From ce15ed5779815b89391c9da47f6d1421b64acdeb Mon Sep 17 00:00:00 2001 From: Willi Carlsen Date: Thu, 11 Jun 2026 08:07:47 +0200 Subject: [PATCH] Fix bug where CustomResourceDefinitions where generated too as part of manifests Signed-off-by: Willi Carlsen --- apps/external-secrets/Makefile | 3 +- ...ccesstokens.generators.external-secrets.io | 210 - ...ccesstokens.generators.external-secrets.io | 94 - ...clusterexternalsecrets.external-secrets.io | 1540 --- ...rgenerators.generators.external-secrets.io | 2102 ---- ...ion-clusterpushsecrets.external-secrets.io | 540 - ...on-clustersecretstores.external-secrets.io | 9494 ----------------- ...ationtokens.generators.external-secrets.io | 196 - ...nition-externalsecrets.external-secrets.io | 1306 --- ...ition-fakes.generators.external-secrets.io | 67 - ...ccesstokens.generators.external-secrets.io | 250 - ...ratorstates.generators.external-secrets.io | 109 - ...ccesstokens.generators.external-secrets.io | 116 - ...on-grafanas.generators.external-secrets.io | 134 - ...nition-mfas.generators.external-secrets.io | 94 - ...n-passwords.generators.external-secrets.io | 106 - ...Definition-pushsecrets.external-secrets.io | 497 - ...ccesstokens.generators.external-secrets.io | 90 - ...efinition-secretstores.external-secrets.io | 9494 ----------------- ...ion-sshkeys.generators.external-secrets.io | 71 - ...ssiontokens.generators.external-secrets.io | 207 - ...ition-uuids.generators.external-secrets.io | 52 - ...amicsecrets.generators.external-secrets.io | 875 -- ...on-webhooks.generators.external-secrets.io | 223 - 24 files changed, 2 insertions(+), 27868 deletions(-) delete mode 100644 apps/external-secrets/manifests/CustomResourceDefinition-acraccesstokens.generators.external-secrets.io delete mode 100644 apps/external-secrets/manifests/CustomResourceDefinition-cloudsmithaccesstokens.generators.external-secrets.io delete mode 100644 apps/external-secrets/manifests/CustomResourceDefinition-clusterexternalsecrets.external-secrets.io delete mode 100644 apps/external-secrets/manifests/CustomResourceDefinition-clustergenerators.generators.external-secrets.io delete mode 100644 apps/external-secrets/manifests/CustomResourceDefinition-clusterpushsecrets.external-secrets.io delete mode 100644 apps/external-secrets/manifests/CustomResourceDefinition-clustersecretstores.external-secrets.io delete mode 100644 apps/external-secrets/manifests/CustomResourceDefinition-ecrauthorizationtokens.generators.external-secrets.io delete mode 100644 apps/external-secrets/manifests/CustomResourceDefinition-externalsecrets.external-secrets.io delete mode 100644 apps/external-secrets/manifests/CustomResourceDefinition-fakes.generators.external-secrets.io delete mode 100644 apps/external-secrets/manifests/CustomResourceDefinition-gcraccesstokens.generators.external-secrets.io delete mode 100644 apps/external-secrets/manifests/CustomResourceDefinition-generatorstates.generators.external-secrets.io delete mode 100644 apps/external-secrets/manifests/CustomResourceDefinition-githubaccesstokens.generators.external-secrets.io delete mode 100644 apps/external-secrets/manifests/CustomResourceDefinition-grafanas.generators.external-secrets.io delete mode 100644 apps/external-secrets/manifests/CustomResourceDefinition-mfas.generators.external-secrets.io delete mode 100644 apps/external-secrets/manifests/CustomResourceDefinition-passwords.generators.external-secrets.io delete mode 100644 apps/external-secrets/manifests/CustomResourceDefinition-pushsecrets.external-secrets.io delete mode 100644 apps/external-secrets/manifests/CustomResourceDefinition-quayaccesstokens.generators.external-secrets.io delete mode 100644 apps/external-secrets/manifests/CustomResourceDefinition-secretstores.external-secrets.io delete mode 100644 apps/external-secrets/manifests/CustomResourceDefinition-sshkeys.generators.external-secrets.io delete mode 100644 apps/external-secrets/manifests/CustomResourceDefinition-stssessiontokens.generators.external-secrets.io delete mode 100644 apps/external-secrets/manifests/CustomResourceDefinition-uuids.generators.external-secrets.io delete mode 100644 apps/external-secrets/manifests/CustomResourceDefinition-vaultdynamicsecrets.generators.external-secrets.io delete mode 100644 apps/external-secrets/manifests/CustomResourceDefinition-webhooks.generators.external-secrets.io diff --git a/apps/external-secrets/Makefile b/apps/external-secrets/Makefile index bd088009..be80a5a1 100644 --- a/apps/external-secrets/Makefile +++ b/apps/external-secrets/Makefile @@ -24,5 +24,6 @@ manifests: $(release) $(source) mkdir -p manifests rm -rf manifests/* helm template $(name) $(chart) --repo $(url) --version $(version) --namespace $(namespace) --skip-crds -f <(echo "$$($(values))") | grep -vE "helm.sh/chart|app.kubernetes.io/version" | yq -s '"manifests/" + .kind + "-" + .metadata.name' + rm -rf manifests/CustomResourceDefinition-* -.PHONY: all manifests \ No newline at end of file +.PHONY: all manifests diff --git a/apps/external-secrets/manifests/CustomResourceDefinition-acraccesstokens.generators.external-secrets.io b/apps/external-secrets/manifests/CustomResourceDefinition-acraccesstokens.generators.external-secrets.io deleted file mode 100644 index f7c018d4..00000000 --- a/apps/external-secrets/manifests/CustomResourceDefinition-acraccesstokens.generators.external-secrets.io +++ /dev/null @@ -1,210 +0,0 @@ ---- -# Source: external-secrets/templates/crds/acraccesstoken.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - labels: - external-secrets.io/component: controller - name: acraccesstokens.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - external-secrets - - external-secrets-generators - kind: ACRAccessToken - listKind: ACRAccessTokenList - plural: acraccesstokens - singular: acraccesstoken - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - ACRAccessToken returns an Azure Container Registry token - that can be used for pushing/pulling images. - Note: by default it will return an ACR Refresh Token with full access - (depending on the identity). - This can be scoped down to the repository level using .spec.scope. - In case scope is defined it will return an ACR Access Token. - - See docs: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: |- - ACRAccessTokenSpec defines how to generate the access token - e.g. how to authenticate and which registry to use. - see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview - properties: - auth: - description: ACRAuth defines the authentication methods for Azure Container Registry. - properties: - managedIdentity: - description: ManagedIdentity uses Azure Managed Identity to authenticate with Azure. - properties: - identityId: - description: If multiple Managed Identity is assigned to the pod, you can select the one to be used - type: string - type: object - servicePrincipal: - description: ServicePrincipal uses Azure Service Principal credentials to authenticate with Azure. - properties: - secretRef: - description: |- - AzureACRServicePrincipalAuthSecretRef defines the secret references for Azure Service Principal authentication. - It uses static credentials stored in a Kind=Secret. - properties: - clientId: - description: The Azure clientId of the service principle used for authentication. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - clientSecret: - description: The Azure ClientSecret of the service principle used for authentication. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - required: - - secretRef - type: object - workloadIdentity: - description: WorkloadIdentity uses Azure Workload Identity to authenticate with Azure. - properties: - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - type: object - type: object - environmentType: - default: PublicCloud - description: |- - EnvironmentType specifies the Azure cloud environment endpoints to use for - connecting and authenticating with Azure. By default, it points to the public cloud AAD endpoint. - The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 - PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud - enum: - - PublicCloud - - USGovernmentCloud - - ChinaCloud - - GermanCloud - - AzureStackCloud - type: string - registry: - description: |- - the domain name of the ACR registry - e.g. foobarexample.azurecr.io - type: string - scope: - description: |- - Define the scope for the access token, e.g. pull/push access for a repository. - if not provided it will return a refresh token that has full scope. - Note: you need to pin it down to the repository level, there is no wildcard available. - - examples: - repository:my-repository:pull,push - repository:my-repository:pull - - see docs for details: https://docs.docker.com/registry/spec/auth/scope/ - type: string - tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. - type: string - required: - - auth - - registry - type: object - type: object - served: true - storage: true - subresources: - status: {} diff --git a/apps/external-secrets/manifests/CustomResourceDefinition-cloudsmithaccesstokens.generators.external-secrets.io b/apps/external-secrets/manifests/CustomResourceDefinition-cloudsmithaccesstokens.generators.external-secrets.io deleted file mode 100644 index c30fbd6c..00000000 --- a/apps/external-secrets/manifests/CustomResourceDefinition-cloudsmithaccesstokens.generators.external-secrets.io +++ /dev/null @@ -1,94 +0,0 @@ ---- -# Source: external-secrets/templates/crds/cloudsmithaccesstoken.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - labels: - external-secrets.io/component: controller - name: cloudsmithaccesstokens.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - external-secrets - - external-secrets-generators - kind: CloudsmithAccessToken - listKind: CloudsmithAccessTokenList - plural: cloudsmithaccesstokens - singular: cloudsmithaccesstoken - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: CloudsmithAccessToken generates Cloudsmith access token using OIDC authentication - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: CloudsmithAccessTokenSpec defines the configuration for generating a Cloudsmith access token using OIDC authentication. - properties: - apiUrl: - description: APIURL configures the Cloudsmith API URL. Defaults to https://api.cloudsmith.io. - type: string - orgSlug: - description: OrgSlug is the organization slug in Cloudsmith - type: string - serviceAccountRef: - description: Name of the service account you are federating with - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - serviceSlug: - description: ServiceSlug is the service slug in Cloudsmith for OIDC authentication - type: string - required: - - orgSlug - - serviceAccountRef - - serviceSlug - type: object - type: object - served: true - storage: true - subresources: - status: {} diff --git a/apps/external-secrets/manifests/CustomResourceDefinition-clusterexternalsecrets.external-secrets.io b/apps/external-secrets/manifests/CustomResourceDefinition-clusterexternalsecrets.external-secrets.io deleted file mode 100644 index ce7a2b01..00000000 --- a/apps/external-secrets/manifests/CustomResourceDefinition-clusterexternalsecrets.external-secrets.io +++ /dev/null @@ -1,1540 +0,0 @@ ---- -# Source: external-secrets/templates/crds/clusterexternalsecret.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - labels: - external-secrets.io/component: controller - name: clusterexternalsecrets.external-secrets.io -spec: - group: external-secrets.io - names: - categories: - - external-secrets - kind: ClusterExternalSecret - listKind: ClusterExternalSecretList - plural: clusterexternalsecrets - shortNames: - - ces - singular: clusterexternalsecret - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .spec.externalSecretSpec.secretStoreRef.name - name: Store - type: string - - jsonPath: .spec.refreshTime - name: Refresh Interval - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - name: v1 - schema: - openAPIV3Schema: - description: ClusterExternalSecret is the Schema for the clusterexternalsecrets API. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: ClusterExternalSecretSpec defines the desired state of ClusterExternalSecret. - properties: - externalSecretMetadata: - description: The metadata of the external secrets to be created - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - externalSecretName: - description: |- - The name of the external secrets to be created. - Defaults to the name of the ClusterExternalSecret - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - externalSecretSpec: - description: The spec for the ExternalSecrets to be created - properties: - data: - description: Data defines the connection between the Kubernetes Secret keys and the Provider data - items: - description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data. - properties: - remoteRef: - description: |- - RemoteRef points to the remote secret and defines - which secret (version/property/..) to fetch. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - enum: - - Auto - - Base64 - - Base64URL - - None - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - metadataPolicy: - default: None - description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None - enum: - - None - - Fetch - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - secretKey: - description: The key in the Kubernetes Secret to store the value. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - sourceRef: - description: |- - SourceRef allows you to override the source - from which the value will be pulled. - maxProperties: 1 - minProperties: 1 - properties: - generatorRef: - description: |- - GeneratorRef points to a generator custom resource. - - Deprecated: The generatorRef is not implemented in .data[]. - this will be removed with v1. - properties: - apiVersion: - default: generators.external-secrets.io/v1alpha1 - description: Specify the apiVersion of the generator resource - type: string - kind: - description: Specify the Kind of the generator resource - enum: - - ACRAccessToken - - ClusterGenerator - - CloudsmithAccessToken - - ECRAuthorizationToken - - Fake - - GCRAccessToken - - GithubAccessToken - - QuayAccessToken - - Password - - SSHKey - - STSSessionToken - - UUID - - VaultDynamicSecret - - Webhook - - Grafana - - MFA - type: string - name: - description: Specify the name of the generator resource - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - required: - - kind - - name - type: object - storeRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - enum: - - SecretStore - - ClusterSecretStore - type: string - name: - description: Name of the SecretStore resource - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - type: object - type: object - required: - - remoteRef - - secretKey - type: object - type: array - dataFrom: - description: |- - DataFrom is used to fetch all properties from a specific Provider data - If multiple entries are specified, the Secret keys are merged in the specified order - items: - description: |- - ExternalSecretDataFromRemoteRef defines the connection between the Kubernetes Secret keys and the Provider data - when using DataFrom to fetch multiple values from a Provider. - properties: - extract: - description: |- - Used to extract multiple key/value pairs from one secret - Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - enum: - - Auto - - Base64 - - Base64URL - - None - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - metadataPolicy: - default: None - description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None - enum: - - None - - Fetch - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - find: - description: |- - Used to find secrets based on tags or regular expressions - Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - enum: - - Auto - - Base64 - - Base64URL - - None - type: string - name: - description: Finds secrets based on the name. - properties: - regexp: - description: Finds secrets base - type: string - type: object - path: - description: A root path to start the find operations. - type: string - tags: - additionalProperties: - type: string - description: Find secrets based on tags. - type: object - type: object - rewrite: - description: |- - Used to rewrite secret Keys after getting them from the secret Provider - Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) - items: - description: ExternalSecretRewrite defines how to rewrite secret data values before they are written to the Secret. - maxProperties: 1 - minProperties: 1 - properties: - merge: - description: |- - Used to merge key/values in one single Secret - The resulting key will contain all values from the specified secrets - properties: - conflictPolicy: - default: Error - description: Used to define the policy to use in conflict resolution. - enum: - - Ignore - - Error - type: string - into: - default: "" - description: |- - Used to define the target key of the merge operation. - Required if strategy is JSON. Ignored otherwise. - type: string - priority: - description: Used to define key priority in conflict resolution. - items: - type: string - type: array - priorityPolicy: - default: Strict - description: Used to define the policy when a key in the priority list does not exist in the input. - enum: - - IgnoreNotFound - - Strict - type: string - strategy: - default: Extract - description: Used to define the strategy to use in the merge operation. - enum: - - Extract - - JSON - type: string - type: object - regexp: - description: |- - Used to rewrite with regular expressions. - The resulting key will be the output of a regexp.ReplaceAll operation. - properties: - source: - description: Used to define the regular expression of a re.Compiler. - type: string - target: - description: Used to define the target pattern of a ReplaceAll operation. - type: string - required: - - source - - target - type: object - transform: - description: |- - Used to apply string transformation on the secrets. - The resulting key will be the output of the template applied by the operation. - properties: - template: - description: |- - Used to define the template to apply on the secret name. - `.value ` will specify the secret name in the template. - type: string - required: - - template - type: object - type: object - type: array - sourceRef: - description: |- - SourceRef points to a store or generator - which contains secret values ready to use. - Use this in combination with Extract or Find pull values out of - a specific SecretStore. - When sourceRef points to a generator Extract or Find is not supported. - The generator returns a static map of values - maxProperties: 1 - minProperties: 1 - properties: - generatorRef: - description: GeneratorRef points to a generator custom resource. - properties: - apiVersion: - default: generators.external-secrets.io/v1alpha1 - description: Specify the apiVersion of the generator resource - type: string - kind: - description: Specify the Kind of the