
  1. apiVersion: apiextensions.k8s.io/v1
  2. kind: CustomResourceDefinition
  3. metadata:
  4. annotations:
  5. controller-gen.kubebuilder.io/version: v0.19.0
  6. labels:
  7. external-secrets.io/component: controller
  8. name: pushsecrets.external-secrets.io
  9. spec:
  10. group: external-secrets.io
  11. names:
  12. categories:
  13. - external-secrets
  14. kind: PushSecret
  15. listKind: PushSecretList
  16. plural: pushsecrets
  17. shortNames:
  18. - ps
  19. singular: pushsecret
  20. scope: Namespaced
  21. versions:
  22. - additionalPrinterColumns:
  23. - jsonPath: .metadata.creationTimestamp
  24. name: AGE
  25. type: date
  26. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  27. name: Status
  28. type: string
  29. - jsonPath: .status.refreshTime
  30. name: Last Sync
  31. type: date
  32. name: v1alpha1
  33. schema:
  34. openAPIV3Schema:
  35. description: PushSecret is the Schema for the PushSecrets API that enables
  36. pushing Kubernetes secrets to external secret providers.
  37. properties:
  38. apiVersion:
  39. description: |-
  40. APIVersion defines the versioned schema of this representation of an object.
  41. Servers should convert recognized schemas to the latest internal value, and
  42. may reject unrecognized values.
  43. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  44. type: string
  45. kind:
  46. description: |-
  47. Kind is a string value representing the REST resource this object represents.
  48. Servers may infer this from the endpoint the client submits requests to.
  49. Cannot be updated.
  50. In CamelCase.
  51. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  52. type: string
  53. metadata:
  54. type: object
  55. spec:
  56. description: PushSecretSpec configures the behavior of the PushSecret.
  57. properties:
  58. data:
  59. description: Secret Data that should be pushed to providers
  60. items:
  61. description: PushSecretData defines data to be pushed to the provider
  62. and associated metadata.
  63. properties:
  64. conversionStrategy:
  65. default: None
  66. description: Used to define a conversion Strategy for the secret
  67. keys
  68. enum:
  69. - None
  70. - ReverseUnicode
  71. type: string
  72. match:
  73. description: Match a given Secret Key to be pushed to the provider.
  74. properties:
  75. remoteRef:
  76. description: Remote Refs to push to providers.
  77. properties:
  78. property:
  79. description: Name of the property in the resulting secret
  80. type: string
  81. remoteKey:
  82. description: Name of the resulting provider secret.
  83. type: string
  84. required:
  85. - remoteKey
  86. type: object
  87. secretKey:
  88. description: Secret Key to be pushed
  89. type: string
  90. required:
  91. - remoteRef
  92. type: object
  93. metadata:
  94. description: |-
  95. Metadata is metadata attached to the secret.
  96. The structure of metadata is provider specific, please look it up in the provider documentation.
  97. x-kubernetes-preserve-unknown-fields: true
  98. required:
  99. - match
  100. type: object
  101. type: array
  102. dataTo:
  103. description: DataTo defines bulk push rules that expand source Secret
  104. keys into provider entries.
  105. items:
  106. description: PushSecretDataTo defines how to bulk-push secrets to
  107. providers without explicit per-key mappings.
  108. properties:
  109. conversionStrategy:
  110. default: None
  111. description: Used to define a conversion Strategy for the secret
  112. keys
  113. enum:
  114. - None
  115. - ReverseUnicode
  116. type: string
  117. match:
  118. description: |-
  119. Match pattern for selecting keys from the source Secret.
  120. If not specified, all keys are selected.
  121. properties:
  122. regexp:
  123. description: |-
  124. Regexp matches keys by regular expression.
  125. If not specified, all keys are matched.
  126. type: string
  127. type: object
  128. metadata:
  129. description: |-
  130. Metadata is metadata attached to the secret.
  131. The structure of metadata is provider specific, please look it up in the provider documentation.
  132. x-kubernetes-preserve-unknown-fields: true
  133. remoteKey:
  134. description: |-
  135. RemoteKey is the name of the single provider secret that will receive ALL
  136. matched keys bundled as a JSON object (e.g. {"DB_HOST":"...","DB_USER":"..."}).
