provider.external-secrets.io_secretsmanagers.yaml 15 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315
  1. apiVersion: apiextensions.k8s.io/v1
  2. kind: CustomResourceDefinition
  3. metadata:
  4. annotations:
  5. controller-gen.kubebuilder.io/version: v0.19.0
  6. name: secretsmanagers.provider.external-secrets.io
  7. spec:
  8. group: provider.external-secrets.io
  9. names:
  10. categories:
  11. - externalsecrets
  12. kind: SecretsManager
  13. listKind: SecretsManagerList
  14. plural: secretsmanagers
  15. shortNames:
  16. - sm
  17. singular: secretsmanager
  18. scope: Namespaced
  19. versions:
  20. - additionalPrinterColumns:
  21. - jsonPath: .spec.region
  22. name: Region
  23. type: string
  24. - jsonPath: .metadata.creationTimestamp
  25. name: Age
  26. type: date
  27. name: v2alpha1
  28. schema:
  29. openAPIV3Schema:
  30. description: SecretsManager is the Schema for AWS Secrets Manager provider
  31. configuration.
  32. properties:
  33. apiVersion:
  34. description: |-
  35. APIVersion defines the versioned schema of this representation of an object.
  36. Servers should convert recognized schemas to the latest internal value, and
  37. may reject unrecognized values.
  38. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  39. type: string
  40. kind:
  41. description: |-
  42. Kind is a string value representing the REST resource this object represents.
  43. Servers may infer this from the endpoint the client submits requests to.
  44. Cannot be updated.
  45. In CamelCase.
  46. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  47. type: string
  48. metadata:
  49. type: object
  50. spec:
  51. description: SecretsManagerSpec defines the desired state of SecretsManager.
  52. properties:
  53. additionalRoles:
  54. description: AdditionalRoles is a chained list of Role ARNs which
  55. the provider will sequentially assume before assuming the Role
  56. items:
  57. type: string
  58. type: array
  59. auth:
  60. description: |-
  61. Auth defines the information necessary to authenticate against AWS
  62. if not set aws sdk will infer credentials from your environment
  63. see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
  64. properties:
  65. jwt:
  66. description: AWSJWTAuth stores reference to Authenticate against
  67. AWS using service account tokens.
  68. properties:
  69. serviceAccountRef:
  70. description: ServiceAccountSelector is a reference to a ServiceAccount
  71. resource.
  72. properties:
  73. audiences:
  74. description: |-
  75. Audience specifies the `aud` claim for the service account token
  76. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  77. then this audiences will be appended to the list
  78. items:
  79. type: string
  80. type: array
  81. name:
  82. description: The name of the ServiceAccount resource being
  83. referred to.
  84. maxLength: 253
  85. minLength: 1
  86. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  87. type: string
  88. namespace:
  89. description: |-
  90. Namespace of the resource being referred to.
  91. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  92. maxLength: 63
  93. minLength: 1
  94. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  95. type: string
  96. required:
  97. - name
  98. type: object
  99. type: object
  100. secretRef:
  101. description: |-
  102. AWSAuthSecretRef holds secret references for AWS credentials
  103. both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  104. properties:
  105. accessKeyIDSecretRef:
  106. description: The AccessKeyID is used for authentication
  107. properties:
  108. key:
  109. description: |-
  110. A key in the referenced Secret.
  111. Some instances of this field may be defaulted, in others it may be required.
  112. maxLength: 253
  113. minLength: 1
  114. pattern: ^[-._a-zA-Z0-9]+$
  115. type: string
  116. name:
  117. description: The name of the Secret resource being referred
  118. to.
  119. maxLength: 253
  120. minLength: 1
  121. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  122. type: string
  123. namespace:
  124. description: |-
  125. The namespace of the Secret resource being referred to.
  126. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  127. maxLength: 63
  128. minLength: 1
  129. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  130. type: string
  131. type: object
  132. secretAccessKeySecretRef:
  133. description: The SecretAccessKey is used for authentication
  134. properties:
  135. key:
  136. description: |-
  137. A key in the referenced Secret.
  138. Some instances of this field may be defaulted, in others it may be required.
  139. maxLength: 253
  140. minLength: 1
  141. pattern: ^[-._a-zA-Z0-9]+$
  142. type: string
  143. name:
  144. description: The name of the Secret resource being referred
  145. to.
