generators.external-secrets.io_clustergenerators.yaml 127 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391139213931394139513961397139813991400140114021403140414051406140714081409141014111412141314141415141614171418141914201421142214231424142514261427142814291430143114321433143414351436143714381439144014411442144314441445144614471448144914501451145214531454145514561457145814591460146114621463146414651466146714681469147014711472147314741475147614771478147914801481148214831484148514861487148814891490149114921493149414951496149714981499150015011502150315041505150615071508150915101511151215131514151515161517151815191520152115221523152415251526152715281529153015311532153315341535153615371538153915401541154215431544154515461547154815491550155115521553155415551556155715581559156015611562156315641565156615671568156915701571157215731574157515761577157815791580158115821583158415851586158715881589159015911592159315941595159615971598159916001601160216031604160516061607160816091610161116121613161416151616161716181619162016211622162316241625162616271628162916301631163216331634163516361637163816391640164116421643164416451646164716481649165016511652165316541655165616571658165916601661166216631664166516661667166816691670167116721673167416751676167716781679168016811682168316841685168616871688168916901691169216931694169516961697169816991700170117021703170417051706170717081709171017111712171317141715171617171718171917201721172217231724172517261727172817291730173117321733173417351736173717381739174017411742174317441745174617471748174917501751175217531754175517561757175817591760176117621763176417651766176717681769177017711772177317741775177617771778177917801781178217831784178517861787178817891790179117921793179417951796179717981799180018011802180318041805180618071808180918101811181218131814181518161817181818191820182118221823182418251826182718281829183018311832183318341835183618371838183918401841184218431844184518461847184818491850185118521853185418551856185718581859186018611862186318641865186618671868186918701871187218731874187518761877187818791880188118821883188418851886188718881889189018911892189318941895189618971898189919001901190219031904190519061907190819091910191119121913191419151916191719181919192019211922192319241925192619271928192919301931193219331934193519361937193819391940194119421943194419451946194719481949195019511952195319541955195619571958195919601961196219631964196519661967196819691970197119721973197419751976197719781979198019811982198319841985198619871988198919901991199219931994199519961997199819992000200120022003200420052006200720082009201020112012201320142015201620172018201920202021202220232024202520262027202820292030203120322033203420352036203720382039204020412042204320442045204620472048204920502051205220532054205520562057205820592060206120622063206420652066206720682069207020712072207320742075207620772078207920802081208220832084208520862087208820892090209120922093209420952096209720982099210021012102210321042105210621072108210921102111211221132114211521162117211821192120212121222123212421252126212721282129213021312132213321342135213621372138213921402141214221432144214521462147214821492150215121522153215421552156215721582159216021612162216321642165216621672168216921702171217221732174217521762177217821792180218121822183
  1. apiVersion: apiextensions.k8s.io/v1
  2. kind: CustomResourceDefinition
  3. metadata:
  4. annotations:
  5. controller-gen.kubebuilder.io/version: v0.19.0
  6. labels:
  7. external-secrets.io/component: controller
  8. name: clustergenerators.generators.external-secrets.io
  9. spec:
  10. group: generators.external-secrets.io
  11. names:
  12. categories:
  13. - external-secrets
  14. - external-secrets-generators
  15. kind: ClusterGenerator
  16. listKind: ClusterGeneratorList
  17. plural: clustergenerators
  18. singular: clustergenerator
  19. scope: Cluster
  20. versions:
  21. - name: v1alpha1
  22. schema:
  23. openAPIV3Schema:
  24. description: ClusterGenerator represents a cluster-wide generator which can
  25. be referenced as part of `generatorRef` fields.
  26. properties:
  27. apiVersion:
  28. description: |-
  29. APIVersion defines the versioned schema of this representation of an object.
  30. Servers should convert recognized schemas to the latest internal value, and
  31. may reject unrecognized values.
  32. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  33. type: string
  34. kind:
  35. description: |-
  36. Kind is a string value representing the REST resource this object represents.
  37. Servers may infer this from the endpoint the client submits requests to.
  38. Cannot be updated.
  39. In CamelCase.
  40. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  41. type: string
  42. metadata:
  43. type: object
  44. spec:
  45. properties:
  46. generator:
  47. description: Generator the spec for this generator, must match the
  48. kind.
  49. maxProperties: 1
  50. minProperties: 1
  51. properties:
  52. acrAccessTokenSpec:
  53. description: |-
  54. ACRAccessTokenSpec defines how to generate the access token
  55. e.g. how to authenticate and which registry to use.
  56. see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview
  57. properties:
  58. auth:
  59. properties:
  60. managedIdentity:
  61. description: ManagedIdentity uses Azure Managed Identity
  62. to authenticate with Azure.
  63. properties:
  64. identityId:
  65. description: If multiple Managed Identity is assigned
  66. to the pod, you can select the one to be used
  67. type: string
  68. type: object
  69. servicePrincipal:
  70. description: ServicePrincipal uses Azure Service Principal
  71. credentials to authenticate with Azure.
  72. properties:
  73. secretRef:
  74. description: |-
  75. Configuration used to authenticate with Azure using static
  76. credentials stored in a Kind=Secret.
  77. properties:
  78. clientId:
  79. description: The Azure clientId of the service
  80. principle used for authentication.
  81. properties:
  82. key:
  83. description: |-
  84. A key in the referenced Secret.
  85. Some instances of this field may be defaulted, in others it may be required.
  86. maxLength: 253
  87. minLength: 1
  88. pattern: ^[-._a-zA-Z0-9]+$
  89. type: string
  90. name:
  91. description: The name of the Secret resource
  92. being referred to.
  93. maxLength: 253
  94. minLength: 1
  95. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  96. type: string
  97. namespace:
  98. description: |-
  99. The namespace of the Secret resource being referred to.
  100. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  101. maxLength: 63
  102. minLength: 1
  103. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  104. type: string
  105. type: object
  106. clientSecret:
  107. description: The Azure ClientSecret of the service
  108. principle used for authentication.
  109. properties:
  110. key:
  111. description: |-
  112. A key in the referenced Secret.
  113. Some instances of this field may be defaulted, in others it may be required.
  114. maxLength: 253
  115. minLength: 1
  116. pattern: ^[-._a-zA-Z0-9]+$
  117. type: string
  118. name:
  119. description: The name of the Secret resource
  120. being referred to.
  121. maxLength: 253
  122. minLength: 1
  123. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  124. type: string
  125. namespace:
  126. description: |-
  127. The namespace of the Secret resource being referred to.
  128. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  129. maxLength: 63
  130. minLength: 1
  131. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  132. type: string
  133. type: object
  134. type: object
  135. required:
  136. - secretRef
  137. type: object
  138. workloadIdentity:
  139. description: WorkloadIdentity uses Azure Workload Identity
  140. to authenticate with Azure.
  141. properties:
  142. serviceAccountRef:
  143. description: |-
  144. ServiceAccountRef specified the service account
  145. that should be used when authenticating with WorkloadIdentity.
  146. properties:
  147. audiences:
  148. description: |-
  149. Audience specifies the `aud` claim for the service account token
  150. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  151. then this audiences will be appended to the list
  152. items:
  153. type: string
  154. type: array
  155. name:
  156. description: The name of the ServiceAccount resource
  157. being referred to.
  158. maxLength: 253
  159. minLength: 1
  160. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  161. type: string
  162. namespace:
  163. description: |-
  164. Namespace of the resource being referred to.
  165. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  166. maxLength: 63
  167. minLength: 1
  168. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  169. type: string
  170. required:
  171. - name
  172. type: object
  173. type: object
  174. type: object
  175. environmentType:
  176. default: PublicCloud
  177. description: |-
  178. EnvironmentType specifies the Azure cloud environment endpoints to use for
  179. connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
  180. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
  181. PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
  182. enum:
  183. - PublicCloud
  184. - USGovernmentCloud
  185. - ChinaCloud
  186. - GermanCloud
  187. - AzureStackCloud
  188. type: string
  189. registry:
  190. description: |-
  191. the domain name of the ACR registry
  192. e.g. foobarexample.azurecr.io
  193. type: string
  194. scope:
  195. description: |-
  196. Define the scope for the access token, e.g. pull/push access for a repository.
  197. if not provided it will return a refresh token that has full scope.