generator resource - enum: - - ACRAccessToken - - ClusterGenerator - - CloudsmithAccessToken - - ECRAuthorizationToken - - Fake - - GCRAccessToken - - GithubAccessToken - - QuayAccessToken - - Password - - SSHKey - - STSSessionToken - - UUID - - VaultDynamicSecret - - Webhook - - Grafana - - MFA - type: string - name: - description: Specify the name of the generator resource - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - required: - - kind - - name - type: object - storeRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - enum: - - SecretStore - - ClusterSecretStore - type: string - name: - description: Name of the SecretStore resource - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - type: object - type: object - type: object - type: array - refreshInterval: - default: 1h - description: |- - RefreshInterval is the amount of time before the values are read again from the SecretStore provider, - specified as Golang Duration strings. - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" - Example values: "1h", "2h30m", "10s" - May be set to zero to fetch and create it once. Defaults to 1h. - type: string - refreshPolicy: - description: |- - RefreshPolicy determines how the ExternalSecret should be refreshed: - - CreatedOnce: Creates the Secret only if it does not exist and does not update it thereafter - - Periodic: Synchronizes the Secret from the external source at regular intervals specified by refreshInterval. - No periodic updates occur if refreshInterval is 0. - - OnChange: Only synchronizes the Secret when the ExternalSecret's metadata or specification changes - enum: - - CreatedOnce - - Periodic - - OnChange - type: string - secretStoreRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - enum: - - SecretStore - - ClusterSecretStore - type: string - name: - description: Name of the SecretStore resource - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - type: object - target: - default: - creationPolicy: Owner - deletionPolicy: Retain - description: |- - ExternalSecretTarget defines the Kubernetes Secret to be created, - there can be only one target per ExternalSecret. - properties: - creationPolicy: - default: Owner - description: |- - CreationPolicy defines rules on how to create the resulting Secret. - Defaults to "Owner" - enum: - - Owner - - Orphan - - Merge - - None - type: string - deletionPolicy: - default: Retain - description: |- - DeletionPolicy defines rules on how to delete the resulting Secret. - Defaults to "Retain" - enum: - - Delete - - Merge - - Retain - type: string - immutable: - description: Immutable defines if the final secret will be immutable - type: boolean - name: - description: |- - The name of the Secret resource to be managed. - Defaults to the .metadata.name of the ExternalSecret resource - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - template: - description: Template defines a blueprint for the created Secret resource. - properties: - data: - additionalProperties: - type: string - type: object - engineVersion: - default: v2 - description: |- - EngineVersion specifies the template engine version - that should be used to compile/execute the - template specified in .data and .templateFrom[]. - enum: - - v2 - type: string - mergePolicy: - default: Replace - description: TemplateMergePolicy defines how the rendered template should be merged with the existing Secret data. - enum: - - Replace - - Merge - type: string - metadata: - description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - type: object - templateFrom: - items: - description: |- - TemplateFrom specifies a source for templates. - Each item in the list can either reference a ConfigMap or a Secret resource. - properties: - configMap: - description: TemplateRef specifies a reference to either a ConfigMap or a Secret resource. - properties: - items: - description: A list of keys in the ConfigMap/Secret to use as templates for Secret data - items: - description: TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data. - properties: - key: - description: A key in the ConfigMap/Secret - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - templateAs: - default: Values - description: TemplateScope specifies how the template keys should be interpreted. - enum: - - Values - - KeysAndValues - type: string - required: - - key - type: object - type: array - name: - description: The name of the ConfigMap/Secret resource - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - required: - - items - - name - type: object - literal: - type: string - secret: - description: TemplateRef specifies a reference to either a ConfigMap or a Secret resource. - properties: - items: - description: A list of keys in the ConfigMap/Secret to use as templates for Secret data - items: - description: TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data. - properties: - key: - description: A key in the ConfigMap/Secret - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - templateAs: - default: Values - description: TemplateScope specifies how the template keys should be interpreted. - enum: - - Values - - KeysAndValues - type: string - required: - - key - type: object - type: array - name: - description: The name of the ConfigMap/Secret resource - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - required: - - items - - name - type: object - target: - default: Data - description: TemplateTarget specifies where the rendered templates should be applied. - enum: - - Data - - Annotations - - Labels - type: string - type: object - type: array - type: - type: string - type: object - type: object - type: object - namespaceSelector: - description: |- - The labels to select by to find the Namespaces to create the ExternalSecrets in. - Deprecated: Use NamespaceSelectors instead. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaceSelectors: - description: A list of labels to select by to find the Namespaces to create the ExternalSecrets in. The selectors are ORed. - items: - description: |- - A label selector is a label query over a set of resources. The result of matchLabels and - matchExpressions are ANDed. An empty label selector matches all objects. A null - label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: array - namespaces: - description: |- - Choose namespaces by name. This field is ORed with anything that NamespaceSelectors ends up choosing. - Deprecated: Use NamespaceSelectors instead. - items: - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: array - refreshTime: - description: The time in which the controller should reconcile its objects and recheck namespaces for labels. - type: string - required: - - externalSecretSpec - type: object - status: - description: ClusterExternalSecretStatus defines the observed state of ClusterExternalSecret. - properties: - conditions: - items: - description: ClusterExternalSecretStatusCondition defines the observed state of a ClusterExternalSecret resource. - properties: - message: - type: string - status: - type: string - type: - description: ClusterExternalSecretConditionType defines a value type for ClusterExternalSecret conditions. - type: string - required: - - status - - type - type: object - type: array - externalSecretName: - description: ExternalSecretName is the name of the ExternalSecrets created by the ClusterExternalSecret - type: string - failedNamespaces: - description: Failed namespaces are the namespaces that failed to apply an ExternalSecret - items: - description: ClusterExternalSecretNamespaceFailure represents a failed namespace deployment and it's reason. - properties: - namespace: - description: Namespace is the namespace that failed when trying to apply an ExternalSecret - type: string - reason: - description: Reason is why the ExternalSecret failed to apply to the namespace - type: string - required: - - namespace - type: object - type: array - provisionedNamespaces: - description: ProvisionedNamespaces are the namespaces where the ClusterExternalSecret has secrets - items: - type: string - type: array - type: object - type: object - served: true - storage: true - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .spec.externalSecretSpec.secretStoreRef.name - name: Store - type: string - - jsonPath: .spec.refreshTime - name: Refresh Interval - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - deprecated: true - name: v1beta1 - schema: - openAPIV3Schema: - description: ClusterExternalSecret is the schema for the clusterexternalsecrets API. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: ClusterExternalSecretSpec defines the desired state of ClusterExternalSecret. - properties: - externalSecretMetadata: - description: The metadata of the external secrets to be created - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - externalSecretName: - description: |- - The name of the external secrets to be created. - Defaults to the name of the ClusterExternalSecret - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - externalSecretSpec: - description: The spec for the ExternalSecrets to be created - properties: - data: - description: Data defines the connection between the Kubernetes Secret keys and the Provider data - items: - description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data. - properties: - remoteRef: - description: |- - RemoteRef points to the remote secret and defines - which secret (version/property/..) to fetch. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - enum: - - Auto - - Base64 - - Base64URL - - None - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - metadataPolicy: - default: None - description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None - enum: - - None - - Fetch - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - secretKey: - description: The key in the Kubernetes Secret to store the value. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - sourceRef: - description: |- - SourceRef allows you to override the source - from which the value will be pulled. - maxProperties: 1 - minProperties: 1 - properties: - generatorRef: - description: |- - GeneratorRef points to a generator custom resource. - - Deprecated: The generatorRef is not implemented in .data[]. - this will be removed with v1. - properties: - apiVersion: - default: generators.external-secrets.io/v1alpha1 - description: Specify the apiVersion of the generator resource - type: string - kind: - description: Specify the Kind of the generator resource - enum: - - ACRAccessToken - - ClusterGenerator - - ECRAuthorizationToken - - Fake - - GCRAccessToken - - GithubAccessToken - - QuayAccessToken - - Password - - SSHKey - - STSSessionToken - - UUID - - VaultDynamicSecret - - Webhook - - Grafana - type: string - name: - description: Specify the name of the generator resource - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - required: - - kind - - name - type: object - storeRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - enum: - - SecretStore - - ClusterSecretStore - type: string - name: - description: Name of the SecretStore resource - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - type: object - type: object - required: - - remoteRef - - secretKey - type: object - type: array - dataFrom: - description: |- - DataFrom is used to fetch all properties from a specific Provider data - If multiple entries are specified, the Secret keys are merged in the specified order - items: - description: ExternalSecretDataFromRemoteRef defines a reference to multiple secrets in the provider to be fetched using options. - properties: - extract: - description: |- - Used to extract multiple key/value pairs from one secret - Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - enum: - - Auto - - Base64 - - Base64URL - - None - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - metadataPolicy: - default: None - description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None - enum: - - None - - Fetch - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - find: - description: |- - Used to find secrets based on tags or regular expressions - Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - enum: - - Auto - - Base64 - - Base64URL - - None - type: string - name: - description: Finds secrets based on the name. - properties: - regexp: - description: Finds secrets base - type: string - type: object - path: - description: A root path to start the find operations. - type: string - tags: - additionalProperties: - type: string - description: Find secrets based on tags. - type: object - type: object - rewrite: - description: |- - Used to rewrite secret Keys after getting them from the secret Provider - Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) - items: - description: ExternalSecretRewrite defines rules on how to rewrite secret keys. - maxProperties: 1 - minProperties: 1 - properties: - regexp: - description: |- - Used to rewrite with regular expressions. - The resulting key will be the output of a regexp.ReplaceAll operation. - properties: - source: - description: Used to define the regular expression of a re.Compiler. - type: string - target: - description: Used to define the target pattern of a ReplaceAll operation. - type: string - required: - - source - - target - type: object - transform: - description: |- - Used to apply string transformation on the secrets. - The resulting key will be the output of the template applied by the operation. - properties: - template: - description: |- - Used to define the template to apply on the secret name. - `.value ` will specify the secret name in the template. - type: string - required: - - template - type: object - type: object - type: array - sourceRef: - description: |- - SourceRef points to a store or generator - which contains secret values ready to use. - Use this in combination with Extract or Find pull values out of - a specific SecretStore. - When sourceRef points to a generator Extract or Find is not supported. - The generator returns a static map of values - maxProperties: 1 - minProperties: 1 - properties: - generatorRef: - description: GeneratorRef points to a generator custom resource. - properties: - apiVersion: - default: generators.external-secrets.io/v1alpha1 - description: Specify the apiVersion of the generator resource - type: string - kind: - description: Specify the Kind of the generator resource - enum: - - ACRAccessToken - - ClusterGenerator - - ECRAuthorizationToken - - Fake - - GCRAccessToken - - GithubAccessToken - - QuayAccessToken - - Password - - SSHKey - - STSSessionToken - - UUID - - VaultDynamicSecret - - Webhook - - Grafana - type: string - name: - description: Specify the name of the generator resource - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - required: - - kind - - name - type: object - storeRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - enum: - - SecretStore - - ClusterSecretStore - type: string - name: - description: Name of the SecretStore resource - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - type: object - type: object - type: object - type: array - refreshInterval: - default: 1h - description: |- - RefreshInterval is the amount of time before the values are read again from the SecretStore provider, - specified as Golang Duration strings. - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" - Example values: "1h", "2h30m", "10s" - May be set to zero to fetch and create it once. Defaults to 1h. - type: string - refreshPolicy: - description: |- - RefreshPolicy determines how the ExternalSecret should be refreshed: - - CreatedOnce: Creates the Secret only if it does not exist and does not update it thereafter - - Periodic: Synchronizes the Secret from the external source at regular intervals specified by refreshInterval. - No periodic updates occur if refreshInterval is 0. - - OnChange: Only synchronizes the Secret when the ExternalSecret's metadata or specification changes - enum: - - CreatedOnce - - Periodic - - OnChange - type: string - secretStoreRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - enum: - - SecretStore - - ClusterSecretStore - type: string - name: - description: Name of the SecretStore resource - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - type: object - target: - default: - creationPolicy: Owner - deletionPolicy: Retain - description: |- - ExternalSecretTarget defines the Kubernetes Secret to be created - There can be only one target per ExternalSecret. - properties: - creationPolicy: - default: Owner - description: |- - CreationPolicy defines rules on how to create the resulting Secret. - Defaults to "Owner" - enum: - - Owner - - Orphan - - Merge - - None - type: string - deletionPolicy: - default: Retain - description: |- - DeletionPolicy defines rules on how to delete the resulting Secret. - Defaults to "Retain" - enum: - - Delete - - Merge - - Retain - type: string - immutable: - description: Immutable defines if the final secret will be immutable - type: boolean - name: - description: |- - The name of the Secret resource to be managed. - Defaults to the .metadata.name of the ExternalSecret resource - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - template: - description: Template defines a blueprint for the created Secret resource. - properties: - data: - additionalProperties: - type: string - type: object - engineVersion: - default: v2 - description: |- - EngineVersion specifies the template engine version - that should be used to compile/execute the - template specified in .data and .templateFrom[]. - enum: - - v2 - type: string - mergePolicy: - default: Replace - description: TemplateMergePolicy defines how template values should be merged when generating a secret. - enum: - - Replace - - Merge - type: string - metadata: - description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - templateFrom: - items: - description: TemplateFrom defines a source for template data. - properties: - configMap: - description: TemplateRef defines a reference to a template source in a ConfigMap or Secret. - properties: - items: - description: A list of keys in the ConfigMap/Secret to use as templates for Secret data - items: - description: TemplateRefItem defines which key in the referenced ConfigMap or Secret to use as a template. - properties: - key: - description: A key in the ConfigMap/Secret - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - templateAs: - default: Values - description: TemplateScope defines the scope of the template when processing template data. - enum: - - Values - - KeysAndValues - type: string - required: - - key - type: object - type: array - name: - description: The name of the ConfigMap/Secret resource - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - required: - - items - - name - type: object - literal: - type: string - secret: - description: TemplateRef defines a reference to a template source in a ConfigMap or Secret. - properties: - items: - description: A list of keys in the