  146. maxLength: 253
  147. minLength: 1
  148. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  149. type: string
  150. namespace:
  151. description: |-
  152. The namespace of the Secret resource being referred to.
  153. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  154. maxLength: 63
  155. minLength: 1
  156. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  157. type: string
  158. type: object
  159. sessionTokenSecretRef:
  160. description: |-
  161. The SessionToken used for authentication
  162. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  163. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  164. properties:
  165. key:
  166. description: |-
  167. A key in the referenced Secret.
  168. Some instances of this field may be defaulted, in others it may be required.
  169. maxLength: 253
  170. minLength: 1
  171. pattern: ^[-._a-zA-Z0-9]+$
  172. type: string
  173. name:
  174. description: The name of the Secret resource being referred
  175. to.
  176. maxLength: 253
  177. minLength: 1
  178. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  179. type: string
  180. namespace:
  181. description: |-
  182. The namespace of the Secret resource being referred to.
  183. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  184. maxLength: 63
  185. minLength: 1
  186. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  187. type: string
  188. type: object
  189. type: object
  190. type: object
  191. externalID:
  192. description: AWS External ID set on assumed IAM roles
  193. type: string
  194. prefix:
  195. description: Prefix adds a prefix to all retrieved values.
  196. type: string
  197. region:
  198. description: AWS Region to be used for the provider
  199. type: string
  200. role:
  201. description: Role is a Role ARN which the provider will assume
  202. type: string
  203. secretsManager:
  204. description: SecretsManager defines how the provider behaves when
  205. interacting with AWS SecretsManager
  206. properties:
  207. forceDeleteWithoutRecovery:
  208. description: |-
  209. Specifies whether to delete the secret without any recovery window. You
  210. can't use both this parameter and RecoveryWindowInDays in the same call.
  211. If you don't use either, then by default Secrets Manager uses a 30 day
  212. recovery window.
  213. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery
  214. type: boolean
  215. recoveryWindowInDays:
  216. description: |-
  217. The number of days from 7 to 30 that Secrets Manager waits before
  218. permanently deleting the secret. You can't use both this parameter and
  219. ForceDeleteWithoutRecovery in the same call. If you don't use either,
  220. then by default Secrets Manager uses a 30-day recovery window.
  221. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays
  222. type: integer
  223. type: object
  224. sessionTags:
  225. description: AWS STS assume role session tags
  226. items:
  227. description: |-
  228. Tag is a key-value pair that can be attached to an AWS resource.
  229. see: https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html
  230. properties:
  231. key:
  232. type: string
  233. value:
  234. type: string
  235. required:
  236. - key
  237. - value
  238. type: object
  239. type: array
  240. transitiveTagKeys:
  241. description: AWS STS assume role transitive session tags. Required
  242. when multiple rules are used with the provider
  243. items:
  244. type: string
  245. type: array
  246. required:
  247. - region
  248. type: object
  249. status:
  250. description: SecretsManagerStatus defines the observed state of SecretsManager.
  251. properties:
  252. conditions:
  253. description: Conditions represent the latest available observations
  254. of the resource's state.
  255. items:
  256. description: Condition contains details for one aspect of the current
  257. state of this API Resource.
  258. properties:
  259. lastTransitionTime:
  260. description: |-
  261. lastTransitionTime is the last time the condition transitioned from one status to another.
  262. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
  263. format: date-time
  264. type: string
  265. message:
  266. description: |-
  267. message is a human readable message indicating details about the transition.
  268. This may be an empty string.
  269. maxLength: 32768
  270. type: string
  271. observedGeneration:
  272. description: |-
  273. observedGeneration represents the .metadata.generation that the condition was set based upon.
  274. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
  275. with respect to the current state of the instance.
  276. format: int64
  277. minimum: 0
  278. type: integer
  279. reason:
  280. description: |-
  281. reason contains a programmatic identifier indicating the reason for the condition's last transition.
  282. Producers of specific condition types may define expected values and meanings for this field,
  283. and whether the values are considered a guaranteed API.
  284. The value should be a CamelCase string.
  285. This field may not be empty.
  286. maxLength: 1024
  287. minLength: 1
  288. pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
  289. type: string
  290. status:
  291. description: status of the condition, one of True, False, Unknown.
  292. enum:
  293. - "True"
  294. - "False"
  295. - Unknown
  296. type: string
  297. type:
  298. description: type of condition in CamelCase or in foo.example.com/CamelCase.
  299. maxLength: 316
  300. pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
  301. type: string
  302. required:
  303. - lastTransitionTime
  304. - message
  305. - reason
  306. - status
  307. - type
  308. type: object
  309. type: array
  310. type: object
  311. type: object
  312. served: true
  313. storage: true
  314. subresources:
  315. status: {}