  198. Note: you need to pin it down to the repository level, there is no wildcard available.
  199. examples:
  200. repository:my-repository:pull,push
  201. repository:my-repository:pull
  202. see docs for details: https://docs.docker.com/registry/spec/auth/scope/
  203. type: string
  204. tenantId:
  205. description: TenantID configures the Azure Tenant to send
  206. requests to. Required for ServicePrincipal auth type.
  207. type: string
  208. required:
  209. - auth
  210. - registry
  211. type: object
  212. cloudsmithAccessTokenSpec:
  213. properties:
  214. apiUrl:
  215. description: APIURL configures the Cloudsmith API URL. Defaults
  216. to https://api.cloudsmith.io.
  217. type: string
  218. orgSlug:
  219. description: OrgSlug is the organization slug in Cloudsmith
  220. type: string
  221. serviceAccountRef:
  222. description: Name of the service account you are federating
  223. with
  224. properties:
  225. audiences:
  226. description: |-
  227. Audience specifies the `aud` claim for the service account token
  228. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  229. then this audiences will be appended to the list
  230. items:
  231. type: string
  232. type: array
  233. name:
  234. description: The name of the ServiceAccount resource being
  235. referred to.
  236. maxLength: 253
  237. minLength: 1
  238. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  239. type: string
  240. namespace:
  241. description: |-
  242. Namespace of the resource being referred to.
  243. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  244. maxLength: 63
  245. minLength: 1
  246. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  247. type: string
  248. required:
  249. - name
  250. type: object
  251. serviceSlug:
  252. description: ServiceSlug is the service slug in Cloudsmith
  253. for OIDC authentication
  254. type: string
  255. required:
  256. - orgSlug
  257. - serviceAccountRef
  258. - serviceSlug
  259. type: object
  260. ecrAuthorizationTokenSpec:
  261. properties:
  262. auth:
  263. description: Auth defines how to authenticate with AWS
  264. properties:
  265. jwt:
  266. description: Authenticate against AWS using service account
  267. tokens.
  268. properties:
  269. serviceAccountRef:
  270. description: A reference to a ServiceAccount resource.
  271. properties:
  272. audiences:
  273. description: |-
  274. Audience specifies the `aud` claim for the service account token
  275. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  276. then this audiences will be appended to the list
  277. items:
  278. type: string
  279. type: array
  280. name:
  281. description: The name of the ServiceAccount resource
  282. being referred to.
  283. maxLength: 253
  284. minLength: 1
  285. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  286. type: string
  287. namespace:
  288. description: |-
  289. Namespace of the resource being referred to.
  290. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  291. maxLength: 63
  292. minLength: 1
  293. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  294. type: string
  295. required:
  296. - name
  297. type: object
  298. type: object
  299. secretRef:
  300. description: |-
  301. AWSAuthSecretRef holds secret references for AWS credentials
  302. both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  303. properties:
  304. accessKeyIDSecretRef:
  305. description: The AccessKeyID is used for authentication
  306. properties:
  307. key:
  308. description: |-
  309. A key in the referenced Secret.
  310. Some instances of this field may be defaulted, in others it may be required.
  311. maxLength: 253
  312. minLength: 1
  313. pattern: ^[-._a-zA-Z0-9]+$
  314. type: string
  315. name:
  316. description: The name of the Secret resource being
  317. referred to.
  318. maxLength: 253
  319. minLength: 1
  320. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  321. type: string
  322. namespace:
  323. description: |-
  324. The namespace of the Secret resource being referred to.
  325. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  326. maxLength: 63
  327. minLength: 1
  328. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  329. type: string
  330. type: object
  331. secretAccessKeySecretRef:
  332. description: The SecretAccessKey is used for authentication
  333. properties:
  334. key:
  335. description: |-
  336. A key in the referenced Secret.
  337. Some instances of this field may be defaulted, in others it may be required.
  338. maxLength: 253
  339. minLength: 1
  340. pattern: ^[-._a-zA-Z0-9]+$
  341. type: string
  342. name:
  343. description: The name of the Secret resource being
  344. referred to.
  345. maxLength: 253
  346. minLength: 1
  347. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  348. type: string
  349. namespace:
  350. description: |-
  351. The namespace of the Secret resource being referred to.
  352. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  353. maxLength: 63
  354. minLength: 1
  355. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  356. type: string
  357. type: object
  358. sessionTokenSecretRef:
  359. description: |-
  360. The SessionToken used for authentication
  361. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  362. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  363. properties:
  364. key:
  365. description: |-
  366. A key in the referenced Secret.
  367. Some instances of this field may be defaulted, in others it may be required.
  368. maxLength: 253
  369. minLength: 1
  370. pattern: ^[-._a-zA-Z0-9]+$
  371. type: string
  372. name:
  373. description: The name of the Secret resource being
  374. referred to.
  375. maxLength: 253
  376. minLength: 1
  377. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  378. type: string
  379. namespace:
  380. description: |-
  381. The namespace of the Secret resource being referred to.
  382. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  383. maxLength: 63
  384. minLength: 1
  385. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  386. type: string
  387. type: object
  388. type: object
  389. type: object
  390. region:
  391. description: Region specifies the region to operate in.
  392. type: string
  393. role:
  394. description: |-
  395. You can assume a role before making calls to the
  396. desired AWS service.
  397. type: string
  398. scope:
  399. description: |-
  400. Scope specifies the ECR service scope.
  401. Valid options are private and public.
  402. type: string
  403. required:
  404. - region
  405. type: object
  406. fakeSpec:
  407. description: FakeSpec contains the static data.
  408. properties:
  409. controller:
  410. description: |-
  411. Used to select the correct ESO controller (think: ingress.ingressClassName)
  412. The ESO controller is instantiated with a specific controller name and filters VDS based on this property
  413. type: string
  414. data:
  415. additionalProperties:
  416. type: string
  417. description: |-
  418. Data defines the static data returned
  419. by this generator.
  420. type: object
  421. type: object
  422. gcrAccessTokenSpec:
  423. properties:
  424. auth:
  425. description: Auth defines the means for authenticating with
  426. GCP
  427. properties:
  428. secretRef:
  429. properties:
  430. secretAccessKeySecretRef:
  431. description: The SecretAccessKey is used for authentication
  432. properties:
  433. key:
  434. description: |-
  435. A key in the referenced Secret.
  436. Some instances of this field may be defaulted, in others it may be required.
  437. maxLength: 253
  438. minLength: 1
  439. pattern: ^[-._a-zA-Z0-9]+$
  440. type: string
  441. name:
  442. description: The name of the Secret resource being
  443. referred to.
  444. maxLength: 253
  445. minLength: 1
  446. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  447. type: string
  448. namespace:
  449. description: |-
  450. The namespace of the Secret resource being referred to.
  451. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  452. maxLength: 63
  453. minLength: 1
  454. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  455. type: string
  456. type: object
  457. type: object
  458. workloadIdentity:
  459. properties:
  460. clusterLocation:
  461. type: string
  462. clusterName:
  463. type: string
  464. clusterProjectID:
  465. type: string
  466. serviceAccountRef:
  467. description: A reference to a ServiceAccount resource.
  468. properties:
  469. audiences:
  470. description: |-
  471. Audience specifies the `aud` claim for the service account token
  472. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  473. then this audiences will be appended to the list
  474. items:
  475. type: string
  476. type: array
  477. name:
  478. description: The name of the ServiceAccount resource
  479. being referred to.
  480. maxLength: 253
  481. minLength: 1
  482. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  483. type: string
  484. namespace:
  485. description: |-
  486. Namespace of the resource being referred to.
  487. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  488. maxLength: 63
  489. minLength: 1
  490. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  491. type: string
  492. required:
  493. - name
  494. type: object
  495. required:
  496. - clusterLocation
  497. - clusterName
  498. - serviceAccountRef
  499. type: object
  500. workloadIdentityFederation:
  501. description: GCPWorkloadIdentityFederation holds the configurations
  502. required for generating federated access tokens.
  503. properties:
  504. audience:
  505. description: |-
  506. audience is the Secure Token Service (STS) audience which contains the resource name for the workload identity pool and the provider identifier in that pool.
