentication method.
  596. properties:
  597. key:
  598. description: |-
  599. A key in the referenced Secret.
  600. Some instances of this field may be defaulted, in others it may be required.
  601. maxLength: 253
  602. minLength: 1
  603. pattern: ^[-._a-zA-Z0-9]+$
  604. type: string
  605. name:
  606. description: The name of the Secret resource being
  607. referred to.
  608. maxLength: 253
  609. minLength: 1
  610. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  611. type: string
  612. namespace:
  613. description: |-
  614. The namespace of the Secret resource being referred to.
  615. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  616. maxLength: 63
  617. minLength: 1
  618. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  619. type: string
  620. type: object
  621. required:
  622. - path
  623. type: object
  624. kubernetes:
  625. description: |-
  626. Kubernetes authenticates with Vault by passing the ServiceAccount
  627. token stored in the named Secret resource to the Vault server.
  628. properties:
  629. mountPath:
  630. default: kubernetes
  631. description: |-
  632. Path where the Kubernetes authentication backend is mounted in Vault, e.g:
  633. "kubernetes"
  634. type: string
  635. role:
  636. description: |-
  637. A required field containing the Vault Role to assume. A Role binds a
  638. Kubernetes ServiceAccount with a set of Vault policies.
  639. type: string
  640. secretRef:
  641. description: |-
  642. Optional secret field containing a Kubernetes ServiceAccount JWT used
  643. for authenticating with Vault. If a name is specified without a key,
  644. `token` is the default. If one is not specified, the one bound to
  645. the controller will be used.
  646. properties:
  647. key:
  648. description: |-
  649. A key in the referenced Secret.
  650. Some instances of this field may be defaulted, in others it may be required.
  651. maxLength: 253
  652. minLength: 1
  653. pattern: ^[-._a-zA-Z0-9]+$
  654. type: string
  655. name:
  656. description: The name of the Secret resource being
  657. referred to.
  658. maxLength: 253
  659. minLength: 1
  660. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  661. type: string
  662. namespace:
  663. description: |-
  664. The namespace of the Secret resource being referred to.
  665. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  666. maxLength: 63
  667. minLength: 1
  668. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  669. type: string
  670. type: object
  671. serviceAccountRef:
  672. description: |-
  673. Optional service account field containing the name of a kubernetes ServiceAccount.
  674. If the service account is specified, the service account secret token JWT will be used
  675. for authenticating with Vault. If the service account selector is not supplied,
  676. the secretRef will be used instead.
  677. properties:
  678. audiences:
  679. description: |-
  680. Audience specifies the `aud` claim for the service account token
  681. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  682. then these audiences will be appended to the list
  683. items:
  684. type: string
  685. type: array
  686. name:
  687. description: The name of the ServiceAccount resource
  688. being referred to.
  689. maxLength: 253
  690. minLength: 1
  691. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  692. type: string
  693. namespace:
  694. description: |-
  695. Namespace of the resource being referred to.
  696. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  697. maxLength: 63
  698. minLength: 1
  699. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  700. type: string
  701. required:
  702. - name
  703. type: object
  704. required:
  705. - mountPath
  706. - role
  707. type: object
  708. ldap:
  709. description: |-
  710. Ldap authenticates with Vault by passing username/password pair using
  711. the LDAP authentication method
  712. properties:
  713. path:
  714. default: ldap
  715. description: |-
  716. Path where the LDAP authentication backend is mounted
  717. in Vault, e.g: "ldap"
  718. type: string
  719. secretRef:
  720. description: |-
  721. SecretRef to a key in a Secret resource containing password for the LDAP
  722. user used to authenticate with Vault using the LDAP authentication
  723. method
  724. properties:
  725. key:
  726. description: |-
  727. A key in the referenced Secret.
  728. Some instances of this field may be defaulted, in others it may be required.
  729. maxLength: 253
  730. minLength: 1
  731. pattern: ^[-._a-zA-Z0-9]+$
  732. type: string
  733. name:
  734. description: The name of the Secret resource being
  735. referred to.
  736. maxLength: 253
  737. minLength: 1
  738. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  739. type: string
  740. namespace:
  741. description: |-
  742. The namespace of the Secret resource being referred to.
  743. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  744. maxLength: 63
  745. minLength: 1
  746. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  747. type: string
  748. type: object
  749. username:
  750. description: |-
  751. Username is an LDAP username used to authenticate using the LDAP Vault
  752. authentication method
  753. type: string
  754. required:
  755. - path
  756. - username
  757. type: object
  758. namespace:
  759. description: |-
  760. Name of the vault namespace to authenticate to. This can be different from the namespace your secret is in.
  761. Namespaces is a set of features within Vault Enterprise that allows
  762. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  763. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  764. This will default to Vault.Namespace field if set, or empty otherwise
  765. type: string
  766. tokenSecretRef:
  767. description: TokenSecretRef authenticates with Vault by presenting
  768. a token.