  137. When set, per-key expansion is skipped and a single push is performed.
  138. The provider's store prefix (if any) is still prepended to this value.
  139. When not set, each matched key is pushed as its own individual provider secret.
  140. type: string
  141. rewrite:
  142. description: |-
  143. Rewrite operations to transform keys before pushing to the provider.
  144. Operations are applied sequentially.
  145. items:
  146. description: PushSecretRewrite defines how to transform secret
  147. keys before pushing.
  148. properties:
  149. regexp:
  150. description: Used to rewrite with regular expressions.
  151. properties:
  152. source:
  153. description: Used to define the regular expression
  154. of a re.Compiler.
  155. type: string
  156. target:
  157. description: Used to define the target pattern of
  158. a ReplaceAll operation.
  159. type: string
  160. required:
  161. - source
  162. - target
  163. type: object
  164. transform:
  165. description: Used to apply string transformation on the
  166. secrets.
  167. properties:
  168. template:
  169. description: |-
  170. Used to define the template to apply on the secret name.
  171. `.value ` will specify the secret name in the template.
  172. type: string
  173. required:
  174. - template
  175. type: object
  176. type: object
  177. x-kubernetes-validations:
  178. - message: exactly one of regexp or transform must be set
  179. rule: (has(self.regexp) && !has(self.transform)) || (!has(self.regexp)
  180. && has(self.transform))
  181. type: array
  182. storeRef:
  183. description: StoreRef specifies which SecretStore to push to.
  184. Required.
  185. properties:
  186. apiVersion:
  187. description: |-
  188. APIVersion of the referenced store resource.
  189. This field is optional and depends on the selected store kind.
  190. type: string
  191. kind:
  192. description: Kind of the SecretStore resource (SecretStore,
  193. ClusterSecretStore, ProviderStore, or ClusterProviderStore)
  194. enum:
  195. - SecretStore
  196. - ClusterSecretStore
  197. - ProviderStore
  198. - ClusterProviderStore
  199. type: string
  200. labelSelector:
  201. description: Optionally, sync to secret stores with label
  202. selector
  203. properties:
  204. matchExpressions:
  205. description: matchExpressions is a list of label selector
  206. requirements. The requirements are ANDed.
  207. items:
  208. description: |-
  209. A label selector requirement is a selector that contains values, a key, and an operator that
  210. relates the key and values.
  211. properties:
  212. key:
  213. description: key is the label key that the selector
  214. applies to.
  215. type: string
  216. operator:
  217. description: |-
  218. operator represents a key's relationship to a set of values.
  219. Valid operators are In, NotIn, Exists and DoesNotExist.
  220. type: string
  221. values:
  222. description: |-
  223. values is an array of string values. If the operator is In or NotIn,
  224. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  225. the values array must be empty. This array is replaced during a strategic
  226. merge patch.
  227. items:
  228. type: string
  229. type: array
  230. x-kubernetes-list-type: atomic
  231. required:
  232. - key
  233. - operator
  234. type: object
  235. type: array
  236. x-kubernetes-list-type: atomic
  237. matchLabels:
  238. additionalProperties:
  239. type: string
  240. description: |-
  241. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  242. map is equivalent to an element of matchExpressions, whose key field is "key", the
  243. operator is "In", and the values array contains only "value". The requirements are ANDed.
  244. type: object
  245. type: object
  246. x-kubernetes-map-type: atomic
  247. name:
  248. description: Optionally, sync to the SecretStore of the
  249. given name
  250. maxLength: 253
  251. minLength: 1
  252. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  253. type: string
  254. type: object
  255. type: object
  256. x-kubernetes-validations:
  257. - message: storeRef must specify either name or labelSelector
  258. rule: has(self.storeRef) && (has(self.storeRef.name) || has(self.storeRef.labelSelector))
  259. - message: 'remoteKey and rewrite are mutually exclusive: rewrite
  260. is only supported in per-key mode (without remoteKey)'
  261. rule: '!has(self.remoteKey) || !has(self.rewrite) || size(self.rewrite)
  262. == 0'
  263. type: array
  264. deletionPolicy:
  265. default: None
  266. description: Deletion Policy to handle Secrets in the provider.