  507. If specified, Audience found in the external account credential config will be overridden with the configured value.
  508. audience must be provided when serviceAccountRef or awsSecurityCredentials is configured.
  509. type: string
  510. awsSecurityCredentials:
  511. description: |-
  512. awsSecurityCredentials is for configuring AWS region and credentials to use for obtaining the access token,
  513. when using the AWS metadata server is not an option.
  514. properties:
  515. awsCredentialsSecretRef:
  516. description: |-
  517. awsCredentialsSecretRef is the reference to the secret which holds the AWS credentials.
  518. Secret should be created with below names for keys
  519. - aws_access_key_id: Access Key ID, which is the unique identifier for the AWS account or the IAM user.
  520. - aws_secret_access_key: Secret Access Key, which is used to authenticate requests made to AWS services.
  521. - aws_session_token: Session Token, is the short-lived token to authenticate requests made to AWS services.
  522. properties:
  523. name:
  524. description: name of the secret.
  525. maxLength: 253
  526. minLength: 1
  527. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  528. type: string
  529. namespace:
  530. description: namespace in which the secret
  531. exists. If empty, secret will looked up
  532. in local namespace.
  533. maxLength: 63
  534. minLength: 1
  535. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  536. type: string
  537. required:
  538. - name
  539. type: object
  540. region:
  541. description: region is for configuring the AWS
  542. region to be used.
  543. example: ap-south-1
  544. maxLength: 50
  545. minLength: 1
  546. pattern: ^[a-z0-9-]+$
  547. type: string
  548. required:
  549. - awsCredentialsSecretRef
  550. - region
  551. type: object
  552. credConfig:
  553. description: |-
  554. credConfig holds the configmap reference containing the GCP external account credential configuration in JSON format and the key name containing the json data.
  555. For using Kubernetes cluster as the identity provider, use serviceAccountRef instead. Operators mounted serviceaccount token cannot be used as the token source, instead
  556. serviceAccountRef must be used by providing operators service account details.
  557. properties:
  558. key:
  559. description: key name holding the external account
  560. credential config.
  561. maxLength: 253
  562. minLength: 1
  563. pattern: ^[-._a-zA-Z0-9]+$
  564. type: string
  565. name:
  566. description: name of the configmap.
  567. maxLength: 253
  568. minLength: 1
  569. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  570. type: string
  571. namespace:
  572. description: namespace in which the configmap
  573. exists. If empty, configmap will looked up in
  574. local namespace.
  575. maxLength: 63
  576. minLength: 1
  577. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  578. type: string
  579. required:
  580. - key
  581. - name
  582. type: object
  583. externalTokenEndpoint:
  584. description: |-
  585. externalTokenEndpoint is the endpoint explicitly set up to provide tokens, which will be matched against the
  586. credential_source.url in the provided credConfig. This field is merely to double-check the external token source
  587. URL is having the expected value.
  588. type: string
  589. serviceAccountRef:
  590. description: |-
  591. serviceAccountRef is the reference to the kubernetes ServiceAccount to be used for obtaining the tokens,
  592. when Kubernetes is configured as provider in workload identity pool.
  593. properties:
  594. audiences:
  595. description: |-
  596. Audience specifies the `aud` claim for the service account token
  597. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  598. then this audiences will be appended to the list
  599. items:
  600. type: string
  601. type: array
  602. name:
  603. description: The name of the ServiceAccount resource
  604. being referred to.
  605. maxLength: 253
  606. minLength: 1
  607. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  608. type: string
  609. namespace:
  610. description: |-
  611. Namespace of the resource being referred to.
  612. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  613. maxLength: 63
  614. minLength: 1
  615. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  616. type: string
  617. required:
  618. - name
  619. type: object
  620. type: object
  621. type: object
  622. projectID:
  623. description: ProjectID defines which project to use to authenticate
  624. with
  625. type: string
  626. required:
  627. - auth
  628. - projectID
  629. type: object
  630. githubAccessTokenSpec:
  631. properties:
  632. appID:
  633. type: string
  634. auth:
  635. description: Auth configures how ESO authenticates with a
  636. Github instance.
  637. properties:
  638. privateKey:
  639. properties:
  640. secretRef:
  641. description: |-
  642. A reference to a specific 'key' within a Secret resource.
  643. In some instances, `key` is a required field.
  644. properties:
  645. key:
  646. description: |-
  647. A key in the referenced Secret.
  648. Some instances of this field may be defaulted, in others it may be required.
  649. maxLength: 253
  650. minLength: 1
  651. pattern: ^[-._a-zA-Z0-9]+$
  652. type: string
  653. name:
  654. description: The name of the Secret resource being
  655. referred to.
  656. maxLength: 253
  657. minLength: 1
  658. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  659. type: string
  660. namespace:
  661. description: |-
  662. The namespace of the Secret resource being referred to.
  663. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  664. maxLength: 63
  665. minLength: 1
  666. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  667. type: string
  668. type: object
  669. required:
  670. - secretRef
  671. type: object
  672. required:
  673. - privateKey
  674. type: object
  675. installID:
  676. type: string
  677. permissions:
  678. additionalProperties:
  679. type: string
  680. description: Map of permissions the token will have. If omitted,
  681. defaults to all permissions the GitHub App has.
  682. type: object
  683. repositories:
  684. description: |-
  685. List of repositories the token will have access to. If omitted, defaults to all repositories the GitHub App
  686. is installed to.
  687. items:
  688. type: string
  689. type: array
  690. url:
  691. description: URL configures the Github instance URL. Defaults
  692. to https://github.com/.
  693. type: string
  694. required:
  695. - appID
  696. - auth
  697. - installID
  698. type: object
  699. grafanaSpec:
  700. description: GrafanaSpec controls the behavior of the grafana
  701. generator.
  702. properties:
  703. auth:
  704. description: |-
  705. Auth is the authentication configuration to authenticate
  706. against the Grafana instance.
  707. properties:
  708. basic:
  709. description: |-
  710. Basic auth credentials used to authenticate against the Grafana instance.
  711. Note: you need a token which has elevated permissions to create service accounts.
  712. See here for the documentation on basic roles offered by Grafana:
  713. https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/
  714. properties:
  715. password:
  716. description: A basic auth password used to authenticate
  717. against the Grafana instance.
  718. properties:
  719. key:
  720. description: The key where the token is found.
  721. maxLength: 253
  722. minLength: 1
  723. pattern: ^[-._a-zA-Z0-9]+$
  724. type: string
  725. name:
  726. description: The name of the Secret resource being
  727. referred to.
  728. maxLength: 253
  729. minLength: 1
  730. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  731. type: string
  732. type: object
  733. username:
  734. description: A basic auth username used to authenticate
  735. against the Grafana instance.
  736. type: string
  737. required:
  738. - password
  739. - username
  740. type: object
  741. token:
  742. description: |-
  743. A service account token used to authenticate against the Grafana instance.
  744. Note: you need a token which has elevated permissions to create service accounts.
  745. See here for the documentation on basic roles offered by Grafana:
  746. https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/
  747. properties:
  748. key:
  749. description: The key where the token is found.
  750. maxLength: 253
  751. minLength: 1
  752. pattern: ^[-._a-zA-Z0-9]+$
  753. type: string
  754. name:
  755. description: The name of the Secret resource being
  756. referred to.
  757. maxLength: 253
  758. minLength: 1
  759. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  760. type: string
  761. type: object
  762. type: object
  763. serviceAccount:
  764. description: |-
  765. ServiceAccount is the configuration for the service account that
  766. is supposed to be generated by the generator.
  767. properties:
  768. name:
  769. description: Name is the name of the service account that
  770. will be created by ESO.
  771. type: string
  772. role:
  773. description: |-
  774. Role is the role of the service account.
  775. See here for the documentation on basic roles offered by Grafana:
  776. https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/
  777. type: string
  778. required:
  779. - name
  780. - role
  781. type: object
  782. url:
  783. description: URL is the URL of the Grafana instance.
  784. type: string
  785. required:
  786. - auth
  787. - serviceAccount
  788. - url
  789. type: object
  790. mfaSpec:
  791. description: MFASpec controls the behavior of the mfa generator.