  769. properties:
  770. key:
  771. description: |-
  772. A key in the referenced Secret.
  773. Some instances of this field may be defaulted, in others it may be required.
  774. maxLength: 253
  775. minLength: 1
  776. pattern: ^[-._a-zA-Z0-9]+$
  777. type: string
  778. name:
  779. description: The name of the Secret resource being referred
  780. to.
  781. maxLength: 253
  782. minLength: 1
  783. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  784. type: string
  785. namespace:
  786. description: |-
  787. The namespace of the Secret resource being referred to.
  788. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  789. maxLength: 63
  790. minLength: 1
  791. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  792. type: string
  793. type: object
  794. userPass:
  795. description: UserPass authenticates with Vault by passing
  796. username/password pair
  797. properties:
  798. path:
  799. default: userpass
  800. description: |-
  801. Path where the UserPassword authentication backend is mounted
  802. in Vault, e.g: "userpass"
  803. type: string
  804. secretRef:
  805. description: |-
  806. SecretRef to a key in a Secret resource containing password for the
  807. user used to authenticate with Vault using the UserPass authentication
  808. method
  809. properties:
  810. key:
  811. description: |-
  812. A key in the referenced Secret.
  813. Some instances of this field may be defaulted, in others it may be required.
  814. maxLength: 253
  815. minLength: 1
  816. pattern: ^[-._a-zA-Z0-9]+$
  817. type: string
  818. name:
  819. description: The name of the Secret resource being
  820. referred to.
  821. maxLength: 253
  822. minLength: 1
  823. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  824. type: string
  825. namespace:
  826. description: |-
  827. The namespace of the Secret resource being referred to.
  828. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  829. maxLength: 63
  830. minLength: 1
  831. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  832. type: string
  833. type: object
  834. username:
  835. description: |-
  836. Username is a username used to authenticate using the UserPass Vault
  837. authentication method
  838. type: string
  839. required:
  840. - path
  841. - username
  842. type: object
  843. type: object
  844. caBundle:
  845. description: |-
  846. PEM encoded CA bundle used to validate the Vault server certificate. Only used
  847. if the Server URL uses the HTTPS protocol; it is ignored for plain HTTP connections,
  848. which provide no server authentication or encryption at all. If not set, the system
  849. root certificates are used to validate the TLS connection.
  850. format: byte
  851. type: string
  852. caProvider:
  853. description: The provider for the CA bundle to use to validate
  854. Vault server certificate.
  855. properties:
  856. key:
  857. description: The key where the CA certificate can be found
  858. in the Secret or ConfigMap.
  859. maxLength: 253
  860. minLength: 1
  861. pattern: ^[-._a-zA-Z0-9]+$
  862. type: string
  863. name:
  864. description: The name of the object located at the provider
  865. type.
  866. maxLength: 253
  867. minLength: 1
  868. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  869. type: string
  870. namespace:
  871. description: |-
  872. The namespace the Provider type is in.
  873. Can only be defined when used in a ClusterSecretStore.
  874. maxLength: 63
  875. minLength: 1
  876. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  877. type: string
  878. type:
  879. description: The type of provider to use such as "Secret",
  880. or "ConfigMap".
  881. enum:
  882. - Secret
  883. - ConfigMap
  884. type: string
  885. required:
  886. - name
  887. - type
  888. type: object
  889. checkAndSet:
  890. description: |-
  891. CheckAndSet defines the Check-And-Set (CAS) settings for PushSecret operations.
  892. Only applies to Vault KV v2 stores. When enabled, write operations must include
  893. the current version of the secret to prevent unintentional overwrites.
  894. properties:
  895. required:
  896. description: |-
  897. When true, every write must carry a check-and-set parameter holding the current version,
  898. so a write that does not know the current version cannot silently overwrite the secret.
  899. type: boolean
  900. type: object
  901. forwardInconsistent:
  902. description: |-
  903. ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
  904. leader instead of simply retrying within a loop. This only improves performance when
  905. the corresponding option is also enabled server-side, see
  906. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  907. type: boolean
  908. headers:
  909. additionalProperties:
  910. type: string
  911. description: Additional HTTP headers sent with every request to Vault. Values are stored in plaintext in this resource, so do not put credentials here; use the auth section instead.