  267. enum:
  268. - Delete
  269. - None
  270. type: string
  271. refreshInterval:
  272. default: 1h0m0s
  273. description: The Interval to which External Secrets will try to push
  274. a secret definition
  275. type: string
  276. secretStoreRefs:
  277. items:
  278. description: PushSecretStoreRef contains a reference on how to sync
  279. to a SecretStore.
  280. properties:
  281. apiVersion:
  282. description: |-
  283. APIVersion of the referenced store resource.
  284. This field is optional and depends on the selected store kind.
  285. type: string
  286. kind:
  287. description: Kind of the SecretStore resource (SecretStore,
  288. ClusterSecretStore, ProviderStore, or ClusterProviderStore)
  289. enum:
  290. - SecretStore
  291. - ClusterSecretStore
  292. - ProviderStore
  293. - ClusterProviderStore
  294. type: string
  295. labelSelector:
  296. description: Optionally, sync to secret stores with label selector
  297. properties:
  298. matchExpressions:
  299. description: matchExpressions is a list of label selector
  300. requirements. The requirements are ANDed.
  301. items:
  302. description: |-
  303. A label selector requirement is a selector that contains values, a key, and an operator that
  304. relates the key and values.
  305. properties:
  306. key:
  307. description: key is the label key that the selector
  308. applies to.
  309. type: string
  310. operator:
  311. description: |-
  312. operator represents a key's relationship to a set of values.
  313. Valid operators are In, NotIn, Exists and DoesNotExist.
  314. type: string
  315. values:
  316. description: |-
  317. values is an array of string values. If the operator is In or NotIn,
  318. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  319. the values array must be empty. This array is replaced during a strategic
  320. merge patch.
  321. items:
  322. type: string
  323. type: array
  324. x-kubernetes-list-type: atomic
  325. required:
  326. - key
  327. - operator
  328. type: object
  329. type: array
  330. x-kubernetes-list-type: atomic
  331. matchLabels:
  332. additionalProperties:
  333. type: string
  334. description: |-
  335. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  336. map is equivalent to an element of matchExpressions, whose key field is "key", the
  337. operator is "In", and the values array contains only "value". The requirements are ANDed.
  338. type: object
  339. type: object
  340. x-kubernetes-map-type: atomic
  341. name:
  342. description: Optionally, sync to the SecretStore of the given
  343. name
  344. maxLength: 253
  345. minLength: 1
  346. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  347. type: string
  348. type: object
  349. type: array
  350. selector:
  351. description: The Secret Selector (k8s source) for the Push Secret
  352. maxProperties: 1
  353. minProperties: 1
  354. properties:
  355. generatorRef:
  356. description: Point to a generator to create a Secret.
  357. properties:
  358. apiVersion:
  359. default: generators.external-secrets.io/v1alpha1
  360. description: Specify the apiVersion of the generator resource
  361. type: string
  362. kind:
  363. description: Specify the Kind of the generator resource
  364. enum:
  365. - ACRAccessToken
  366. - ClusterGenerator
  367. - CloudsmithAccessToken
  368. - ECRAuthorizationToken
  369. - Fake
  370. - GCRAccessToken
  371. - GithubAccessToken
  372. - QuayAccessToken
  373. - Password
  374. - SSHKey
  375. - STSSessionToken
  376. - UUID
  377. - VaultDynamicSecret
  378. - Webhook
  379. - Grafana
  380. - MFA
  381. type: string
  382. name:
  383. description: Specify the name of the generator resource
  384. maxLength: 253
  385. minLength: 1
  386. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  387. type: string
  388. required:
  389. - kind
  390. - name
  391. type: object
  392. secret:
  393. description: Select a Secret to Push.