  792. properties:
  793. algorithm:
  794. description: Algorithm to use for encoding. Defaults to SHA1
  795. as per the RFC.
  796. type: string
  797. length:
  798. description: Length defines the token length. Defaults to
  799. 6 characters.
  800. type: integer
  801. secret:
  802. description: Secret is a secret selector to a secret containing
  803. the seed secret to generate the TOTP value from.
  804. properties:
  805. key:
  806. description: |-
  807. A key in the referenced Secret.
  808. Some instances of this field may be defaulted, in others it may be required.
  809. maxLength: 253
  810. minLength: 1
  811. pattern: ^[-._a-zA-Z0-9]+$
  812. type: string
  813. name:
  814. description: The name of the Secret resource being referred
  815. to.
  816. maxLength: 253
  817. minLength: 1
  818. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  819. type: string
  820. namespace:
  821. description: |-
  822. The namespace of the Secret resource being referred to.
  823. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  824. maxLength: 63
  825. minLength: 1
  826. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  827. type: string
  828. type: object
  829. timePeriod:
  830. description: TimePeriod defines how long the token can be
  831. active. Defaults to 30 seconds.
  832. type: integer
  833. when:
  834. description: When defines a time parameter that can be used
  835. to pin the origin time of the generated token.
  836. format: date-time
  837. type: string
  838. required:
  839. - secret
  840. type: object
  841. passwordSpec:
  842. description: PasswordSpec controls the behavior of the password
  843. generator.
  844. properties:
  845. allowRepeat:
  846. default: false
  847. description: set AllowRepeat to true to allow repeating characters.
  848. type: boolean
  849. digits:
  850. description: |-
  851. Digits specifies the number of digits in the generated
  852. password. If omitted it defaults to 25% of the length of the password
  853. type: integer
  854. length:
  855. default: 24
  856. description: |-
  857. Length of the password to be generated.
  858. Defaults to 24
  859. type: integer
  860. noUpper:
  861. default: false
  862. description: Set NoUpper to disable uppercase characters
  863. type: boolean
  864. symbolCharacters:
  865. description: |-
  866. SymbolCharacters specifies the special characters that should be used
  867. in the generated password.
  868. type: string
  869. symbols:
  870. description: |-
  871. Symbols specifies the number of symbol characters in the generated
  872. password. If omitted it defaults to 25% of the length of the password
  873. type: integer
  874. required:
  875. - allowRepeat
  876. - length
  877. - noUpper
  878. type: object
  879. quayAccessTokenSpec:
  880. properties:
  881. robotAccount:
  882. description: Name of the robot account you are federating
  883. with
  884. type: string
  885. serviceAccountRef:
  886. description: Name of the service account you are federating
  887. with
  888. properties:
  889. audiences:
  890. description: |-
  891. Audience specifies the `aud` claim for the service account token
  892. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  893. then this audiences will be appended to the list
  894. items:
  895. type: string
  896. type: array
  897. name:
  898. description: The name of the ServiceAccount resource being
  899. referred to.
  900. maxLength: 253
  901. minLength: 1
  902. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  903. type: string
  904. namespace:
  905. description: |-
  906. Namespace of the resource being referred to.
  907. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  908. maxLength: 63
  909. minLength: 1
  910. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  911. type: string
  912. required:
  913. - name
  914. type: object
  915. url:
  916. description: URL configures the Quay instance URL. Defaults
  917. to quay.io.
  918. type: string
  919. required:
  920. - robotAccount
  921. - serviceAccountRef
  922. type: object
  923. sshKeySpec:
  924. description: SSHKeySpec controls the behavior of the ssh key generator.
  925. properties:
  926. comment:
  927. description: Comment specifies an optional comment for the
  928. SSH key
  929. type: string
  930. keySize:
  931. description: |-
  932. KeySize specifies the key size for RSA keys (default: 2048)
  933. For RSA keys: 2048, 3072, 4096
  934. Ignored for ed25519 keys
  935. maximum: 8192
  936. minimum: 256
  937. type: integer
  938. keyType:
  939. default: rsa
  940. description: KeyType specifies the SSH key type (rsa, ed25519)
  941. enum:
  942. - rsa
  943. - ed25519
  944. type: string
  945. type: object
  946. stsSessionTokenSpec:
  947. properties:
  948. auth:
  949. description: Auth defines how to authenticate with AWS
  950. properties:
  951. jwt:
  952. description: Authenticate against AWS using service account
  953. tokens.
  954. properties:
  955. serviceAccountRef:
  956. description: A reference to a ServiceAccount resource.
  957. properties:
  958. audiences:
  959. description: |-
  960. Audience specifies the `aud` claim for the service account token
  961. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  962. then this audiences will be appended to the list
  963. items:
  964. type: string
  965. type: array
  966. name:
  967. description: The name of the ServiceAccount resource
  968. being referred to.
  969. maxLength: 253
  970. minLength: 1
  971. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  972. type: string
  973. namespace:
  974. description: |-
  975. Namespace of the resource being referred to.
  976. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  977. maxLength: 63
  978. minLength: 1
  979. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  980. type: string
  981. required:
  982. - name
  983. type: object
  984. type: object
  985. secretRef:
  986. description: |-
  987. AWSAuthSecretRef holds secret references for AWS credentials
  988. both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  989. properties:
  990. accessKeyIDSecretRef:
  991. description: The AccessKeyID is used for authentication
  992. properties:
  993. key:
  994. description: |-
  995. A key in the referenced Secret.
  996. Some instances of this field may be defaulted, in others it may be required.
  997. maxLength: 253
  998. minLength: 1
  999. pattern: ^[-._a-zA-Z0-9]+$
  1000. type: string
  1001. name:
  1002. description: The name of the Secret resource being
  1003. referred to.
  1004. maxLength: 253
  1005. minLength: 1
  1006. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1007. type: string
  1008. namespace:
  1009. description: |-
  1010. The namespace of the Secret resource being referred to.
  1011. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  1012. maxLength: 63
  1013. minLength: 1
  1014. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  1015. type: string
  1016. type: object
  1017. secretAccessKeySecretRef:
  1018. description: The SecretAccessKey is used for authentication
  1019. properties:
  1020. key:
  1021. description: |-
  1022. A key in the referenced Secret.
  1023. Some instances of this field may be defaulted, in others it may be required.
  1024. maxLength: 253
  1025. minLength: 1
  1026. pattern: ^[-._a-zA-Z0-9]+$
  1027. type: string
  1028. name:
  1029. description: The name of the Secret resource being
  1030. referred to.
  1031. maxLength: 253
  1032. minLength: 1
  1033. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1034. type: string
  1035. namespace:
  1036. description: |-
  1037. The namespace of the Secret resource being referred to.
  1038. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  1039. maxLength: 63
  1040. minLength: 1
  1041. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  1042. type: string
  1043. type: object
  1044. sessionTokenSecretRef:
  1045. description: |-
  1046. The SessionToken used for authentication
  1047. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  1048. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  1049. properties:
  1050. key:
  1051. description: |-
  1052. A key in the referenced Secret.
  1053. Some instances of this field may be defaulted, in others it may be required.
  1054. maxLength: 253
  1055. minLength: 1
  1056. pattern: ^[-._a-zA-Z0-9]+$
  1057. type: string
  1058. name:
  1059. description: The name of the Secret resource being
  1060. referred to.
  1061. maxLength: 253
  1062. minLength: 1
  1063. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1064. type: string
  1065. namespace:
  1066. description: |-
  1067. The namespace of the Secret resource being referred to.
  1068. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  1069. maxLength: 63
  1070. minLength: 1
  1071. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  1072. type: string
  1073. type: object
  1074. type: object
  1075. type: object
  1076. region:
  1077. description: Region specifies the region to operate in.
  1078. type: string
  1079. requestParameters:
  1080. description: RequestParameters contains parameters that can
  1081. be passed to the STS service.
  1082. properties:
  1083. serialNumber:
  1084. description: |-
  1085. SerialNumber is the identification number of the MFA device that is associated with the IAM user who is making
  1086. the GetSessionToken call.