  912. type: object
  913. namespace:
  914. description: |-
  915. Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
  916. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  917. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  918. type: string
  919. path:
  920. description: |-
  921. Path is the mount path of the Vault KV backend endpoint, e.g:
  922. "secret". The v2 KV secret engine version specific "/data" path suffix
  923. for fetching secrets from Vault is optional and will be appended
  924. if not present in specified path.
  925. type: string
  926. readYourWrites:
  927. description: |-
  928. ReadYourWrites ensures isolated read-after-write semantics by
  929. providing discovered cluster replication states in each request.
  930. More information about eventual consistency in Vault can be found here
  931. https://www.vaultproject.io/docs/enterprise/consistency
  932. type: boolean
  933. server:
  934. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200". Use an https:// URL: with plain http:// the caBundle, caProvider and tls settings are ignored
  935. and the Vault token and fetched secrets travel unencrypted.'
  936. type: string
  937. tls:
  938. description: |-
  939. The configuration used for client side related TLS communication, when the Vault server
  940. requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
  941. This parameter is ignored for plain HTTP protocol connection.
  942. It's worth noting this configuration is different from the "TLS certificates auth method",
  943. which is available under the `auth.cert` section.
  944. properties:
  945. certSecretRef:
  946. description: |-
  947. CertSecretRef points to a Secret holding the client certificate presented to the Vault server
  948. for mutual TLS (distinct from the auth.cert login method).
  949. If no key for the Secret is specified, external-secret will default to 'tls.crt'.
  950. properties:
  951. key:
  952. description: |-
  953. A key in the referenced Secret.
  954. Some instances of this field may be defaulted, in others it may be required.
  955. maxLength: 253
  956. minLength: 1
  957. pattern: ^[-._a-zA-Z0-9]+$
  958. type: string
  959. name:
  960. description: The name of the Secret resource being referred
  961. to.
  962. maxLength: 253
  963. minLength: 1
  964. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  965. type: string
  966. namespace:
  967. description: |-
  968. The namespace of the Secret resource being referred to.
  969. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  970. maxLength: 63
  971. minLength: 1
  972. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  973. type: string
  974. type: object
  975. keySecretRef:
  976. description: |-
  977. KeySecretRef to a key in a Secret resource containing client private key
  978. added to the transport layer when communicating with the Vault server.
  979. If no key for the Secret is specified, external-secret will default to 'tls.key'.
  980. properties:
  981. key:
  982. description: |-
  983. A key in the referenced Secret.
  984. Some instances of this field may be defaulted, in others it may be required.
  985. maxLength: 253
  986. minLength: 1
  987. pattern: ^[-._a-zA-Z0-9]+$
  988. type: string
  989. name:
  990. description: The name of the Secret resource being referred
  991. to.
  992. maxLength: 253
  993. minLength: 1
  994. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  995. type: string
  996. namespace:
  997. description: |-
  998. The namespace of the Secret resource being referred to.
  999. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  1000. maxLength: 63
  1001. minLength: 1
  1002. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  1003. type: string
  1004. type: object
  1005. type: object
  1006. version:
  1007. default: v2
  1008. description: |-
  1009. Version is the Vault KV secret engine version. This can be either "v1" or
  1010. "v2". Version defaults to "v2".
  1011. enum:
  1012. - v1
  1013. - v2
  1014. type: string
  1015. required:
  1016. - server
  1017. type: object
  1018. resultType:
  1019. default: Data
  1020. description: |-
  1021. Result type defines which data is returned from the generator.
  1022. By default, it is the "data" section of the Vault API response.
  1023. When using e.g. /auth/token/create the "data" section is empty but
  1024. the "auth" section contains the generated token.
  1025. Please refer to the vault docs regarding the result data structure.
  1026. Additionally, the raw response can be accessed by using the "Raw" result type; note that it carries the whole response, including any token in the "auth" section.
  1027. enum:
  1028. - Data
  1029. - Auth
  1030. - Raw
  1031. type: string
  1032. retrySettings:
  1033. description: Configures HTTP retry behaviour for failed requests to Vault; see maxRetries and retryInterval.
  1034. properties:
  1035. maxRetries:
  1036. type: integer
  1037. retryInterval:
  1038. type: string
  1039. type: object
  1040. required:
  1041. - path
  1042. - provider
  1043. type: object
  1044. type: object
  1045. served: true
  1046. storage: true
  1047. subresources:
  1048. status: {}