  394. properties:
  395. name:
  396. description: |-
  397. Name of the Secret.
  398. The Secret must exist in the same namespace as the PushSecret manifest.
  399. maxLength: 253
  400. minLength: 1
  401. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  402. type: string
  403. selector:
  404. description: Selector chooses secrets using a labelSelector.
  405. properties:
  406. matchExpressions:
  407. description: matchExpressions is a list of label selector
  408. requirements. The requirements are ANDed.
  409. items:
  410. description: |-
  411. A label selector requirement is a selector that contains values, a key, and an operator that
  412. relates the key and values.
  413. properties:
  414. key:
  415. description: key is the label key that the selector
  416. applies to.
  417. type: string
  418. operator:
  419. description: |-
  420. operator represents a key's relationship to a set of values.
  421. Valid operators are In, NotIn, Exists and DoesNotExist.
  422. type: string
  423. values:
  424. description: |-
  425. values is an array of string values. If the operator is In or NotIn,
  426. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  427. the values array must be empty. This array is replaced during a strategic
  428. merge patch.
  429. items:
  430. type: string
  431. type: array
  432. x-kubernetes-list-type: atomic
  433. required:
  434. - key
  435. - operator
  436. type: object
  437. type: array
  438. x-kubernetes-list-type: atomic
  439. matchLabels:
  440. additionalProperties:
  441. type: string
  442. description: |-
  443. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  444. map is equivalent to an element of matchExpressions, whose key field is "key", the
  445. operator is "In", and the values array contains only "value". The requirements are ANDed.
  446. type: object
  447. type: object
  448. x-kubernetes-map-type: atomic
  449. type: object
  450. type: object
  451. template:
  452. description: Template defines a blueprint for the created Secret resource.
  453. properties:
  454. data:
  455. additionalProperties:
  456. type: string
  457. type: object
  458. engineVersion:
  459. default: v2
  460. description: |-
  461. EngineVersion specifies the template engine version
  462. that should be used to compile/execute the
  463. template specified in .data and .templateFrom[].
  464. enum:
  465. - v2
  466. type: string
  467. mergePolicy:
  468. default: Replace
  469. description: TemplateMergePolicy defines how the rendered template
  470. should be merged with the existing Secret data.
  471. enum:
  472. - Replace
  473. - Merge
  474. type: string
  475. metadata:
  476. description: ExternalSecretTemplateMetadata defines metadata fields
  477. for the Secret blueprint.
  478. properties:
  479. annotations:
  480. additionalProperties:
  481. type: string
  482. type: object
  483. finalizers:
  484. items:
  485. type: string
  486. type: array
  487. labels:
  488. additionalProperties:
  489. type: string
  490. type: object
  491. type: object
  492. templateFrom:
  493. items:
  494. description: |-
  495. TemplateFrom specifies a source for templates.
  496. Each item in the list can either reference a ConfigMap or a Secret resource.
  497. properties:
  498. configMap:
  499. description: TemplateRef specifies a reference to either
  500. a ConfigMap or a Secret resource.
  501. properties:
  502. items:
  503. description: A list of keys in the ConfigMap/Secret
  504. to use as templates for Secret data
  505. items:
  506. description: TemplateRefItem specifies a key in the
  507. ConfigMap/Secret to use as a template for Secret
  508. data.
  509. properties:
  510. key:
  511. description: A key in the ConfigMap/Secret
  512. maxLength: 253
  513. minLength: 1
  514. pattern: ^[-._a-zA-Z0-9]+$
  515. type: string
  516. templateAs:
  517. default: Values
  518. description: TemplateScope specifies how the template
  519. keys should be interpreted.
  520. enum:
  521. - Values
  522. - KeysAndValues
  523. type: string
  524. required:
  525. - key
  526. type: object
  527. type: array
  528. name:
  529. description: The name of the ConfigMap/Secret resource
  530. maxLength: 253
  531. minLength: 1
  532. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  533. type: string
  534. required:
  535. - items
  536. - name
  537. type: object
  538. literal:
  539. type: string
  540. secret:
  541. description: TemplateRef specifies a reference to either
  542. a ConfigMap or a Secret resource.