  1087. Possible values: hardware device (such as GAHT12345678) or an Amazon Resource Name (ARN) for a virtual device
  1088. (such as arn:aws:iam::123456789012:mfa/user)
  1089. type: string
  1090. sessionDuration:
  1091. format: int32
  1092. type: integer
  1093. tokenCode:
  1094. description: TokenCode is the value provided by the MFA
  1095. device, if MFA is required.
  1096. type: string
  1097. type: object
  1098. role:
  1099. description: |-
  1100. You can assume a role before making calls to the
  1101. desired AWS service.
  1102. type: string
  1103. required:
  1104. - region
  1105. type: object
  1106. uuidSpec:
  1107. description: UUIDSpec controls the behavior of the uuid generator.
  1108. type: object
  1109. vaultDynamicSecretSpec:
  1110. properties:
  1111. allowEmptyResponse:
  1112. default: false
  1113. description: Do not fail if no secrets are found. Useful for
  1114. requests where no data is expected.
  1115. type: boolean
  1116. controller:
  1117. description: |-
  1118. Used to select the correct ESO controller (think: ingress.ingressClassName)
  1119. The ESO controller is instantiated with a specific controller name and filters VDS based on this property
  1120. type: string
  1121. method:
  1122. description: Vault API method to use (GET/POST/other)
  1123. type: string
  1124. parameters:
  1125. description: Parameters to pass to Vault write (for non-GET
  1126. methods)
  1127. x-kubernetes-preserve-unknown-fields: true
  1128. path:
  1129. description: Vault path to obtain the dynamic secret from
  1130. type: string
  1131. provider:
  1132. description: Vault provider common spec
  1133. properties:
  1134. auth:
  1135. description: Auth configures how secret-manager authenticates
  1136. with the Vault server.
  1137. properties:
  1138. appRole:
  1139. description: |-
  1140. AppRole authenticates with Vault using the App Role auth mechanism,
  1141. with the role and secret stored in a Kubernetes Secret resource.
  1142. properties:
  1143. path:
  1144. default: approle
  1145. description: |-
  1146. Path where the App Role authentication backend is mounted
  1147. in Vault, e.g: "approle"
  1148. type: string
  1149. roleId:
  1150. description: |-
  1151. RoleID configured in the App Role authentication backend when setting
  1152. up the authentication backend in Vault.
  1153. type: string
  1154. roleRef:
  1155. description: |-
  1156. Reference to a key in a Secret that contains the App Role ID used
  1157. to authenticate with Vault.
  1158. The `key` field must be specified and denotes which entry within the Secret
  1159. resource is used as the app role id.
  1160. properties:
  1161. key:
  1162. description: |-
  1163. A key in the referenced Secret.
  1164. Some instances of this field may be defaulted, in others it may be required.
  1165. maxLength: 253
  1166. minLength: 1
  1167. pattern: ^[-._a-zA-Z0-9]+$
  1168. type: string
  1169. name:
  1170. description: The name of the Secret resource
  1171. being referred to.
  1172. maxLength: 253
  1173. minLength: 1
  1174. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1175. type: string
  1176. namespace:
  1177. description: |-
  1178. The namespace of the Secret resource being referred to.
  1179. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  1180. maxLength: 63
  1181. minLength: 1
  1182. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  1183. type: string
  1184. type: object
  1185. secretRef:
  1186. description: |-
  1187. Reference to a key in a Secret that contains the App Role secret used
  1188. to authenticate with Vault.
  1189. The `key` field must be specified and denotes which entry within the Secret
  1190. resource is used as the app role secret.
  1191. properties:
  1192. key:
  1193. description: |-
  1194. A key in the referenced Secret.
  1195. Some instances of this field may be defaulted, in others it may be required.
  1196. maxLength: 253
  1197. minLength: 1
  1198. pattern: ^[-._a-zA-Z0-9]+$
  1199. type: string
  1200. name:
  1201. description: The name of the Secret resource
  1202. being referred to.
  1203. maxLength: 253
  1204. minLength: 1
  1205. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1206. type: string
  1207. namespace:
  1208. description: |-
  1209. The namespace of the Secret resource being referred to.
  1210. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  1211. maxLength: 63
  1212. minLength: 1
  1213. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  1214. type: string
  1215. type: object
  1216. required:
  1217. - path
  1218. - secretRef
  1219. type: object
  1220. cert:
  1221. description: |-
  1222. Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
  1223. Cert authentication method
  1224. properties:
  1225. clientCert:
  1226. description: |-
  1227. ClientCert is a certificate to authenticate using the Cert Vault
  1228. authentication method
  1229. properties:
  1230. key:
  1231. description: |-
  1232. A key in the referenced Secret.
  1233. Some instances of this field may be defaulted, in others it may be required.
  1234. maxLength: 253
  1235. minLength: 1
  1236. pattern: ^[-._a-zA-Z0-9]+$
  1237. type: string
  1238. name:
  1239. description: The name of the Secret resource
  1240. being referred to.
  1241. maxLength: 253
  1242. minLength: 1
  1243. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1244. type: string
  1245. namespace:
  1246. description: |-
  1247. The namespace of the Secret resource being referred to.
  1248. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  1249. maxLength: 63
  1250. minLength: 1
  1251. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  1252. type: string
  1253. type: object
  1254. path:
  1255. default: cert
  1256. description: |-
  1257. Path where the Certificate authentication backend is mounted
  1258. in Vault, e.g: "cert"
  1259. type: string
  1260. secretRef:
  1261. description: |-
  1262. SecretRef to a key in a Secret resource containing client private key to
  1263. authenticate with Vault using the Cert authentication method
  1264. properties:
  1265. key:
  1266. description: |-
  1267. A key in the referenced Secret.
  1268. Some instances of this field may be defaulted, in others it may be required.
  1269. maxLength: 253
  1270. minLength: 1
  1271. pattern: ^[-._a-zA-Z0-9]+$
  1272. type: string
  1273. name:
  1274. description: The name of the Secret resource
  1275. being referred to.
  1276. maxLength: 253
  1277. minLength: 1
  1278. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1279. type: string
  1280. namespace:
  1281. description: |-
  1282. The namespace of the Secret resource being referred to.
  1283. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  1284. maxLength: 63
  1285. minLength: 1
  1286. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  1287. type: string
  1288. type: object
  1289. type: object
  1290. iam:
  1291. description: |-
  1292. Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials
  1293. AWS IAM authentication method
  1294. properties:
  1295. externalID:
  1296. description: AWS External ID set on assumed IAM
  1297. roles
  1298. type: string
  1299. jwt:
  1300. description: Specify a service account with IRSA
  1301. enabled
  1302. properties:
  1303. serviceAccountRef:
  1304. description: A reference to a ServiceAccount
  1305. resource.
  1306. properties:
  1307. audiences:
  1308. description: |-
  1309. Audience specifies the `aud` claim for the service account token
  1310. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  1311. then this audiences will be appended to the list
  1312. items:
  1313. type: string
  1314. type: array
  1315. name:
  1316. description: The name of the ServiceAccount
  1317. resource being referred to.
  1318. maxLength: 253
  1319. minLength: 1
  1320. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1321. type: string
  1322. namespace:
  1323. description: |-
  1324. Namespace of the resource being referred to.
  1325. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  1326. maxLength: 63
  1327. minLength: 1
  1328. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  1329. type: string
  1330. required:
  1331. - name
  1332. type: object
  1333. type: object
  1334. path:
  1335. description: 'Path where the AWS auth method is
  1336. enabled in Vault, e.g: "aws"'
  1337. type: string
  1338. region:
  1339. description: AWS region
  1340. type: string
  1341. role:
  1342. description: This is the AWS role to be assumed
  1343. before talking to vault
  1344. type: string
  1345. secretRef:
  1346. description: Specify credentials in a Secret object
  1347. properties:
  1348. accessKeyIDSecretRef:
  1349. description: The AccessKeyID is used for authentication
  1350. properties:
  1351. key:
  1352. description: |-
  1353. A key in the referenced Secret.
  1354. Some instances of this field may be defaulted, in others it may be required.
  1355. maxLength: 253
  1356. minLength: 1
  1357. pattern: ^[-._a-zA-Z0-9]+$
  1358. type: string
  1359. name:
  1360. description: The name of the Secret resource
  1361. being referred to.
  1362. maxLength: 253
  1363. minLength: 1
  1364. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1365. type: string
  1366. namespace:
  1367. description: |-
  1368. The namespace of the Secret resource being referred to.
  1369. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  1370. maxLength: 63
  1371. minLength: 1
  1372. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  1373. type: string
  1374. type: object
  1375. secretAccessKeySecretRef:
  1376. description: The SecretAccessKey is used for
  1377. authentication
  1378. properties:
  1379. key:
  1380. description: |-
  1381. A key in the referenced Secret.
  1382. Some instances of this field may be defaulted, in others it may be required.
  1383. maxLength: 253
  1384. minLength: 1
  1385. pattern: ^[-._a-zA-Z0-9]+$
  1386. type: string
  1387. name:
  1388. description: The name of the Secret resource
  1389. being referred to.
  1390. maxLength: 253
  1391. minLength: 1
  1392. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1393. type: string
  1394. namespace:
  1395. description: |-
  1396. The namespace of the Secret resource being referred to.
  1397. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  1398. maxLength: 63
  1399. minLength: 1
  1400. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  1401. type: string
  1402. type: object
  1403. sessionTokenSecretRef:
  1404. description: |-
  1405. The SessionToken used for authentication
  1406. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  1407. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  1408. properties:
  1409. key:
  1410. description: |-
  1411. A key in the referenced Secret.
  1412. Some instances of this field may be defaulted, in others it may be required.
  1413. maxLength: 253
  1414. minLength: 1
  1415. pattern: ^[-._a-zA-Z0-9]+$
  1416. type: string
  1417. name:
  1418. description: The name of the Secret resource
  1419. being referred to.
  1420. maxLength: 253
  1421. minLength: 1
  1422. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1423. type: string
  1424. namespace:
  1425. description: |-
  1426. The namespace of the Secret resource being referred to.
  1427. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  1428. maxLength: 63
  1429. minLength: 1
  1430. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  1431. type: string
  1432. type: object
  1433. type: object
  1434. vaultAwsIamServerID:
  1435. description: 'X-Vault-AWS-IAM-Server-ID is an
  1436. additional header used by Vault IAM auth method
  1437. to mitigate against different types of replay
  1438. attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
  1439. type: string
  1440. vaultRole:
  1441. description: Vault Role. In vault, a role describes
  1442. an identity with a set of permissions, groups,
  1443. or policies you want to attach a user of the
  1444. secrets engine
  1445. type: string
  1446. required:
  1447. - vaultRole
  1448. type: object
  1449. jwt:
  1450. description: |-
  1451. Jwt authenticates with Vault by passing role and JWT token using the
  1452. JWT/OIDC authentication method
  1453. properties:
  1454. kubernetesServiceAccountToken:
  1455. description: |-
  1456. Optional ServiceAccountToken specifies the Kubernetes service account for which to request
  1457. a token for with the `TokenRequest` API.
  1458. properties:
  1459. audiences:
  1460. description: |-
  1461. Optional audiences field that will be used to request a temporary Kubernetes service
  1462. account token for the service account referenced by `serviceAccountRef`.
  1463. Defaults to a single audience `vault` it not specified.
  1464. Deprecated: use serviceAccountRef.Audiences instead
  1465. items:
  1466. type: string
  1467. type: array
  1468. expirationSeconds:
  1469. description: |-
  1470. Optional expiration time in seconds that will be used to request a temporary
  1471. Kubernetes service account token for the service account referenced by
  1472. `serviceAccountRef`.
  1473. Deprecated: this will be removed in the future.
  1474. Defaults to 10 minutes.
  1475. format: int64
  1476. type: integer
  1477. serviceAccountRef:
  1478. description: Service account field containing
  1479. the name of a kubernetes ServiceAccount.
  1480. properties:
  1481. audiences:
  1482. description: |-
  1483. Audience specifies the `aud` claim for the service account token
  1484. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  1485. then this audiences will be appended to the list
  1486. items:
  1487. type: string
  1488. type: array
  1489. name:
  1490. description: The name of the ServiceAccount
  1491. resource being referred to.
  1492. maxLength: 253
  1493. minLength: 1
  1494. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1495. type: string
  1496. namespace:
  1497. description: |-
  1498. Namespace of the resource being referred to.
  1499. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  1500. maxLength: 63
  1501. minLength: 1
  1502. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  1503. type: string
  1504. required:
  1505. - name
  1506. type: object
  1507. required:
  1508. - serviceAccountRef
  1509. type: object
  1510. path:
  1511. default: jwt
  1512. description: |-
  1513. Path where the JWT authentication backend is mounted
  1514. in Vault, e.g: "jwt"
  1515. type: string
  1516. role:
  1517. description: |-
  1518. Role is a JWT role to authenticate using the JWT/OIDC Vault
  1519. authentication method
  1520. type: string
  1521. secretRef:
  1522. description: |-
  1523. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  1524. authenticate with Vault using the JWT/OIDC authentication method.
  1525. properties:
  1526. key:
  1527. description: |-
  1528. A key in the referenced Secret.
  1529. Some instances of this field may be defaulted, in others it may be required.
  1530. maxLength: 253
  1531. minLength: 1
  1532. pattern: ^[-._a-zA-Z0-9]+$
  1533. type: string
  1534. name:
  1535. description: The name of the Secret resource
  1536. being referred to.
  1537. maxLength: 253
  1538. minLength: 1
  1539. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1540. type: string
  1541. namespace:
  1542. description: |-
  1543. The namespace of the Secret resource being referred to.
  1544. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  1545. maxLength: 63
  1546. minLength: 1
  1547. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  1548. type: string
  1549. type: object
  1550. required:
  1551. - path
  1552. type: object
  1553. kubernetes:
  1554. description: |-
  1555. Kubernetes authenticates with Vault by passing the ServiceAccount
  1556. token stored in the named Secret resource to the Vault server.
  1557. properties:
  1558. mountPath:
  1559. default: kubernetes
  1560. description: |-
  1561. Path where the Kubernetes authentication backend is mounted in Vault, e.g:
  1562. "kubernetes"
  1563. type: string
  1564. role:
  1565. description: |-
  1566. A required field containing the Vault Role to assume. A Role binds a
  1567. Kubernetes ServiceAccount with a set of Vault policies.
  1568. type: string
  1569. secretRef:
  1570. description: |-
  1571. Optional secret field containing a Kubernetes ServiceAccount JWT used
  1572. for authenticating with Vault. If a name is specified without a key,
  1573. `token` is the default. If one is not specified, the one bound to
  1574. the controller will be used.
  1575. properties:
  1576. key:
  1577. description: |-
  1578. A key in the referenced Secret.
  1579. Some instances of this field may be defaulted, in others it may be required.
  1580. maxLength: 253
  1581. minLength: 1
  1582. pattern: ^[-._a-zA-Z0-9]+$
  1583. type: string
  1584. name:
  1585. description: The name of the Secret resource
  1586. being referred to.
  1587. maxLength: 253
  1588. minLength: 1
  1589. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1590. type: string
  1591. namespace:
  1592. description: |-
  1593. The namespace of the Secret resource being referred to.
  1594. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  1595. maxLength: 63
  1596. minLength: 1
  1597. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  1598. type: string
  1599. type: object
  1600. serviceAccountRef:
  1601. description: |-
  1602. Optional service account field containing the name of a kubernetes ServiceAccount.
  1603. If the service account is specified, the service account secret token JWT will be used
  1604. for authenticating with Vault. If the service account selector is not supplied,
  1605. the secretRef will be used instead.
  1606. properties:
  1607. audiences:
  1608. description: |-
  1609. Audience specifies the `aud` claim for the service account token
  1610. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  1611. then this audiences will be appended to the list
  1612. items:
  1613. type: string
  1614. type: array
  1615. name:
  1616. description: The name of the ServiceAccount
  1617. resource being referred to.