  543. properties:
  544. items:
  545. description: A list of keys in the ConfigMap/Secret
  546. to use as templates for Secret data
  547. items:
  548. description: TemplateRefItem specifies a key in the
  549. ConfigMap/Secret to use as a template for Secret
  550. data.
  551. properties:
  552. key:
  553. description: A key in the ConfigMap/Secret
  554. maxLength: 253
  555. minLength: 1
  556. pattern: ^[-._a-zA-Z0-9]+$
  557. type: string
  558. templateAs:
  559. default: Values
  560. description: TemplateScope specifies how the template
  561. keys should be interpreted.
  562. enum:
  563. - Values
  564. - KeysAndValues
  565. type: string
  566. required:
  567. - key
  568. type: object
  569. type: array
  570. name:
  571. description: The name of the ConfigMap/Secret resource
  572. maxLength: 253
  573. minLength: 1
  574. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  575. type: string
  576. required:
  577. - items
  578. - name
  579. type: object
  580. target:
  581. default: Data
  582. description: |-
  583. Target specifies where to place the template result.
  584. For Secret resources, common values are: "Data", "Annotations", "Labels".
  585. For custom resources (when spec.target.manifest is set), this supports
  586. nested paths like "spec.database.config" or "data".
  587. type: string
  588. type: object
  589. type: array
  590. type:
  591. type: string
  592. type: object
  593. updatePolicy:
  594. default: Replace
  595. description: UpdatePolicy to handle Secrets in the provider.
  596. enum:
  597. - Replace
  598. - IfNotExists
  599. type: string
  600. required:
  601. - secretStoreRefs
  602. - selector
  603. type: object
  604. status:
  605. description: PushSecretStatus indicates the history of the status of PushSecret.
  606. properties:
  607. conditions:
  608. items:
  609. description: PushSecretStatusCondition indicates the status of the
  610. PushSecret.
  611. properties:
  612. lastTransitionTime:
  613. format: date-time
  614. type: string
  615. message:
  616. type: string
  617. reason:
  618. type: string
  619. status:
  620. type: string
  621. type:
  622. description: PushSecretConditionType indicates the condition
  623. of the PushSecret.
  624. type: string
  625. required:
  626. - status
  627. - type
  628. type: object
  629. type: array
  630. refreshTime:
  631. description: |-
  632. refreshTime is the time and date the external secret was fetched and
  633. the target secret updated
  634. format: date-time
  635. nullable: true
  636. type: string
  637. syncedPushSecrets:
  638. additionalProperties:
  639. additionalProperties:
  640. description: PushSecretData defines data to be pushed to the provider
  641. and associated metadata.
  642. properties:
  643. conversionStrategy:
  644. default: None
  645. description: Used to define a conversion Strategy for the
  646. secret keys
  647. enum:
  648. - None
  649. - ReverseUnicode
  650. type: string
  651. match:
  652. description: Match a given Secret Key to be pushed to the
  653. provider.
  654. properties:
  655. remoteRef:
  656. description: Remote Refs to push to providers.
  657. properties:
  658. property:
  659. description: Name of the property in the resulting
  660. secret
  661. type: string
  662. remoteKey:
  663. description: Name of the resulting provider secret.
  664. type: string
  665. required:
  666. - remoteKey
  667. type: object
  668. secretKey:
  669. description: Secret Key to be pushed
  670. type: string
  671. required:
  672. - remoteRef
  673. type: object
  674. metadata:
  675. description: |-
  676. Metadata is metadata attached to the secret.
  677. The structure of metadata is provider specific, please look it up in the provider documentation.
  678. x-kubernetes-preserve-unknown-fields: true
  679. required:
  680. - match
  681. type: object
  682. type: object
  683. description: |-
  684. Synced PushSecrets, including secrets that already exist in provider.
  685. Matches secret stores to PushSecretData that was stored to that secret store.
  686. type: object
  687. syncedResourceVersion:
  688. description: SyncedResourceVersion keeps track of the last synced
  689. version.
  690. type: string
  691. type: object
  692. type: object
  693. served: true
  694. storage: true
  695. subresources:
  696. status: {}