  1618. maxLength: 253
  1619. minLength: 1
  1620. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1621. type: string
  1622. namespace:
  1623. description: |-
  1624. Namespace of the resource being referred to.
  1625. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  1626. maxLength: 63
  1627. minLength: 1
  1628. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  1629. type: string
  1630. required:
  1631. - name
  1632. type: object
  1633. required:
  1634. - mountPath
  1635. - role
  1636. type: object
  1637. ldap:
  1638. description: |-
  1639. Ldap authenticates with Vault by passing username/password pair using
  1640. the LDAP authentication method
  1641. properties:
  1642. path:
  1643. default: ldap
  1644. description: |-
  1645. Path where the LDAP authentication backend is mounted
  1646. in Vault, e.g: "ldap"
  1647. type: string
  1648. secretRef:
  1649. description: |-
  1650. SecretRef to a key in a Secret resource containing password for the LDAP
  1651. user used to authenticate with Vault using the LDAP authentication
  1652. method
  1653. properties:
  1654. key:
  1655. description: |-
  1656. A key in the referenced Secret.
  1657. Some instances of this field may be defaulted, in others it may be required.
  1658. maxLength: 253
  1659. minLength: 1
  1660. pattern: ^[-._a-zA-Z0-9]+$
  1661. type: string
  1662. name:
  1663. description: The name of the Secret resource
  1664. being referred to.
  1665. maxLength: 253
  1666. minLength: 1
  1667. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1668. type: string
  1669. namespace:
  1670. description: |-
  1671. The namespace of the Secret resource being referred to.
  1672. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  1673. maxLength: 63
  1674. minLength: 1
  1675. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  1676. type: string
  1677. type: object
  1678. username:
  1679. description: |-
  1680. Username is an LDAP username used to authenticate using the LDAP Vault
  1681. authentication method
  1682. type: string
  1683. required:
  1684. - path
  1685. - username
  1686. type: object
  1687. namespace:
  1688. description: |-
  1689. Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in.
  1690. Namespaces is a set of features within Vault Enterprise that allows
  1691. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  1692. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  1693. This will default to Vault.Namespace field if set, or empty otherwise
  1694. type: string
  1695. tokenSecretRef:
  1696. description: TokenSecretRef authenticates with Vault
  1697. by presenting a token.
  1698. properties:
  1699. key:
  1700. description: |-
  1701. A key in the referenced Secret.
  1702. Some instances of this field may be defaulted, in others it may be required.
  1703. maxLength: 253
  1704. minLength: 1
  1705. pattern: ^[-._a-zA-Z0-9]+$
  1706. type: string
  1707. name:
  1708. description: The name of the Secret resource being
  1709. referred to.
  1710. maxLength: 253
  1711. minLength: 1
  1712. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1713. type: string
  1714. namespace:
  1715. description: |-
  1716. The namespace of the Secret resource being referred to.
  1717. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  1718. maxLength: 63
  1719. minLength: 1
  1720. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  1721. type: string
  1722. type: object
  1723. userPass:
  1724. description: UserPass authenticates with Vault by
  1725. passing username/password pair
  1726. properties:
  1727. path:
  1728. default: userpass
  1729. description: |-
  1730. Path where the UserPassword authentication backend is mounted
  1731. in Vault, e.g: "userpass"
  1732. type: string
  1733. secretRef:
  1734. description: |-
  1735. SecretRef to a key in a Secret resource containing password for the
  1736. user used to authenticate with Vault using the UserPass authentication
  1737. method
  1738. properties:
  1739. key:
  1740. description: |-
  1741. A key in the referenced Secret.
  1742. Some instances of this field may be defaulted, in others it may be required.
  1743. maxLength: 253
  1744. minLength: 1
  1745. pattern: ^[-._a-zA-Z0-9]+$
  1746. type: string
  1747. name:
  1748. description: The name of the Secret resource
  1749. being referred to.
  1750. maxLength: 253
  1751. minLength: 1
  1752. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1753. type: string
  1754. namespace:
  1755. description: |-
  1756. The namespace of the Secret resource being referred to.
  1757. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  1758. maxLength: 63
  1759. minLength: 1
  1760. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  1761. type: string
  1762. type: object
  1763. username:
  1764. description: |-
  1765. Username is a username used to authenticate using the UserPass Vault
  1766. authentication method
  1767. type: string
  1768. required:
  1769. - path
  1770. - username
  1771. type: object
  1772. type: object
  1773. caBundle:
  1774. description: |-
  1775. PEM encoded CA bundle used to validate Vault server certificate. Only used
  1776. if the Server URL is using HTTPS protocol. This parameter is ignored for
  1777. plain HTTP protocol connection. If not set the system root certificates
  1778. are used to validate the TLS connection.
  1779. format: byte
  1780. type: string
  1781. caProvider:
  1782. description: The provider for the CA bundle to use to
  1783. validate Vault server certificate.
  1784. properties:
  1785. key:
  1786. description: The key where the CA certificate can
  1787. be found in the Secret or ConfigMap.
  1788. maxLength: 253
  1789. minLength: 1
  1790. pattern: ^[-._a-zA-Z0-9]+$
  1791. type: string
  1792. name:
  1793. description: The name of the object located at the
  1794. provider type.
  1795. maxLength: 253
  1796. minLength: 1
  1797. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1798. type: string
  1799. namespace:
  1800. description: |-
  1801. The namespace the Provider type is in.
  1802. Can only be defined when used in a ClusterSecretStore.
  1803. maxLength: 63
  1804. minLength: 1
  1805. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  1806. type: string
  1807. type:
  1808. description: The type of provider to use such as "Secret",
  1809. or "ConfigMap".
  1810. enum:
  1811. - Secret
  1812. - ConfigMap
  1813. type: string
  1814. required:
  1815. - name
  1816. - type
  1817. type: object
  1818. checkAndSet:
  1819. description: |-
  1820. CheckAndSet defines the Check-And-Set (CAS) settings for PushSecret operations.
  1821. Only applies to Vault KV v2 stores. When enabled, write operations must include
  1822. the current version of the secret to prevent unintentional overwrites.
  1823. properties:
  1824. required:
  1825. description: |-
  1826. Required when true, all write operations must include a check-and-set parameter.
  1827. This helps prevent unintentional overwrites of secrets.
  1828. type: boolean
  1829. type: object
  1830. forwardInconsistent:
  1831. description: |-
  1832. ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
  1833. leader instead of simply retrying within a loop. This can increase performance if
  1834. the option is enabled serverside.
  1835. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  1836. type: boolean
  1837. headers:
  1838. additionalProperties:
  1839. type: string
  1840. description: Headers to be added in Vault request
  1841. type: object
  1842. namespace:
  1843. description: |-
  1844. Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
  1845. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  1846. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  1847. type: string
  1848. path:
  1849. description: |-
  1850. Path is the mount path of the Vault KV backend endpoint, e.g:
  1851. "secret". The v2 KV secret engine version specific "/data" path suffix
  1852. for fetching secrets from Vault is optional and will be appended
  1853. if not present in specified path.
  1854. type: string
  1855. readYourWrites:
  1856. description: |-
  1857. ReadYourWrites ensures isolated read-after-write semantics by
  1858. providing discovered cluster replication states in each request.
  1859. More information about eventual consistency in Vault can be found here
  1860. https://www.vaultproject.io/docs/enterprise/consistency
  1861. type: boolean
  1862. server:
  1863. description: 'Server is the connection address for the
  1864. Vault server, e.g: "https://vault.example.com:8200".'
  1865. type: string
  1866. tls:
  1867. description: |-
  1868. The configuration used for client side related TLS communication, when the Vault server
  1869. requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
  1870. This parameter is ignored for plain HTTP protocol connection.
  1871. It's worth noting this configuration is different from the "TLS certificates auth method",
  1872. which is available under the `auth.cert` section.
  1873. properties:
  1874. certSecretRef:
  1875. description: |-
  1876. CertSecretRef is a certificate added to the transport layer
  1877. when communicating with the Vault server.
  1878. If no key for the Secret is specified, external-secret will default to 'tls.crt'.
  1879. properties:
  1880. key:
  1881. description: |-
  1882. A key in the referenced Secret.
  1883. Some instances of this field may be defaulted, in others it may be required.
  1884. maxLength: 253
  1885. minLength: 1
  1886. pattern: ^[-._a-zA-Z0-9]+$
  1887. type: string
  1888. name:
  1889. description: The name of the Secret resource being
  1890. referred to.
  1891. maxLength: 253
  1892. minLength: 1
  1893. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1894. type: string
  1895. namespace:
  1896. description: |-
  1897. The namespace of the Secret resource being referred to.
  1898. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  1899. maxLength: 63
  1900. minLength: 1
  1901. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  1902. type: string
  1903. type: object
  1904. keySecretRef:
  1905. description: |-
  1906. KeySecretRef to a key in a Secret resource containing client private key
  1907. added to the transport layer when communicating with the Vault server.
  1908. If no key for the Secret is specified, external-secret will default to 'tls.key'.
  1909. properties:
  1910. key:
  1911. description: |-
  1912. A key in the referenced Secret.
  1913. Some instances of this field may be defaulted, in others it may be required.
  1914. maxLength: 253
  1915. minLength: 1
  1916. pattern: ^[-._a-zA-Z0-9]+$
  1917. type: string
  1918. name:
  1919. description: The name of the Secret resource being
  1920. referred to.
  1921. maxLength: 253
  1922. minLength: 1
  1923. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1924. type: string
  1925. namespace:
  1926. description: |-
  1927. The namespace of the Secret resource being referred to.
  1928. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  1929. maxLength: 63
  1930. minLength: 1
  1931. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  1932. type: string
  1933. type: object
  1934. type: object
  1935. version:
  1936. default: v2
  1937. description: |-
  1938. Version is the Vault KV secret engine version. This can be either "v1" or
  1939. "v2". Version defaults to "v2".
  1940. enum:
  1941. - v1
  1942. - v2
  1943. type: string
  1944. required:
  1945. - server
  1946. type: object
  1947. resultType:
  1948. default: Data
  1949. description: |-
  1950. Result type defines which data is returned from the generator.
  1951. By default it is the "data" section of the Vault API response.
  1952. When using e.g. /auth/token/create the "data" section is empty but
  1953. the "auth" section contains the generated token.
  1954. Please refer to the vault docs regarding the result data structure.
  1955. Additionally, accessing the raw response is possibly by using "Raw" result type.
  1956. enum:
  1957. - Data
  1958. - Auth
  1959. - Raw
  1960. type: string
  1961. retrySettings:
  1962. description: Used to configure http retries if failed
  1963. properties:
  1964. maxRetries:
  1965. format: int32
  1966. type: integer
  1967. retryInterval:
  1968. type: string
  1969. type: object
  1970. required:
  1971. - path
  1972. - provider
  1973. type: object
  1974. webhookSpec:
  1975. description: WebhookSpec controls the behavior of the external
  1976. generator. Any body parameters should be passed to the server
  1977. through the parameters field.
  1978. properties:
  1979. auth:
  1980. description: Auth specifies a authorization protocol. Only
  1981. one protocol may be set.
  1982. maxProperties: 1
  1983. minProperties: 1
  1984. properties:
  1985. ntlm:
  1986. description: NTLMProtocol configures the store to use
  1987. NTLM for auth
  1988. properties:
  1989. passwordSecret:
  1990. description: |-
  1991. A reference to a specific 'key' within a Secret resource.
  1992. In some instances, `key` is a required field.
  1993. properties:
  1994. key:
  1995. description: |-
  1996. A key in the referenced Secret.
  1997. Some instances of this field may be defaulted, in others it may be required.
  1998. maxLength: 253
  1999. minLength: 1
  2000. pattern: ^[-._a-zA-Z0-9]+$
  2001. type: string
  2002. name:
  2003. description: The name of the Secret resource being
  2004. referred to.
  2005. maxLength: 253
  2006. minLength: 1
  2007. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2008. type: string
  2009. namespace:
  2010. description: |-
  2011. The namespace of the Secret resource being referred to.
  2012. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2013. maxLength: 63
  2014. minLength: 1
  2015. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2016. type: string
  2017. type: object
  2018. usernameSecret:
  2019. description: |-
  2020. A reference to a specific 'key' within a Secret resource.
  2021. In some instances, `key` is a required field.
  2022. properties:
  2023. key:
  2024. description: |-
  2025. A key in the referenced Secret.
  2026. Some instances of this field may be defaulted, in others it may be required.
  2027. maxLength: 253
  2028. minLength: 1
  2029. pattern: ^[-._a-zA-Z0-9]+$
  2030. type: string
  2031. name:
  2032. description: The name of the Secret resource being
  2033. referred to.
  2034. maxLength: 253
  2035. minLength: 1
  2036. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2037. type: string
  2038. namespace:
  2039. description: |-
  2040. The namespace of the Secret resource being referred to.
  2041. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2042. maxLength: 63
  2043. minLength: 1
  2044. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2045. type: string
  2046. type: object
  2047. required:
  2048. - passwordSecret
  2049. - usernameSecret
  2050. type: object
  2051. type: object
  2052. body:
  2053. description: Body
  2054. type: string
  2055. caBundle:
  2056. description: |-
  2057. PEM encoded CA bundle used to validate webhook server certificate. Only used
  2058. if the Server URL is using HTTPS protocol. This parameter is ignored for
  2059. plain HTTP protocol connection. If not set the system root certificates
  2060. are used to validate the TLS connection.
  2061. format: byte
  2062. type: string
  2063. caProvider:
  2064. description: The provider for the CA bundle to use to validate
  2065. webhook server certificate.
  2066. properties:
  2067. key:
  2068. description: The key where the CA certificate can be found
  2069. in the Secret or ConfigMap.
  2070. maxLength: 253
  2071. minLength: 1
  2072. pattern: ^[-._a-zA-Z0-9]+$
  2073. type: string
  2074. name:
  2075. description: The name of the object located at the provider
  2076. type.
  2077. maxLength: 253
  2078. minLength: 1
  2079. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2080. type: string
  2081. namespace:
  2082. description: The namespace the Provider type is in.
  2083. maxLength: 63
  2084. minLength: 1
  2085. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2086. type: string
  2087. type:
  2088. description: The type of provider to use such as "Secret",
  2089. or "ConfigMap".
  2090. enum:
  2091. - Secret
  2092. - ConfigMap
  2093. type: string
  2094. required:
  2095. - name
  2096. - type
  2097. type: object
  2098. headers:
  2099. additionalProperties:
  2100. type: string
  2101. description: Headers
  2102. type: object
  2103. method:
  2104. description: Webhook Method
  2105. type: string
  2106. result:
  2107. description: Result formatting
  2108. properties:
  2109. jsonPath:
  2110. description: Json path of return value
  2111. type: string
  2112. type: object
  2113. secrets:
  2114. description: |-
  2115. Secrets to fill in templates
  2116. These secrets will be passed to the templating function as key value pairs under the given name
  2117. items:
  2118. properties:
  2119. name:
  2120. description: Name of this secret in templates
  2121. type: string
  2122. secretRef:
  2123. description: Secret ref to fill in credentials
  2124. properties:
  2125. key:
  2126. description: The key where the token is found.
  2127. maxLength: 253
  2128. minLength: 1
  2129. pattern: ^[-._a-zA-Z0-9]+$
  2130. type: string
  2131. name:
  2132. description: The name of the Secret resource being
  2133. referred to.
  2134. maxLength: 253
  2135. minLength: 1
  2136. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2137. type: string
  2138. type: object
  2139. required:
  2140. - name
  2141. - secretRef
  2142. type: object
  2143. type: array
  2144. timeout:
  2145. description: Timeout
  2146. type: string
  2147. url:
  2148. description: Webhook url to call
  2149. type: string
  2150. required:
  2151. - result
  2152. - url
  2153. type: object
  2154. type: object
  2155. kind:
  2156. description: Kind the kind of this generator.
  2157. enum:
  2158. - ACRAccessToken
  2159. - CloudsmithAccessToken
  2160. - ECRAuthorizationToken
  2161. - Fake
  2162. - GCRAccessToken
  2163. - GithubAccessToken
  2164. - QuayAccessToken
  2165. - Password
  2166. - SSHKey
  2167. - STSSessionToken
  2168. - UUID
  2169. - VaultDynamicSecret
  2170. - Webhook
  2171. - Grafana
  2172. type: string
  2173. required:
  2174. - generator
  2175. - kind
  2176. type: object
  2177. type: object
  2178. served: true
  2179. storage: true
  2180. subresources:
  2181. status: {}