ConfigMap/Secret to use as templates for Secret data - items: - description: TemplateRefItem defines which key in the referenced ConfigMap or Secret to use as a template. - properties: - key: - description: A key in the ConfigMap/Secret - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - templateAs: - default: Values - description: TemplateScope defines the scope of the template when processing template data. - enum: - - Values - - KeysAndValues - type: string - required: - - key - type: object - type: array - name: - description: The name of the ConfigMap/Secret resource - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - required: - - items - - name - type: object - target: - default: Data - description: TemplateTarget defines the target field where the template result will be stored. - enum: - - Data - - Annotations - - Labels - type: string - type: object - type: array - type: - type: string - type: object - type: object - type: object - namespaceSelector: - description: The labels to select by to find the Namespaces to create the ExternalSecrets in - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaceSelectors: - description: A list of labels to select by to find the Namespaces to create the ExternalSecrets in. The selectors are ORed. - items: - description: |- - A label selector is a label query over a set of resources. The result of matchLabels and - matchExpressions are ANDed. An empty label selector matches all objects. A null - label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: array - namespaces: - description: |- - Choose namespaces by name. This field is ORed with anything that NamespaceSelectors ends up choosing. - Deprecated: Use NamespaceSelectors instead. - items: - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: array - refreshTime: - description: The time in which the controller should reconcile its objects and recheck namespaces for labels. - type: string - required: - - externalSecretSpec - type: object - status: - description: ClusterExternalSecretStatus defines the observed state of ClusterExternalSecret. - properties: - conditions: - items: - description: ClusterExternalSecretStatusCondition indicates the status of the ClusterExternalSecret. - properties: - message: - type: string - status: - type: string - type: - description: ClusterExternalSecretConditionType indicates the condition of the ClusterExternalSecret. - type: string - required: - - status - - type - type: object - type: array - externalSecretName: - description: ExternalSecretName is the name of the ExternalSecrets created by the ClusterExternalSecret - type: string - failedNamespaces: - description: Failed namespaces are the namespaces that failed to apply an ExternalSecret - items: - description: ClusterExternalSecretNamespaceFailure represents a failed namespace deployment and it's reason. - properties: - namespace: - description: Namespace is the namespace that failed when trying to apply an ExternalSecret - type: string - reason: - description: Reason is why the ExternalSecret failed to apply to the namespace - type: string - required: - - namespace - type: object - type: array - provisionedNamespaces: - description: ProvisionedNamespaces are the namespaces where the ClusterExternalSecret has secrets - items: - type: string - type: array - type: object - type: object - served: false - storage: false - subresources: - status: {} diff --git a/apps/external-secrets/manifests/CustomResourceDefinition-clustergenerators.generators.external-secrets.io b/apps/external-secrets/manifests/CustomResourceDefinition-clustergenerators.generators.external-secrets.io deleted file mode 100644 index 3fbd4d39..00000000 --- a/apps/external-secrets/manifests/CustomResourceDefinition-clustergenerators.generators.external-secrets.io +++ /dev/null @@ -1,2102 +0,0 @@ ---- -# Source: external-secrets/templates/crds/clustergenerator.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - labels: - external-secrets.io/component: controller - name: clustergenerators.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - external-secrets - - external-secrets-generators - kind: ClusterGenerator - listKind: ClusterGeneratorList - plural: clustergenerators - singular: clustergenerator - scope: Cluster - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: ClusterGenerator represents a cluster-wide generator which can be referenced as part of `generatorRef` fields. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: ClusterGeneratorSpec defines the desired state of a ClusterGenerator. - properties: - generator: - description: Generator the spec for this generator, must match the kind. - maxProperties: 1 - minProperties: 1 - properties: - acrAccessTokenSpec: - description: |- - ACRAccessTokenSpec defines how to generate the access token - e.g. how to authenticate and which registry to use. - see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview - properties: - auth: - description: ACRAuth defines the authentication methods for Azure Container Registry. - properties: - managedIdentity: - description: ManagedIdentity uses Azure Managed Identity to authenticate with Azure. - properties: - identityId: - description: If multiple Managed Identity is assigned to the pod, you can select the one to be used - type: string - type: object - servicePrincipal: - description: ServicePrincipal uses Azure Service Principal credentials to authenticate with Azure. - properties: - secretRef: - description: |- - AzureACRServicePrincipalAuthSecretRef defines the secret references for Azure Service Principal authentication. - It uses static credentials stored in a Kind=Secret. - properties: - clientId: - description: The Azure clientId of the service principle used for authentication. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - clientSecret: - description: The Azure ClientSecret of the service principle used for authentication. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - required: - - secretRef - type: object - workloadIdentity: - description: WorkloadIdentity uses Azure Workload Identity to authenticate with Azure. - properties: - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - type: object - type: object - environmentType: - default: PublicCloud - description: |- - EnvironmentType specifies the Azure cloud environment endpoints to use for - connecting and authenticating with Azure. By default, it points to the public cloud AAD endpoint. - The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 - PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud - enum: - - PublicCloud - - USGovernmentCloud - - ChinaCloud - - GermanCloud - - AzureStackCloud - type: string - registry: - description: |- - the domain name of the ACR registry - e.g. foobarexample.azurecr.io - type: string - scope: - description: |- - Define the scope for the access token, e.g. pull/push access for a repository. - if not provided it will return a refresh token that has full scope. - Note: you need to pin it down to the repository level, there is no wildcard available. - - examples: - repository:my-repository:pull,push - repository:my-repository:pull - - see docs for details: https://docs.docker.com/registry/spec/auth/scope/ - type: string - tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. - type: string - required: - - auth - - registry - type: object - cloudsmithAccessTokenSpec: - description: CloudsmithAccessTokenSpec defines the configuration for generating a Cloudsmith access token using OIDC authentication. - properties: - apiUrl: - description: APIURL configures the Cloudsmith API URL. Defaults to https://api.cloudsmith.io. - type: string - orgSlug: - description: OrgSlug is the organization slug in Cloudsmith - type: string - serviceAccountRef: - description: Name of the service account you are federating with - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - serviceSlug: - description: ServiceSlug is the service slug in Cloudsmith for OIDC authentication - type: string - required: - - orgSlug - - serviceAccountRef - - serviceSlug - type: object - ecrAuthorizationTokenSpec: - description: ECRAuthorizationTokenSpec defines the desired state to generate an AWS ECR authorization token. - properties: - auth: - description: Auth defines how to authenticate with AWS - properties: - jwt: - description: AWSJWTAuth provides configuration to authenticate against AWS using service account tokens. - properties: - serviceAccountRef: - description: ServiceAccountSelector is a reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - type: object - secretRef: - description: |- - AWSAuthSecretRef holds secret references for AWS credentials - both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - sessionTokenSecretRef: - description: |- - The SessionToken used for authentication - This must be defined if AccessKeyID and SecretAccessKey are temporary credentials - see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - type: object - region: - description: Region specifies the region to operate in. - type: string - role: - description: |- - You can assume a role before making calls to the - desired AWS service. - type: string - scope: - description: |- - Scope specifies the ECR service scope. - Valid options are private and public. - type: string - required: - - region - type: object - fakeSpec: - description: FakeSpec contains the static data. - properties: - controller: - description: |- - Used to select the correct ESO controller (think: ingress.ingressClassName) - The ESO controller is instantiated with a specific controller name and filters VDS based on this property - type: string - data: - additionalProperties: - type: string - description: |- - Data defines the static data returned - by this generator. - type: object - type: object - gcrAccessTokenSpec: - description: GCRAccessTokenSpec defines the desired state to generate a Google Container Registry access token. - properties: - auth: - description: Auth defines the means for authenticating with GCP - properties: - secretRef: - description: GCPSMAuthSecretRef defines the reference to a secret containing Google Cloud Platform credentials. - properties: - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - workloadIdentity: - description: GCPWorkloadIdentity defines the configuration for using GCP Workload Identity authentication. - properties: - clusterLocation: - type: string - clusterName: - type: string - clusterProjectID: - type: string - serviceAccountRef: - description: ServiceAccountSelector is a reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - required: - - clusterLocation - - clusterName - - serviceAccountRef - type: object - workloadIdentityFederation: - description: GCPWorkloadIdentityFederation holds the configurations required for generating federated access tokens. - properties: - audience: - description: |- - audience is the Secure Token Service (STS) audience which contains the resource name for the workload identity pool and the provider identifier in that pool. - If specified, Audience found in the external account credential config will be overridden with the configured value. - audience must be provided when serviceAccountRef or awsSecurityCredentials is configured. - type: string - awsSecurityCredentials: - description: |- - awsSecurityCredentials is for configuring AWS region and credentials to use for obtaining the access token, - when using the AWS metadata server is not an option. - properties: - awsCredentialsSecretRef: - description: |- - awsCredentialsSecretRef is the reference to the secret which holds the AWS credentials. - Secret should be created with below names for keys - - aws_access_key_id: Access Key ID, which is the unique identifier for the AWS account or the IAM user. - - aws_secret_access_key: Secret Access Key, which is used to authenticate requests made to AWS services. - - aws_session_token: Session Token, is the short-lived token to authenticate requests made to AWS services. - properties: - name: - description: name of the secret. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: namespace in which the secret exists. If empty, secret will looked up in local namespace. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - region: - description: region is for configuring the AWS region to be used. - example: ap-south-1 - maxLength: 50 - minLength: 1 - pattern: ^[a-z0-9-]+$ - type: string - required: - - awsCredentialsSecretRef - - region - type: object - credConfig: - description: |- - credConfig holds the configmap reference containing the GCP external account credential configuration in JSON format and the key name containing the json data. - For using Kubernetes cluster as the identity provider, use serviceAccountRef instead. Operators mounted serviceaccount token cannot be used as the token source, instead - serviceAccountRef must be used by providing operators service account details. - properties: - key: - description: key name holding the external account credential config. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: name of the configmap. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: namespace in which the configmap exists. If empty, configmap will looked up in local namespace. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - key - - name - type: object - externalTokenEndpoint: - description: |- - externalTokenEndpoint is the endpoint explicitly set up to provide tokens, which will be matched against the - credential_source.url in the provided credConfig. This field is merely to double-check the external token source - URL is having the expected value. - type: string - serviceAccountRef: - description: |- - serviceAccountRef is the reference to the kubernetes ServiceAccount to be used for obtaining the tokens, - when Kubernetes is configured as provider in workload identity pool. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - type: object - type: object - projectID: - description: ProjectID defines which project to use to authenticate with - type: string - required: - - auth - - projectID - type: object - githubAccessTokenSpec: - description: GithubAccessTokenSpec defines the desired state to generate a GitHub access token. - properties: - appID: - type: string - auth: - description: Auth configures how ESO authenticates with a Github instance. - properties: - privateKey: - description: GithubSecretRef references a secret containing GitHub credentials. - properties: - secretRef: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - secretRef - type: object - required: - - privateKey - type: object - installID: - type: string - permissions: - additionalProperties: - type: string - description: Map of permissions the token will have. If omitted, defaults to all permissions the GitHub App has. - type: object - repositories: - description: |- - List of repositories the token will have access to. If omitted, defaults to all repositories the GitHub App - is installed to. - items: - type: string - type: array - url: - description: URL configures the GitHub instance URL. Defaults to https://github.com/. - type: string - required: - - appID - - auth - - installID - type: object - grafanaSpec: - description: GrafanaSpec controls the behavior of the grafana generator. - properties: - auth: - description: |- - Auth is the authentication configuration to authenticate - against the Grafana instance. - properties: - basic: - description: |- - Basic auth credentials used to authenticate against the Grafana instance. - Note: you need a token which has elevated permissions to create service accounts. - See here for the documentation on basic roles offered by Grafana: - https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/ - properties: - password: - description: A basic auth password used to authenticate against the Grafana instance. - properties: - key: - description: The key where the token is found. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - type: object - username: - description: A basic auth username used to authenticate against the Grafana instance. - type: string - required: - - password - - username - type: object - token: - description: |- - A service account token used to authenticate against the Grafana instance. - Note: you need a token which has elevated permissions to create service accounts. - See here for the documentation on basic roles offered by Grafana: - https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/ - properties: - key: - description: The key where the token is found. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - type: object - type: object - serviceAccount: - description: |- - ServiceAccount is the configuration for the service account that - is supposed to be generated by the generator. - properties: - name: - description: Name is the name of the service account that will be created by ESO. - type: string - role: - description: |- - Role is the role of the service account. - See here for the documentation on basic roles offered by Grafana: - https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/ - type: string - required: - - name - - role - type: object - url: - description: URL is the URL of the Grafana instance. - type: string - required: - - auth - - serviceAccount - - url - type: object - mfaSpec: - description: MFASpec controls the behavior of the mfa generator. - properties: - algorithm: - description: Algorithm to use for encoding. Defaults to SHA1 as per the RFC. - type: string - length: - description: Length defines the token length. Defaults to 6 characters. - type: integer - secret: - description: Secret is a secret selector to a secret containing the seed secret to generate the TOTP value from. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - timePeriod: - description: TimePeriod defines how long the token can be active. Defaults to 30 seconds. - type: integer - when: - description: When defines a time parameter that can be used to pin the origin time of the generated token. - format: date-time - type: string - required: - - secret - type: object - passwordSpec: - description: PasswordSpec controls the behavior of the password generator. - properties: - allowRepeat: - default: false - description: set AllowRepeat to true to allow repeating characters. - type: boolean - digits: - description: |- - Digits specifies the number of digits in the generated - password. If omitted it defaults to 25% of the length of the password - type: integer - encoding: - default: raw - description: |- - Encoding specifies the encoding of the generated password. - Valid values are: - - "raw" (default): no encoding - - "base64": standard base64 encoding - - "base64url": base64url encoding - - "base32": base32 encoding - - "hex": hexadecimal encoding - enum: - - base64 - - base64url - - base32 - - hex - - raw - type: string - length: - default: 24 - description: |- - Length of the password to be generated. - Defaults to 24 - type: integer - noUpper: - default: false - description: Set NoUpper to disable uppercase characters - type: boolean - symbolCharacters: - description: |- - SymbolCharacters specifies the special characters that should be used - in the generated password. - type: string - symbols: - description: |- - Symbols specifies the number of symbol characters in the generated - password. If omitted it defaults to 25% of the length of the password - type: integer - required: - - allowRepeat - - length - - noUpper - type: object - quayAccessTokenSpec: - description: QuayAccessTokenSpec defines the desired state to generate a Quay access token. - properties: - robotAccount: - description: Name of the robot account you are federating with - type: string - serviceAccountRef: - description: Name of the service account you are federating with - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - url: - description: URL configures the Quay instance URL. Defaults to quay.io. - type: string - required: - - robotAccount - - serviceAccountRef - type: object - sshKeySpec: - description: SSHKeySpec controls the behavior of the ssh key generator. - properties: - comment: - description: Comment specifies an optional comment for the SSH key - type: string - keySize: - description: |- - KeySize specifies the key size for RSA keys (default: 2048) - For RSA keys: 2048, 3072, 4096 - Ignored for ed25519 keys - maximum: 8192 - minimum: 256 - type: integer - keyType: - default: rsa - description: KeyType specifies the SSH key type (rsa, ed25519) - enum: - - rsa - - ed25519 - type: string - type: object - stsSessionTokenSpec: - description: STSSessionTokenSpec defines the desired state to generate an AWS STS session token. - properties: - auth: - description: Auth defines how to authenticate with AWS - properties: - jwt: - description: AWSJWTAuth provides configuration to authenticate against AWS using service account tokens. - properties: - serviceAccountRef: - description: ServiceAccountSelector is a reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - type: object - secretRef: - description: |- - AWSAuthSecretRef holds secret references for AWS credentials - both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - sessionTokenSecretRef: - description: |- - The SessionToken used for authentication - This must be defined if AccessKeyID and SecretAccessKey are temporary credentials - see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - type: object - region: - description: Region specifies the region to operate in. - type: string - requestParameters: - description: RequestParameters contains parameters that can be passed to the STS service. - properties: - serialNumber: - description: |- - SerialNumber is the identification number of the MFA device that is associated with the IAM user who is making - the GetSessionToken call. - Possible values: hardware device (such as GAHT12345678) or an Amazon Resource Name (ARN) for a virtual device - (such as arn:aws:iam::123456789012:mfa/user) - type: string - sessionDuration: - format: int32 - type: integer - tokenCode: - description: TokenCode is the value provided by the MFA device, if MFA is required. - type: string - type: object - role: - description: |- - You can assume a role before making calls to the - desired AWS service. - type: string - required: - - region - type: object - uuidSpec: - description: UUIDSpec controls the behavior of the uuid generator. - type: object - vaultDynamicSecretSpec: - description: VaultDynamicSecretSpec defines the desired spec of VaultDynamicSecret. - properties: - allowEmptyResponse: - default: false - description: Do not fail if no secrets are found. Useful for requests where no data is expected. - type: boolean - controller: - description: |- - Used to select the correct ESO controller (think: ingress.ingressClassName) - The ESO controller is instantiated with a specific controller name and filters VDS based on this property - type: string - method: - description: Vault API method to use (GET/POST/other) - type: string - parameters: - description: Parameters to pass to Vault write (for non-GET methods) - x-kubernetes-preserve-unknown-fields: true - path: - description: Vault path to obtain the dynamic secret from - type: string - provider: - description: Vault provider common spec - properties: - auth: - description: Auth configures how secret-manager authenticates with the Vault server. - properties: - appRole: - description: |- - AppRole authenticates with Vault using the App Role auth mechanism, - with the role and secret stored in a Kubernetes Secret resource. - properties: - path: - default: approle - description: |- - Path where the App Role authentication backend is mounted - in Vault, e.g: "approle" - type: string - roleId: - description: |- - RoleID configured in the App Role authentication backend when setting - up the authentication backend in Vault. - type: string - roleRef: - description: |- - Reference to a key in a Secret that contains the App Role ID used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role id. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - secretRef: - description: |- - Reference to a key in a Secret that contains the App Role secret used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role secret. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - path - - secretRef - type: object - cert: - description: |- - Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate - Cert authentication method - properties: - clientCert: - description: |- - ClientCert is a certificate to authenticate using the Cert Vault - authentication method - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - path: - default: cert - description: |- - Path where the Certificate authentication backend is mounted - in Vault, e.g: "cert" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing client private key to - authenticate with Vault using the Cert authentication method - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - iam: - description: |- - Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials - AWS IAM authentication method - properties: - externalID: - description: AWS External ID set on assumed IAM roles - type: string - jwt: - description: Specify a service account with IRSA enabled - properties: - serviceAccountRef: - description: ServiceAccountSelector is a reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - type: object - path: - description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' - type: string - region: - description: AWS region - type: string - role: - description: This is the AWS role to be assumed before talking to vault - type: string - secretRef: - description: Specify credentials in a Secret object - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - sessionTokenSecretRef: - description: |- - The SessionToken used for authentication - This must be defined if AccessKeyID and SecretAccessKey are temporary credentials - see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - vaultAwsIamServerID: - description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' - type: string - vaultRole: - description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine - type: string - required: - - vaultRole - type: object - jwt: - description: |- - Jwt authenticates with Vault by passing role and JWT token using the - JWT/OIDC authentication method - properties: - kubernetesServiceAccountToken: - description: |- - Optional ServiceAccountToken specifies the Kubernetes service account for which to request - a token for with the `TokenRequest` API. - properties: - audiences: - description: |- - Optional audiences field that will be used to request a temporary Kubernetes service - account token for the service account referenced by `serviceAccountRef`. - Defaults to a single audience `vault` it not specified. - Deprecated: use serviceAccountRef.Audiences instead - items: - type: string - type: array - expirationSeconds: - description: |- - Optional expiration time in seconds that will be used to request a temporary - Kubernetes service account token for the service account referenced by - `serviceAccountRef`. - Deprecated: this will be removed in the future. - Defaults to 10 minutes. - format: int64 - type: integer - serviceAccountRef: - description: Service account field containing the name of a kubernetes ServiceAccount. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - path: - default: jwt - description: |- - Path where the JWT authentication backend is mounted - in Vault, e.g: "jwt" - type: string - role: - description: |- - Role is a JWT role to authenticate using the JWT/OIDC Vault - authentication method - type: string - secretRef: - description: |- - Optional SecretRef that refers to a key in a Secret resource containing JWT token to - authenticate with Vault using the JWT/OIDC authentication method. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - path - type: object - kubernetes: - description: |- - Kubernetes authenticates with Vault by passing the ServiceAccount - token stored in the named Secret resource to the Vault server. - properties: - mountPath: - default: kubernetes - description: |- - Path where the Kubernetes authentication backend is mounted in Vault, e.g: - "kubernetes" - type: string - role: - description: |- - A required field containing the Vault Role to assume. A Role binds a - Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Vault. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Vault. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - required: - - mountPath - - role - type: object - ldap: - description: |- - Ldap authenticates with Vault by passing username/password pair using - the LDAP authentication method - properties: - path: - default: ldap - description: |- - Path where the LDAP authentication backend is mounted - in Vault, e.g: "ldap" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the LDAP - user used to authenticate with Vault using the LDAP authentication - method - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - username: - description: |- - Username is an LDAP username used to authenticate using the LDAP Vault - authentication method - type: string - required: - - path - - username - type: object - namespace: - description: |- - Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. - Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - This will default to Vault.Namespace field if set, or empty otherwise - type: string - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - userPass: - description: UserPass authenticates with Vault by passing username/password pair - properties: - path: - default: userpass - description: |- - Path where the UserPassword authentication backend is mounted - in Vault, e.g: "userpass" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the - user used to authenticate with Vault using the UserPass authentication - method - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - username: - description: |- - Username is a username used to authenticate using the UserPass Vault - authentication method - type: string - required: - - path - - username - type: object - type: object - caBundle: - description: |- - PEM encoded CA bundle used to validate Vault server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Vault server certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the object located at the provider type. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - checkAndSet: - description: |- - CheckAndSet defines the Check-And-Set (CAS) settings for PushSecret operations. - Only applies to Vault KV v2 stores. When enabled, write operations must include - the current version of the secret to prevent unintentional overwrites. - properties: - required: - description: |- - Required when true, all write operations must include a check-and-set parameter. - This helps prevent unintentional overwrites of secrets. - type: boolean - type: object - forwardInconsistent: - description: |- - ForwardInconsistent tells Vault to forward read-after-write requests to the Vault - leader instead of simply retrying within a loop. This can increase performance if - the option is enabled serverside. - https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header - type: boolean - headers: - additionalProperties: - type: string - description: Headers to be added in Vault request - type: object - namespace: - description: |- - Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - type: string - path: - description: |- - Path is the mount path of the Vault KV backend endpoint, e.g: - "secret". The v2 KV secret engine version specific "/data" path suffix - for fetching secrets from Vault is optional and will be appended - if not present in specified path. - type: string - readYourWrites: - description: |- - ReadYourWrites ensures isolated read-after-write semantics by - providing discovered cluster replication states in each request. - More information about eventual consistency in Vault can be found here - https://www.vaultproject.io/docs/enterprise/consistency - type: boolean - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - tls: - description: |- - The configuration used for client side related TLS communication, when the Vault server - requires mutual authentication. Only used if the Server URL is using HTTPS protocol. - This parameter is ignored for plain HTTP protocol connection. - It's worth noting this configuration is different from the "TLS certificates auth method", - which is available under the `auth.cert` section. - properties: - certSecretRef: - description: |- - CertSecretRef is a certificate added to the transport layer - when communicating with the Vault server. - If no key for the Secret is specified, external-secret will default to 'tls.crt'. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - keySecretRef: - description: |- - KeySecretRef to a key in a Secret resource containing client private key - added to the transport layer when communicating with the Vault server. - If no key for the Secret is specified, external-secret will default to 'tls.key'. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - version: - default: v2 - description: |- - Version is the Vault KV secret engine version. This can be either "v1" or - "v2". Version defaults to "v2". - enum: - - v1 - - v2 - type: string - required: - - server - type: object - resultType: - default: Data - description: |- - Result type defines which data is returned from the generator. - By default, it is the "data" section of the Vault API response. - When using e.g. /auth/token/create the "data" section is empty but - the "auth" section contains the generated token. - Please refer to the vault docs regarding the result data structure. - Additionally, accessing the raw response is possibly by using "Raw" result type. - enum: - - Data - - Auth - - Raw - type: string - retrySettings: - description: Used to configure http retries if failed - properties: - maxRetries: - format: int32 - type: integer - retryInterval: - type: string - type: object - required: - - path - - provider - type: object - webhookSpec: - description: WebhookSpec controls the behavior of the external generator. Any body parameters should be passed to the server through the parameters field. - properties: - auth: - description: Auth specifies a authorization protocol. Only one protocol may be set. - maxProperties: 1 - minProperties: 1 - properties: - ntlm: - description: NTLMProtocol configures the store to use NTLM for auth - properties: - passwordSecret: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - usernameSecret: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - passwordSecret - - usernameSecret - type: object - type: object - body: - description: Body - type: string - caBundle: - description: |- - PEM encoded CA bundle used to validate webhook server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate webhook server certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the object located at the provider type. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: The namespace the Provider type is in. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - headers: - additionalProperties: - type: string - description: Headers - type: object - method: - description: Webhook Method - type: string - result: - description: Result formatting - properties: - jsonPath: - description: Json path of return value - type: string - type: object - secrets: - description: |- - Secrets to fill in templates - These secrets will be passed to the templating function as key value pairs under the given name - items: - description: WebhookSecret defines a secret reference that will be used in webhook templates. - properties: - name: - description: Name of this secret in templates - type: string - secretRef: - description: Secret ref to fill in credentials - properties: - key: - description: The key where the token is found. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - type: object - required: - - name - - secretRef - type: object - type: array - timeout: - description: Timeout - type: string - url: - description: Webhook url to call - type: string - required: - - result - - url - type: object - type: object - kind: - description: Kind the kind of this generator. - enum: - - ACRAccessToken - - CloudsmithAccessToken - - ECRAuthorizationToken - - Fake - - GCRAccessToken - - GithubAccessToken - - QuayAccessToken - - Password - - SSHKey - - STSSessionToken - - UUID - - VaultDynamicSecret - - Webhook - - Grafana - type: string - required: - - generator - - kind - type: object - type: object - served: true - storage: true - subresources: - status: {} diff --git a/apps/external-secrets/manifests/CustomResourceDefinition-clusterpushsecrets.external-secrets.io b/apps/external-secrets/manifests/CustomResourceDefinition-clusterpushsecrets.external-secrets.io deleted file mode 100644 index a8e5d4b3..00000000 --- a/apps/external-secrets/manifests/CustomResourceDefinition-clusterpushsecrets.external-secrets.io +++ /dev/null @@ -1,540 +0,0 @@ ---- -# Source: external-secrets/templates/crds/clusterpushsecret.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - labels: - external-secrets.io/component: controller - name: clusterpushsecrets.external-secrets.io -spec: - group: external-secrets.io - names: - categories: - - external-secrets - kind: ClusterPushSecret - listKind: ClusterPushSecretList - plural: clusterpushsecrets - singular: clusterpushsecret - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - name: v1alpha1 - schema: - openAPIV3Schema: - description: ClusterPushSecret is the Schema for the ClusterPushSecrets API that enables cluster-wide management of pushing Kubernetes secrets to external providers. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: ClusterPushSecretSpec defines the configuration for a ClusterPushSecret resource. - properties: - namespaceSelectors: - description: A list of labels to select by to find the Namespaces to create the ExternalSecrets in. The selectors are ORed. - items: - description: |- - A label selector is a label query over a set of resources. The result of matchLabels and - matchExpressions are ANDed. An empty label selector matches all objects. A null - label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: array - pushSecretMetadata: - description: The metadata of the external secrets to be created - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - pushSecretName: - description: |- - The name of the push secrets to be created. - Defaults to the name of the ClusterPushSecret - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - pushSecretSpec: - description: PushSecretSpec defines what to do with the secrets. - properties: - data: - description: Secret Data that should be pushed to providers - items: - description: PushSecretData defines data to be pushed to the provider and associated metadata. - properties: - conversionStrategy: - default: None - description: Used to define a conversion Strategy for the secret keys - enum: - - None - - ReverseUnicode - type: string - match: - description: Match a given Secret Key to be pushed to the provider. - properties: - remoteRef: - description: Remote Refs to push to providers. - properties: - property: - description: Name of the property in the resulting secret - type: string - remoteKey: - description: Name of the resulting provider secret. - type: string - required: - - remoteKey - type: object - secretKey: - description: Secret Key to be pushed - type: string - required: - - remoteRef - type: object - metadata: - description: |- - Metadata is metadata attached to the secret. - The structure of metadata is provider specific, please look it up in the provider documentation. - x-kubernetes-preserve-unknown-fields: true - required: - - match - type: object - type: array - deletionPolicy: - default: None - description: Deletion Policy to handle Secrets in the provider. - enum: - - Delete - - None - type: string - refreshInterval: - default: 1h - description: The Interval to which External Secrets will try to push a secret definition - type: string - secretStoreRefs: - items: - description: PushSecretStoreRef contains a reference on how to sync to a SecretStore. - properties: - kind: - default: SecretStore - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - enum: - - SecretStore - - ClusterSecretStore - type: string - labelSelector: - description: Optionally, sync to secret stores with label selector - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - name: - description: Optionally, sync to the SecretStore of the given name - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - type: object - type: array - selector: - description: The Secret Selector (k8s source) for the Push Secret - maxProperties: 1 - minProperties: 1 - properties: - generatorRef: - description: Point to a generator to create a Secret. - properties: - apiVersion: - default: generators.external-secrets.io/v1alpha1 - description: Specify the apiVersion of the generator resource - type: string - kind: - description: Specify the Kind of the generator resource - enum: - - ACRAccessToken - - ClusterGenerator - - CloudsmithAccessToken - - ECRAuthorizationToken - - Fake - - GCRAccessToken - - GithubAccessToken - - QuayAccessToken - - Password - - SSHKey - - STSSessionToken - - UUID - - VaultDynamicSecret - - Webhook - - Grafana - - MFA - type: string - name: - description: Specify the name of the generator resource - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - required: - - kind - - name - type: object - secret: - description: Select a Secret to Push. - properties: - name: - description: |- - Name of the Secret. - The Secret must exist in the same namespace as the PushSecret manifest. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - selector: - description: Selector chooses secrets using a labelSelector. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - type: object - template: - description: Template defines a blueprint for the created Secret resource. - properties: - data: - additionalProperties: - type: string - type: object - engineVersion: - default: v2 - description: |- - EngineVersion specifies the template engine version - that should be used to compile/execute the - template specified in .data and .templateFrom[]. - enum: - - v2 - type: string - mergePolicy: - default: Replace - description: TemplateMergePolicy defines how the rendered template should be merged with the existing Secret data. - enum: - - Replace - - Merge - type: string - metadata: - description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - type: object - templateFrom: - items: - description: |- - TemplateFrom specifies a source for templates. - Each item in the list can either reference a ConfigMap or a Secret resource. - properties: - configMap: - description: TemplateRef specifies a reference to either a ConfigMap or a Secret resource. - properties: - items: - description: A list of keys in the ConfigMap/Secret to use as templates for Secret data - items: - description: TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data. - properties: - key: - description: A key in the ConfigMap/Secret - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - templateAs: - default: Values - description: TemplateScope specifies how the template keys should be interpreted. - enum: - - Values - - KeysAndValues - type: string - required: - - key - type: object - type: array - name: - description: The name of the ConfigMap/Secret resource - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - required: - - items - - name - type: object - literal: - type: string - secret: - description: TemplateRef specifies a reference to either a ConfigMap or a Secret resource. - properties: - items: - description: A list of keys in the ConfigMap/Secret to use as templates for Secret data - items: - description: TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data. - properties: - key: - description: A key in the ConfigMap/Secret - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - templateAs: - default: Values - description: TemplateScope specifies how the template keys should be interpreted. - enum: - - Values - - KeysAndValues - type: string - required: - - key - type: object - type: array - name: - description: The name of the ConfigMap/Secret resource - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - required: - - items - - name - type: object - target: - default: Data - description: TemplateTarget specifies where the rendered templates should be applied. - enum: - - Data - - Annotations - - Labels - type: string - type: object - type: array - type: - type: string - type: object - updatePolicy: - default: Replace - description: UpdatePolicy to handle Secrets in the provider. - enum: - - Replace - - IfNotExists - type: string - required: - - secretStoreRefs - - selector - type: object - refreshTime: - description: The time in which the controller should reconcile its objects and recheck namespaces for labels. - type: string - required: - - pushSecretSpec - type: object - status: - description: ClusterPushSecretStatus contains the status information for the ClusterPushSecret resource. - properties: - conditions: - items: - description: PushSecretStatusCondition indicates the status of the PushSecret. - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - description: PushSecretConditionType indicates the condition of the PushSecret. - type: string - required: - - status - - type - type: object - type: array - failedNamespaces: - description: Failed namespaces are the namespaces that failed to apply an PushSecret - items: - description: ClusterPushSecretNamespaceFailure represents a failed namespace deployment and it's reason. - properties: - namespace: - description: Namespace is the namespace that failed when trying to apply an PushSecret - type: string - reason: - description: Reason is why the PushSecret failed to apply to the namespace - type: string - required: - - namespace - type: object - type: array - provisionedNamespaces: - description: ProvisionedNamespaces are the namespaces where the ClusterPushSecret has secrets - items: - type: string - type: array - pushSecretName: - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} diff --git a/apps/external-secrets/manifests/CustomResourceDefinition-clustersecretstores.external-secrets.io b/apps/external-secrets/manifests/CustomResourceDefinition-clustersecretstores.external-secrets.io deleted file mode 100644 index 9f44ade1..00000000 --- a/apps/external-secrets/manifests/CustomResourceDefinition-clustersecretstores.external-secrets.io +++ /dev/null @@ -1,9494 +0,0 @@ ---- -# Source: external-secrets/templates/crds/clustersecretstore.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - labels: - external-secrets.io/component: controller - name: clustersecretstores.external-secrets.io -spec: - group: external-secrets.io - names: - categories: - - external-secrets - kind: ClusterSecretStore - listKind: ClusterSecretStoreList - plural: clustersecretstores - shortNames: - - css - singular: clustersecretstore - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - - jsonPath: .status.capabilities - name: Capabilities - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - name: v1 - schema: - openAPIV3Schema: - description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: SecretStoreSpec defines the desired state of SecretStore. - properties: - conditions: - description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore - items: - description: |- - ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in - for a ClusterSecretStore instance. - properties: - namespaceRegexes: - description: Choose namespaces by using regex matching - items: - type: string - type: array - namespaceSelector: - description: Choose namespace using a labelSelector - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Choose namespaces by name - items: - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: array - type: object - type: array - controller: - description: |- - Used to select the correct ESO controller (think: ingress.ingressClassName) - The ESO controller is instantiated with a specific controller name and filters ES based on this property - type: string - provider: - description: Used to configure the provider. Only one provider may be set - maxProperties: 1 - minProperties: 1 - properties: - akeyless: - description: Akeyless configures this store to sync secrets using Akeyless Vault provider - properties: - akeylessGWApiURL: - description: Akeyless GW API Url from which the secrets to be fetched from. - type: string - authSecretRef: - description: Auth configures how the operator authenticates with Akeyless. - properties: - kubernetesAuth: - description: |- - Kubernetes authenticates with Akeyless by passing the ServiceAccount - token stored in the named Secret resource. - properties: - accessID: - description: the Akeyless Kubernetes auth-method access-id - type: string - k8sConfName: - description: Kubernetes-auth configuration name in Akeyless-Gateway - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Akeyless. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Akeyless. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - required: - - accessID - - k8sConfName - type: object - secretRef: - description: |- - Reference to a Secret that contains the details - to authenticate with Akeyless. - properties: - accessID: - description: The SecretAccessID is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - accessType: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - accessTypeParam: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - type: object - caBundle: - description: |- - PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used - if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Akeyless Gateway certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the object located at the provider type. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - required: - - akeylessGWApiURL - - authSecretRef - type: object - alibaba: - description: Alibaba configures this store to sync secrets using Alibaba Cloud provider - properties: - auth: - description: AlibabaAuth contains a secretRef for credentials. - properties: - rrsa: - description: AlibabaRRSAAuth authenticates against Alibaba using RRSA. - properties: - oidcProviderArn: - type: string - oidcTokenFilePath: - type: string - roleArn: - type: string - sessionName: - type: string - required: - - oidcProviderArn - - oidcTokenFilePath - - roleArn - - sessionName - type: object - secretRef: - description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - accessKeySecretSecretRef: - description: The AccessKeySecret is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - accessKeyIDSecretRef - - accessKeySecretSecretRef - type: object - type: object - regionID: - description: Alibaba Region to be used for the provider - type: string - required: - - auth - - regionID - type: object - aws: - description: AWS configures this store to sync secrets using AWS Secret Manager provider - properties: - additionalRoles: - description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role - items: - type: string - type: array - auth: - description: |- - Auth defines the information necessary to authenticate against AWS - if not set aws sdk will infer credentials from your environment - see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - properties: - jwt: - description: AWSJWTAuth stores reference to Authenticate against AWS using service account tokens. - properties: - serviceAccountRef: - description: ServiceAccountSelector is a reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - type: object - secretRef: - description: |- - AWSAuthSecretRef holds secret references for AWS credentials - both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - sessionTokenSecretRef: - description: |- - The SessionToken used for authentication - This must be defined if AccessKeyID and SecretAccessKey are temporary credentials - see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - type: object - externalID: - description: AWS External ID set on assumed IAM roles - type: string - prefix: - description: Prefix adds a prefix to all retrieved values. - type: string - region: - description: AWS Region to be used for the provider - type: string - role: - description: Role is a Role ARN which the provider will assume - type: string - secretsManager: - description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager - properties: - forceDeleteWithoutRecovery: - description: |- - Specifies whether to delete the secret without any recovery window. You - can't use both this parameter and RecoveryWindowInDays in the same call. - If you don't use either, then by default Secrets Manager uses a 30 day - recovery window. - see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery - type: boolean - recoveryWindowInDays: - description: |- - The number of days from 7 to 30 that Secrets Manager waits before - permanently deleting the secret. You can't use both this parameter and - ForceDeleteWithoutRecovery in the same call. If you don't use either, - then by default Secrets Manager uses a 30-day recovery window. - see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays - format: int64 - type: integer - type: object - service: - description: Service defines which service should be used to fetch the secrets - enum: - - SecretsManager - - ParameterStore - type: string - sessionTags: - description: AWS STS assume role session tags - items: - description: |- - Tag is a key-value pair that can be attached to an AWS resource. - see: https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html - properties: - key: - type: string - value: - type: string - required: - - key - - value - type: object - type: array - transitiveTagKeys: - description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider - items: - type: string - type: array - required: - - region - - service - type: object - azurekv: - description: AzureKV configures this store to sync secrets using Azure Key Vault provider - properties: - authSecretRef: - description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. - properties: - clientCertificate: - description: The Azure ClientCertificate of the service principle used for authentication. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - clientId: - description: The Azure clientId of the service principle or managed identity used for authentication. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - clientSecret: - description: The Azure ClientSecret of the service principle used for authentication. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - tenantId: - description: The Azure tenantId of the managed identity used for authentication. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - authType: - default: ServicePrincipal - description: |- - Auth type defines how to authenticate to the keyvault service. - Valid values are: - - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) - enum: - - ServicePrincipal - - ManagedIdentity - - WorkloadIdentity - type: string - customCloudConfig: - description: |- - CustomCloudConfig defines custom Azure Stack Hub or Azure Stack Edge endpoints. - Required when EnvironmentType is AzureStackCloud. - IMPORTANT: This feature REQUIRES UseAzureSDK to be set to true. Custom cloud - configuration is not supported with the legacy go-autorest SDK. - properties: - activeDirectoryEndpoint: - description: |- - ActiveDirectoryEndpoint is the AAD endpoint for authentication - Required when using custom cloud configuration - type: string - keyVaultDNSSuffix: - description: KeyVaultDNSSuffix is the DNS suffix for Key Vault URLs - type: string - keyVaultEndpoint: - description: KeyVaultEndpoint is the Key Vault service endpoint - type: string - resourceManagerEndpoint: - description: ResourceManagerEndpoint is the Azure Resource Manager endpoint - type: string - required: - - activeDirectoryEndpoint - type: object - environmentType: - default: PublicCloud - description: |- - EnvironmentType specifies the Azure cloud environment endpoints to use for - connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. - The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 - PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud, AzureStackCloud - Use AzureStackCloud when you need to configure custom Azure Stack Hub or Azure Stack Edge endpoints. - enum: - - PublicCloud - - USGovernmentCloud - - ChinaCloud - - GermanCloud - - AzureStackCloud - type: string - identityId: - description: If multiple Managed Identity is assigned to the pod, you can select the one to be used - type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. - type: string - useAzureSDK: - default: false - description: |- - UseAzureSDK enables the use of the new Azure SDK for Go (azcore-based) instead of the legacy go-autorest SDK. - This is experimental and may have behavioral differences. Defaults to false (legacy SDK). - type: boolean - vaultUrl: - description: Vault Url from which the secrets to be fetched from. - type: string - required: - - vaultUrl - type: object - beyondtrust: - description: Beyondtrust configures this store to sync secrets using Password Safe provider. - properties: - auth: - description: Auth configures how the operator authenticates with Beyondtrust. - properties: - apiKey: - description: APIKey If not provided then ClientID/ClientSecret become required. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - certificate: - description: Certificate (cert.pem) for use when authenticating with an OAuth client Id using a Client Certificate. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - certificateKey: - description: Certificate private key (key.pem). For use when authenticating with an OAuth client Id - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - clientId: - description: ClientID is the API OAuth Client ID. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - clientSecret: - description: ClientSecret is the API OAuth Client Secret. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - type: object - server: - description: Auth configures how API server works. - properties: - apiUrl: - type: string - apiVersion: - type: string - clientTimeOutSeconds: - description: Timeout specifies a time limit for requests made by this Client. The timeout includes connection time, any redirects, and reading the response body. Defaults to 45 seconds. - type: integer - retrievalType: - description: The secret retrieval type. SECRET = Secrets Safe (credential, text, file). MANAGED_ACCOUNT = Password Safe account associated with a system. - type: string - separator: - description: A character that separates the folder names. - type: string - verifyCA: - type: boolean - required: - - apiUrl - - verifyCA - type: object - required: - - auth - - server - type: object - bitwardensecretsmanager: - description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider - properties: - apiURL: - type: string - auth: - description: |- - Auth configures how secret-manager authenticates with a bitwarden machine account instance. - Make sure that the token being used has permissions on the given secret. - properties: - secretRef: - description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance. - properties: - credentials: - description: AccessToken used for the bitwarden instance. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - credentials - type: object - required: - - secretRef - type: object - bitwardenServerSDKURL: - type: string - caBundle: - description: |- - Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack - can be performed. - type: string - caProvider: - description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider' - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the object located at the provider type. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - identityURL: - type: string - organizationID: - description: OrganizationID determines which organization this secret store manages. - type: string - projectID: - description: ProjectID determines which project this secret store manages. - type: string - required: - - auth - - organizationID - - projectID - type: object - chef: - description: Chef configures this store to sync secrets with chef server - properties: - auth: - description: Auth defines the information necessary to authenticate against chef Server - properties: - secretRef: - description: ChefAuthSecretRef holds secret references for chef server login credentials. - properties: - privateKeySecretRef: - description: SecretKey is the Signing Key in PEM format, used for authentication. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - privateKeySecretRef - type: object - required: - - secretRef - type: object - serverUrl: - description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/" - type: string - username: - description: UserName should be the user ID on the chef server - type: string - required: - - auth - - serverUrl - - username - type: object - cloudrusm: - description: CloudruSM configures this store to sync secrets using the Cloud.ru Secret Manager provider - properties: - auth: - description: CSMAuth contains a secretRef for credentials. - properties: - secretRef: - description: CSMAuthSecretRef holds secret references for Cloud.ru credentials. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - accessKeySecretSecretRef: - description: The AccessKeySecret is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - accessKeyIDSecretRef - - accessKeySecretSecretRef - type: object - type: object - projectID: - description: ProjectID is the project, which the secrets are stored in. - type: string - required: - - auth - type: object - conjur: - description: Conjur configures this store to sync secrets using conjur provider - properties: - auth: - description: Defines authentication settings for connecting to Conjur. - properties: - apikey: - description: Authenticates with Conjur using an API key. - properties: - account: - description: Account is the Conjur organization account name. - type: string - apiKeyRef: - description: |- - A reference to a specific 'key' containing the Conjur API key - within a Secret resource. In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - userRef: - description: |- - A reference to a specific 'key' containing the Conjur username - within a Secret resource. In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - account - - apiKeyRef - - userRef - type: object - jwt: - description: Jwt enables JWT authentication using Kubernetes service account tokens. - properties: - account: - description: Account is the Conjur organization account name. - type: string - hostId: - description: |- - Optional HostID for JWT authentication. This may be used depending - on how the Conjur JWT authenticator policy is configured. - type: string - secretRef: - description: |- - Optional SecretRef that refers to a key in a Secret resource containing JWT token to - authenticate with Conjur using the JWT authentication method. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - serviceAccountRef: - description: |- - Optional ServiceAccountRef specifies the Kubernetes service account for which to request - a token for with the `TokenRequest` API. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - serviceID: - description: The conjur authn jwt webservice id - type: string - required: - - account - - serviceID - type: object - type: object - caBundle: - description: CABundle is a PEM encoded CA bundle that will be used to validate the Conjur server certificate. - type: string - caProvider: - description: |- - Used to provide custom certificate authority (CA) certificates - for a secret store. The CAProvider points to a Secret or ConfigMap resource - that contains a PEM-encoded certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the object located at the provider type. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - description: URL is the endpoint of the Conjur instance. - type: string - required: - - auth - - url - type: object - delinea: - description: |- - Delinea DevOps Secrets Vault - https://docs.delinea.com/online-help/products/devops-secrets-vault/current - properties: - clientId: - description: ClientID is the non-secret part of the credential. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - clientSecret: - description: ClientSecret is the secret part of the credential. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - tenant: - description: Tenant is the chosen hostname / site name. - type: string - tld: - description: |- - TLD is based on the server location that was chosen during provisioning. - If unset, defaults to "com". - type: string - urlTemplate: - description: |- - URLTemplate - If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". - type: string - required: - - clientId - - clientSecret - - tenant - type: object - device42: - description: Device42 configures this store to sync secrets using the Device42 provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Device42 instance. - properties: - secretRef: - description: Device42SecretRef contains the secret reference for accessing the Device42 instance. - properties: - credentials: - description: Username / Password is used for authentication. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - required: - - secretRef - type: object - host: - description: URL configures the Device42 instance URL. - type: string - required: - - auth - - host - type: object - doppler: - description: Doppler configures this store to sync secrets using the Doppler provider - properties: - auth: - description: Auth configures how the Operator authenticates with the Doppler API - properties: - secretRef: - description: DopplerAuthSecretRef contains the secret reference for accessing the Doppler API. - properties: - dopplerToken: - description: |- - The DopplerToken is used for authentication. - See https://docs.doppler.com/reference/api#authentication for auth token types. - The Key attribute defaults to dopplerToken if not specified. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - dopplerToken - type: object - required: - - secretRef - type: object - config: - description: Doppler config (required if not using a Service Token) - type: string - format: - description: Format enables the downloading of secrets as a file (string) - enum: - - json - - dotnet-json - - env - - yaml - - docker - type: string - nameTransformer: - description: Environment variable compatible name transforms that change secret names to a different format - enum: - - upper-camel - - camel - - lower-snake - - tf-var - - dotnet-env - - lower-kebab - type: string - project: - description: Doppler project (required if not using a Service Token) - type: string - required: - - auth - type: object - fake: - description: Fake configures a store with static key/value pairs - properties: - data: - items: - description: FakeProviderData defines a key-value pair with optional version for the fake provider. - properties: - key: - type: string - value: - type: string - version: - type: string - required: - - key - - value - type: object - type: array - validationResult: - description: ValidationResult is defined type for the number of validation results. - type: integer - required: - - data - type: object - fortanix: - description: Fortanix configures this store to sync secrets using the Fortanix provider - properties: - apiKey: - description: APIKey is the API token to access SDKMS Applications. - properties: - secretRef: - description: SecretRef is a reference to a secret containing the SDKMS API Key. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - apiUrl: - description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`. - type: string - type: object - gcpsm: - description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider - properties: - auth: - description: Auth defines the information necessary to authenticate against GCP - properties: - secretRef: - description: GCPSMAuthSecretRef contains the secret references for GCP Secret Manager authentication. - properties: - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - workloadIdentity: - description: GCPWorkloadIdentity defines configuration for workload identity authentication to GCP. - properties: - clusterLocation: - description: |- - ClusterLocation is the location of the cluster - If not specified, it fetches information from the metadata server - type: string - clusterName: - description: |- - ClusterName is the name of the cluster - If not specified, it fetches information from the metadata server - type: string - clusterProjectID: - description: |- - ClusterProjectID is the project ID of the cluster - If not specified, it fetches information from the metadata server - type: string - serviceAccountRef: - description: ServiceAccountSelector is a reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - workloadIdentityFederation: - description: GCPWorkloadIdentityFederation holds the configurations required for generating federated access tokens. - properties: - audience: - description: |- - audience is the Secure Token Service (STS) audience which contains the resource name for the workload identity pool and the provider identifier in that pool. - If specified, Audience found in the external account credential config will be overridden with the configured value. - audience must be provided when serviceAccountRef or awsSecurityCredentials is configured. - type: string - awsSecurityCredentials: - description: |- - awsSecurityCredentials is for configuring AWS region and credentials to use for obtaining the access token, - when using the AWS metadata server is not an option. - properties: - awsCredentialsSecretRef: - description: |- - awsCredentialsSecretRef is the reference to the secret which holds the AWS credentials. - Secret should be created with below names for keys - - aws_access_key_id: Access Key ID, which is the unique identifier for the AWS account or the IAM user. - - aws_secret_access_key: Secret Access Key, which is used to authenticate requests made to AWS services. - - aws_session_token: Session Token, is the short-lived token to authenticate requests made to AWS services. - properties: - name: - description: name of the secret. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: namespace in which the secret exists. If empty, secret will looked up in local namespace. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - region: - description: region is for configuring the AWS region to be used. - example: ap-south-1 - maxLength: 50 - minLength: 1 - pattern: ^[a-z0-9-]+$ - type: string - required: - - awsCredentialsSecretRef - - region - type: object - credConfig: - description: |- - credConfig holds the configmap reference containing the GCP external account credential configuration in JSON format and the key name containing the json data. - For using Kubernetes cluster as the identity provider, use serviceAccountRef instead. Operators mounted serviceaccount token cannot be used as the token source, instead - serviceAccountRef must be used by providing operators service account details. - properties: - key: - description: key name holding the external account credential config. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: name of the configmap. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: namespace in which the configmap exists. If empty, configmap will looked up in local namespace. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - key - - name - type: object - externalTokenEndpoint: - description: |- - externalTokenEndpoint is the endpoint explicitly set up to provide tokens, which will be matched against the - credential_source.url in the provided credConfig. This field is merely to double-check the external token source - URL is having the expected value. - type: string - serviceAccountRef: - description: |- - serviceAccountRef is the reference to the kubernetes ServiceAccount to be used for obtaining the tokens, - when Kubernetes is configured as provider in workload identity pool. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - type: object - type: object - location: - description: Location optionally defines a location for a secret - type: string - projectID: - description: ProjectID project where secret is located - type: string - secretVersionSelectionPolicy: - default: LatestOrFail - description: |- - SecretVersionSelectionPolicy specifies how the provider selects a secret version - when "latest" is disabled or destroyed. - Possible values are: - - LatestOrFail: the provider always uses "latest", or fails if that version is disabled/destroyed. - - LatestOrFetch: the provider falls back to fetching the latest version if the version is DESTROYED or DISABLED - type: string - type: object - github: - description: |- - Github configures this store to push GitHub Action secrets using GitHub API provider. - Note: This provider only supports write operations (PushSecret) and cannot fetch secrets from GitHub - properties: - appID: - description: appID specifies the Github APP that will be used to authenticate the client - format: int64 - type: integer - auth: - description: auth configures how secret-manager authenticates with a Github instance. - properties: - privateKey: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - privateKey - type: object - environment: - description: environment will be used to fetch secrets from a particular environment within a github repository - type: string - installationID: - description: installationID specifies the Github APP installation that will be used to authenticate the client - format: int64 - type: integer - organization: - description: organization will be used to fetch secrets from the Github organization - type: string - repository: - description: repository will be used to fetch secrets from the Github repository within an organization - type: string - uploadURL: - description: Upload URL for enterprise instances. Default to URL. - type: string - url: - default: https://github.com/ - description: URL configures the Github instance URL. Defaults to https://github.com/. - type: string - required: - - appID - - auth - - installationID - - organization - type: object - gitlab: - description: GitLab configures this store to sync secrets using GitLab Variables provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a GitLab instance. - properties: - SecretRef: - description: GitlabSecretRef contains the secret reference for GitLab authentication credentials. - properties: - accessToken: - description: AccessToken is used for authentication. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - required: - - SecretRef - type: object - caBundle: - description: |- - Base64 encoded certificate for the GitLab server sdk. The sdk MUST run with HTTPS to make sure no MITM attack - can be performed. - format: byte - type: string - caProvider: - description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider' - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the object located at the provider type. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - environment: - description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments) - type: string - groupIDs: - description: GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables. - items: - type: string - type: array - inheritFromGroups: - description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets. - type: boolean - projectID: - description: ProjectID specifies a project where secrets are located. - type: string - url: - description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/. - type: string - required: - - auth - type: object - ibm: - description: IBM configures this store to sync secrets using IBM Cloud provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the IBM secrets manager. - maxProperties: 1 - minProperties: 1 - properties: - containerAuth: - description: IBMAuthContainerAuth defines container-based authentication with IAM Trusted Profile. - properties: - iamEndpoint: - type: string - profile: - description: the IBM Trusted Profile - type: string - tokenLocation: - description: Location the token is mounted on the pod - type: string - required: - - profile - type: object - secretRef: - description: IBMAuthSecretRef contains the secret reference for IBM Cloud API key authentication. - properties: - secretApiKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - type: object - serviceUrl: - description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance - type: string - required: - - auth - type: object - infisical: - description: Infisical configures this store to sync secrets using the Infisical provider - properties: - auth: - description: Auth configures how the Operator authenticates with the Infisical API - properties: - awsAuthCredentials: - description: AwsAuthCredentials represents the credentials for AWS authentication. - properties: - identityId: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - identityId - type: object - azureAuthCredentials: - description: AzureAuthCredentials represents the credentials for Azure authentication. - properties: - identityId: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - resource: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - identityId - type: object - gcpIamAuthCredentials: - description: GcpIamAuthCredentials represents the credentials for GCP IAM authentication. - properties: - identityId: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - serviceAccountKeyFilePath: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - identityId - - serviceAccountKeyFilePath - type: object - gcpIdTokenAuthCredentials: - description: GcpIDTokenAuthCredentials represents the credentials for GCP ID token authentication. - properties: - identityId: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - identityId - type: object - jwtAuthCredentials: - description: JwtAuthCredentials represents the credentials for JWT authentication. - properties: - identityId: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - jwt: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - identityId - - jwt - type: object - kubernetesAuthCredentials: - description: KubernetesAuthCredentials represents the credentials for Kubernetes authentication. - properties: - identityId: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - serviceAccountTokenPath: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - identityId - type: object - ldapAuthCredentials: - description: LdapAuthCredentials represents the credentials for LDAP authentication. - properties: - identityId: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - ldapPassword: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - ldapUsername: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - identityId - - ldapPassword - - ldapUsername - type: object - ociAuthCredentials: - description: OciAuthCredentials represents the credentials for OCI authentication. - properties: - fingerprint: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - identityId: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - privateKey: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - privateKeyPassphrase: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - region: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - tenancyId: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - userId: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - fingerprint - - identityId - - privateKey - - region - - tenancyId - - userId - type: object - tokenAuthCredentials: - description: TokenAuthCredentials represents the credentials for access token-based authentication. - properties: - accessToken: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - accessToken - type: object - universalAuthCredentials: - description: UniversalAuthCredentials represents the client credentials for universal authentication. - properties: - clientId: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - clientSecret: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - clientId - - clientSecret - type: object - type: object - hostAPI: - default: https://app.infisical.com/api - description: HostAPI specifies the base URL of the Infisical API. If not provided, it defaults to "https://app.infisical.com/api". - type: string - secretsScope: - description: SecretsScope defines the scope of the secrets within the workspace - properties: - environmentSlug: - description: EnvironmentSlug is the required slug identifier for the environment. - type: string - expandSecretReferences: - default: true - description: ExpandSecretReferences indicates whether secret references should be expanded. Defaults to true if not provided. - type: boolean - projectSlug: - description: ProjectSlug is the required slug identifier for the project. - type: string - recursive: - default: false - description: Recursive indicates whether the secrets should be fetched recursively. Defaults to false if not provided. - type: boolean - secretsPath: - default: / - description: SecretsPath specifies the path to the secrets within the workspace. Defaults to "/" if not provided. - type: string - required: - - environmentSlug - - projectSlug - type: object - required: - - auth - - secretsScope - type: object - keepersecurity: - description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider - properties: - authRef: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - folderID: - type: string - required: - - authRef - - folderID - type: object - kubernetes: - description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Kubernetes instance. - maxProperties: 1 - minProperties: 1 - properties: - cert: - description: has both clientCert and clientKey as secretKeySelector - properties: - clientCert: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - clientKey: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - serviceAccount: - description: points to a service account that should be used for authentication - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - token: - description: use static token to authenticate with - properties: - bearerToken: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - type: object - authRef: - description: A reference to a secret that contains the auth information. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - remoteNamespace: - default: default - description: Remote namespace to fetch the secrets from - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - server: - description: configures the Kubernetes server Address. - properties: - caBundle: - description: CABundle is a base64-encoded CA certificate - format: byte - type: string - caProvider: - description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider' - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the object located at the provider type. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - default: kubernetes.default - description: configures the Kubernetes server Address. - type: string - type: object - type: object - ngrok: - description: Ngrok configures this store to sync secrets using the ngrok provider. - properties: - apiUrl: - default: https://api.ngrok.com - description: APIURL is the URL of the ngrok API. - type: string - auth: - description: Auth configures how the ngrok provider authenticates with the ngrok API. - maxProperties: 1 - minProperties: 1 - properties: - apiKey: - description: APIKey is the API Key used to authenticate with ngrok. See https://ngrok.com/docs/api/#authentication - properties: - secretRef: - description: SecretRef is a reference to a secret containing the ngrok API key. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - type: object - vault: - description: Vault configures the ngrok vault to sync secrets with. - properties: - name: - description: Name is the name of the ngrok vault to sync secrets with. - type: string - required: - - name - type: object - required: - - auth - - vault - type: object - onboardbase: - description: Onboardbase configures this store to sync secrets using the Onboardbase provider - properties: - apiHost: - default: https://public.onboardbase.com/api/v1/ - description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/ - type: string - auth: - description: Auth configures how the Operator authenticates with the Onboardbase API - properties: - apiKeyRef: - description: |- - OnboardbaseAPIKey is the APIKey generated by an admin account. - It is used to recognize and authorize access to a project and environment within onboardbase - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - passcodeRef: - description: OnboardbasePasscode is the passcode attached to the API Key - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - apiKeyRef - - passcodeRef - type: object - environment: - default: development - description: Environment is the name of an environmnent within a project to pull the secrets from - type: string - project: - default: development - description: Project is an onboardbase project that the secrets should be pulled from - type: string - required: - - apiHost - - auth - - environment - - project - type: object - onepassword: - description: OnePassword configures this store to sync secrets using the 1Password Cloud provider - properties: - auth: - description: Auth defines the information necessary to authenticate against OnePassword Connect Server - properties: - secretRef: - description: OnePasswordAuthSecretRef holds secret references for 1Password credentials. - properties: - connectTokenSecretRef: - description: The ConnectToken is used for authentication to a 1Password Connect Server. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - connectTokenSecretRef - type: object - required: - - secretRef - type: object - connectHost: - description: ConnectHost defines the OnePassword Connect Server to connect to - type: string - vaults: - additionalProperties: - type: integer - description: Vaults defines which OnePassword vaults to search in which order - type: object - required: - - auth - - connectHost - - vaults - type: object - onepasswordSDK: - description: OnePasswordSDK configures this store to use 1Password's new Go SDK to sync secrets. - properties: - auth: - description: Auth defines the information necessary to authenticate against OnePassword API. - properties: - serviceAccountSecretRef: - description: ServiceAccountSecretRef points to the secret containing the token to access 1Password vault. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - serviceAccountSecretRef - type: object - integrationInfo: - description: |- - IntegrationInfo specifies the name and version of the integration built using the 1Password Go SDK. - If you don't know which name and version to use, use `DefaultIntegrationName` and `DefaultIntegrationVersion`, respectively. - properties: - name: - default: 1Password SDK - description: Name defaults to "1Password SDK". - type: string - version: - default: v1.0.0 - description: Version defaults to "v1.0.0". - type: string - type: object - vault: - description: Vault defines the vault's name or uuid to access. Do NOT add op:// prefix. This will be done automatically. - type: string - required: - - auth - - vault - type: object - oracle: - description: Oracle configures this store to sync secrets using Oracle Vault provider - properties: - auth: - description: |- - Auth configures how secret-manager authenticates with the Oracle Vault. - If empty, use the instance principal, otherwise the user credentials specified in Auth. - properties: - secretRef: - description: SecretRef to pass through sensitive information. - properties: - fingerprint: - description: Fingerprint is the fingerprint of the API private key. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - privatekey: - description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - fingerprint - - privatekey - type: object - tenancy: - description: Tenancy is the tenancy OCID where user is located. - type: string - user: - description: User is an access OCID specific to the account. - type: string - required: - - secretRef - - tenancy - - user - type: object - compartment: - description: |- - Compartment is the vault compartment OCID. - Required for PushSecret - type: string - encryptionKey: - description: |- - EncryptionKey is the OCID of the encryption key within the vault. - Required for PushSecret - type: string - principalType: - description: |- - The type of principal to use for authentication. If left blank, the Auth struct will - determine the principal type. This optional field must be specified if using - workload identity. - enum: - - "" - - UserPrincipal - - InstancePrincipal - - Workload - type: string - region: - description: Region is the region where vault is located. - type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - vault: - description: Vault is the vault's OCID of the specific vault where secret is located. - type: string - required: - - region - - vault - type: object - passbolt: - description: |- - PassboltProvider provides access to Passbolt secrets manager. - See: https://www.passbolt.com. - properties: - auth: - description: Auth defines the information necessary to authenticate against Passbolt Server - properties: - passwordSecretRef: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - privateKeySecretRef: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - passwordSecretRef - - privateKeySecretRef - type: object - host: - description: Host defines the Passbolt Server to connect to - type: string - required: - - auth - - host - type: object - passworddepot: - description: PasswordDepotProvider configures a store to sync secrets with a Password Depot instance. - properties: - auth: - description: Auth configures how secret-manager authenticates with a Password Depot instance. - properties: - secretRef: - description: PasswordDepotSecretRef contains the secret reference for Password Depot authentication. - properties: - credentials: - description: Username / Password is used for authentication. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - required: - - secretRef - type: object - database: - description: Database to use as source - type: string - host: - description: URL configures the Password Depot instance URL. - type: string - required: - - auth - - database - - host - type: object - previder: - description: Previder configures this store to sync secrets using the Previder provider - properties: - auth: - description: PreviderAuth contains a secretRef for credentials. - properties: - secretRef: - description: PreviderAuthSecretRef holds secret references for Previder Vault credentials. - properties: - accessToken: - description: The AccessToken is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - accessToken - type: object - type: object - baseUri: - type: string - required: - - auth - type: object - pulumi: - description: Pulumi configures this store to sync secrets using the Pulumi provider - properties: - accessToken: - description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console. - properties: - secretRef: - description: SecretRef is a reference to a secret containing the Pulumi API token. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - apiUrl: - default: https://api.pulumi.com/api/esc - description: APIURL is the URL of the Pulumi API. - type: string - environment: - description: |- - Environment are YAML documents composed of static key-value pairs, programmatic expressions, - dynamically retrieved values from supported providers including all major clouds, - and other Pulumi ESC environments. - To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information. - type: string - organization: - description: |- - Organization are a space to collaborate on shared projects and stacks. - To create a new organization, visit https://app.pulumi.com/ and click "New Organization". - type: string - project: - description: Project is the name of the Pulumi ESC project the environment belongs to. - type: string - required: - - accessToken - - environment - - organization - - project - type: object - scaleway: - description: Scaleway - properties: - accessKey: - description: AccessKey is the non-secret part of the api key. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - apiUrl: - description: APIURL is the url of the api to use. Defaults to https://api.scaleway.com - type: string - projectId: - description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings' - type: string - region: - description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone' - type: string - secretKey: - description: SecretKey is the non-secret part of the api key. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - required: - - accessKey - - projectId - - region - - secretKey - type: object - secretserver: - description: |- - SecretServer configures this store to sync secrets using SecretServer provider - https://docs.delinea.com/online-help/secret-server/start.htm - properties: - domain: - description: Domain is the secret server domain. - type: string - password: - description: Password is the secret server account password. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - serverURL: - description: |- - ServerURL - URL to your secret server installation - type: string - username: - description: Username is the secret server account username. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - required: - - password - - serverURL - - username - type: object - senhasegura: - description: Senhasegura configures this store to sync secrets using senhasegura provider - properties: - auth: - description: Auth defines parameters to authenticate in senhasegura - properties: - clientId: - type: string - clientSecretSecretRef: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - clientId - - clientSecretSecretRef - type: object - ignoreSslCertificate: - default: false - description: IgnoreSslCertificate defines if SSL certificate must be ignored - type: boolean - module: - description: Module defines which senhasegura module should be used to get secrets - type: string - url: - description: URL of senhasegura - type: string - required: - - auth - - module - - url - type: object - vault: - description: Vault configures this store to sync secrets using Hashi provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the Vault server. - properties: - appRole: - description: |- - AppRole authenticates with Vault using the App Role auth mechanism, - with the role and secret stored in a Kubernetes Secret resource. - properties: - path: - default: approle - description: |- - Path where the App Role authentication backend is mounted - in Vault, e.g: "approle" - type: string - roleId: - description: |- - RoleID configured in the App Role authentication backend when setting - up the authentication backend in Vault. - type: string - roleRef: - description: |- - Reference to a key in a Secret that contains the App Role ID used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role id. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - secretRef: - description: |- - Reference to a key in a Secret that contains the App Role secret used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role secret. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - path - - secretRef - type: object - cert: - description: |- - Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate - Cert authentication method - properties: - clientCert: - description: |- - ClientCert is a certificate to authenticate using the Cert Vault - authentication method - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - path: - default: cert - description: |- - Path where the Certificate authentication backend is mounted - in Vault, e.g: "cert" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing client private key to - authenticate with Vault using the Cert authentication method - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - iam: - description: |- - Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials - AWS IAM authentication method - properties: - externalID: - description: AWS External ID set on assumed IAM roles - type: string - jwt: - description: Specify a service account with IRSA enabled - properties: - serviceAccountRef: - description: ServiceAccountSelector is a reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - type: object - path: - description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' - type: string - region: - description: AWS region - type: string - role: - description: This is the AWS role to be assumed before talking to vault - type: string - secretRef: - description: Specify credentials in a Secret object - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - sessionTokenSecretRef: - description: |- - The SessionToken used for authentication - This must be defined if AccessKeyID and SecretAccessKey are temporary credentials - see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - vaultAwsIamServerID: - description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' - type: string - vaultRole: - description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine - type: string - required: - - vaultRole - type: object - jwt: - description: |- - Jwt authenticates with Vault by passing role and JWT token using the - JWT/OIDC authentication method - properties: - kubernetesServiceAccountToken: - description: |- - Optional ServiceAccountToken specifies the Kubernetes service account for which to request - a token for with the `TokenRequest` API. - properties: - audiences: - description: |- - Optional audiences field that will be used to request a temporary Kubernetes service - account token for the service account referenced by `serviceAccountRef`. - Defaults to a single audience `vault` it not specified. - Deprecated: use serviceAccountRef.Audiences instead - items: - type: string - type: array - expirationSeconds: - description: |- - Optional expiration time in seconds that will be used to request a temporary - Kubernetes service account token for the service account referenced by - `serviceAccountRef`. - Deprecated: this will be removed in the future. - Defaults to 10 minutes. - format: int64 - type: integer - serviceAccountRef: - description: Service account field containing the name of a kubernetes ServiceAccount. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - path: - default: jwt - description: |- - Path where the JWT authentication backend is mounted - in Vault, e.g: "jwt" - type: string - role: - description: |- - Role is a JWT role to authenticate using the JWT/OIDC Vault - authentication method - type: string - secretRef: - description: |- - Optional SecretRef that refers to a key in a Secret resource containing JWT token to - authenticate with Vault using the JWT/OIDC authentication method. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - path - type: object - kubernetes: - description: |- - Kubernetes authenticates with Vault by passing the ServiceAccount - token stored in the named Secret resource to the Vault server. - properties: - mountPath: - default: kubernetes - description: |- - Path where the Kubernetes authentication backend is mounted in Vault, e.g: - "kubernetes" - type: string - role: - description: |- - A required field containing the Vault Role to assume. A Role binds a - Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Vault. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Vault. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - required: - - mountPath - - role - type: object - ldap: - description: |- - Ldap authenticates with Vault by passing username/password pair using - the LDAP authentication method - properties: - path: - default: ldap - description: |- - Path where the LDAP authentication backend is mounted - in Vault, e.g: "ldap" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the LDAP - user used to authenticate with Vault using the LDAP authentication - method - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - username: - description: |- - Username is an LDAP username used to authenticate using the LDAP Vault - authentication method - type: string - required: - - path - - username - type: object - namespace: - description: |- - Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. - Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - This will default to Vault.Namespace field if set, or empty otherwise - type: string - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - userPass: - description: UserPass authenticates with Vault by passing username/password pair - properties: - path: - default: userpass - description: |- - Path where the UserPassword authentication backend is mounted - in Vault, e.g: "userpass" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the - user used to authenticate with Vault using the UserPass authentication - method - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - username: - description: |- - Username is a username used to authenticate using the UserPass Vault - authentication method - type: string - required: - - path - - username - type: object - type: object - caBundle: - description: |- - PEM encoded CA bundle used to validate Vault server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Vault server certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the object located at the provider type. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - checkAndSet: - description: |- - CheckAndSet defines the Check-And-Set (CAS) settings for PushSecret operations. - Only applies to Vault KV v2 stores. When enabled, write operations must include - the current version of the secret to prevent unintentional overwrites. - properties: - required: - description: |- - Required when true, all write operations must include a check-and-set parameter. - This helps prevent unintentional overwrites of secrets. - type: boolean - type: object - forwardInconsistent: - description: |- - ForwardInconsistent tells Vault to forward read-after-write requests to the Vault - leader instead of simply retrying within a loop. This can increase performance if - the option is enabled serverside. - https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header - type: boolean - headers: - additionalProperties: - type: string - description: Headers to be added in Vault request - type: object - namespace: - description: |- - Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - type: string - path: - description: |- - Path is the mount path of the Vault KV backend endpoint, e.g: - "secret". The v2 KV secret engine version specific "/data" path suffix - for fetching secrets from Vault is optional and will be appended - if not present in specified path. - type: string - readYourWrites: - description: |- - ReadYourWrites ensures isolated read-after-write semantics by - providing discovered cluster replication states in each request. - More information about eventual consistency in Vault can be found here - https://www.vaultproject.io/docs/enterprise/consistency - type: boolean - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - tls: - description: |- - The configuration used for client side related TLS communication, when the Vault server - requires mutual authentication. Only used if the Server URL is using HTTPS protocol. - This parameter is ignored for plain HTTP protocol connection. - It's worth noting this configuration is different from the "TLS certificates auth method", - which is available under the `auth.cert` section. - properties: - certSecretRef: - description: |- - CertSecretRef is a certificate added to the transport layer - when communicating with the Vault server. - If no key for the Secret is specified, external-secret will default to 'tls.crt'. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - keySecretRef: - description: |- - KeySecretRef to a key in a Secret resource containing client private key - added to the transport layer when communicating with the Vault server. - If no key for the Secret is specified, external-secret will default to 'tls.key'. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - version: - default: v2 - description: |- - Version is the Vault KV secret engine version. This can be either "v1" or - "v2". Version defaults to "v2". - enum: - - v1 - - v2 - type: string - required: - - server - type: object - volcengine: - description: Volcengine configures this store to sync secrets using the Volcengine provider - properties: - auth: - description: |- - Auth defines the authentication method to use. - If not specified, the provider will try to use IRSA (IAM Role for Service Account). - properties: - secretRef: - description: |- - SecretRef defines the static credentials to use for authentication. - If not set, IRSA is used. - properties: - accessKeyID: - description: AccessKeyID is the reference to the secret containing the Access Key ID. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - secretAccessKey: - description: SecretAccessKey is the reference to the secret containing the Secret Access Key. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - token: - description: Token is the reference to the secret containing the STS(Security Token Service) Token. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - accessKeyID - - secretAccessKey - type: object - type: object - region: - description: Region specifies the Volcengine region to connect to. - type: string - required: - - region - type: object - webhook: - description: Webhook configures this store to sync secrets using a generic templated webhook - properties: - auth: - description: Auth specifies a authorization protocol. Only one protocol may be set. - maxProperties: 1 - minProperties: 1 - properties: - ntlm: - description: NTLMProtocol configures the store to use NTLM for auth - properties: - passwordSecret: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - usernameSecret: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - passwordSecret - - usernameSecret - type: object - type: object - body: - description: Body - type: string - caBundle: - description: |- - PEM encoded CA bundle used to validate webhook server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate webhook server certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the object located at the provider type. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: The namespace the Provider type is in. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - headers: - additionalProperties: - type: string - description: Headers - type: object - method: - description: Webhook Method - type: string - result: - description: Result formatting - properties: - jsonPath: - description: Json path of return value - type: string - type: object - secrets: - description: |- - Secrets to fill in templates - These secrets will be passed to the templating function as key value pairs under the given name - items: - description: WebhookSecret defines a secret that will be passed to the webhook request. - properties: - name: - description: Name of this secret in templates - type: string - secretRef: - description: Secret ref to fill in credentials - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - name - - secretRef - type: object - type: array - timeout: - description: Timeout - type: string - url: - description: Webhook url to call - type: string - required: - - url - type: object - yandexcertificatemanager: - description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex.Cloud - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - fetching: - description: FetchingPolicy configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as certificate ID or certificate name - maxProperties: 1 - minProperties: 1 - properties: - byID: - description: ByID configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret ID. - type: object - byName: - description: ByName configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret name. - properties: - folderID: - description: The folder to fetch secrets from - type: string - required: - - folderID - type: object - type: object - required: - - auth - type: object - yandexlockbox: - description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex.Cloud - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - fetching: - description: FetchingPolicy configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret ID or secret name - maxProperties: 1 - minProperties: 1 - properties: - byID: - description: ByID configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret ID. - type: object - byName: - description: ByName configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret name. - properties: - folderID: - description: The folder to fetch secrets from - type: string - required: - - folderID - type: object - type: object - required: - - auth - type: object - type: object - refreshInterval: - description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config. - type: integer - retrySettings: - description: Used to configure http retries if failed - properties: - maxRetries: - format: int32 - type: integer - retryInterval: - type: string - type: object - required: - - provider - type: object - status: - description: SecretStoreStatus defines the observed state of the SecretStore. - properties: - capabilities: - description: SecretStoreCapabilities defines the possible operations a SecretStore can do. - type: string - conditions: - items: - description: SecretStoreStatusCondition contains condition information for a SecretStore. - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - description: SecretStoreConditionType represents the condition of the SecretStore. - type: string - required: - - status - - type - type: object - type: array - type: object - type: object - served: true - storage: true - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - - jsonPath: .status.capabilities - name: Capabilities - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - deprecated: true - name: v1beta1 - schema: - openAPIV3Schema: - description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: SecretStoreSpec defines the desired state of SecretStore. - properties: - conditions: - description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore - items: - description: |- - ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in - for a ClusterSecretStore instance. - properties: - namespaceRegexes: - description: Choose namespaces by using regex matching - items: - type: string - type: array - namespaceSelector: - description: Choose namespace using a labelSelector - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Choose namespaces by name - items: - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: array - type: object - type: array - controller: - description: |- - Used to select the correct ESO controller (think: ingress.ingressClassName) - The ESO controller is instantiated with a specific controller name and filters ES based on this property - type: string - provider: - description: Used to configure the provider. Only one provider may be set - maxProperties: 1 - minProperties: 1 - properties: - akeyless: - description: Akeyless configures this store to sync secrets using Akeyless Vault provider - properties: - akeylessGWApiURL: - description: Akeyless GW API Url from which the secrets to be fetched from. - type: string - authSecretRef: - description: Auth configures how the operator authenticates with Akeyless. - properties: - kubernetesAuth: - description: |- - Kubernetes authenticates with Akeyless by passing the ServiceAccount - token stored in the named Secret resource. - properties: - accessID: - description: the Akeyless Kubernetes auth-method access-id - type: string - k8sConfName: - description: Kubernetes-auth configuration name in Akeyless-Gateway - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Akeyless. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Akeyless. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - required: - - accessID - - k8sConfName - type: object - secretRef: - description: |- - Reference to a Secret that contains the details - to authenticate with Akeyless. - properties: - accessID: - description: The SecretAccessID is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - accessType: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - accessTypeParam: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - type: object - caBundle: - description: |- - PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used - if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Akeyless Gateway certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the object located at the provider type. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - required: - - akeylessGWApiURL - - authSecretRef - type: object - alibaba: - description: Alibaba configures this store to sync secrets using Alibaba Cloud provider - properties: - auth: - description: AlibabaAuth contains a secretRef for credentials. - properties: - rrsa: - description: AlibabaRRSAAuth authenticates against Alibaba using RRSA (Resource-oriented RAM-based Service Authentication). - properties: - oidcProviderArn: - type: string - oidcTokenFilePath: - type: string - roleArn: - type: string - sessionName: - type: string - required: - - oidcProviderArn - - oidcTokenFilePath - - roleArn - - sessionName - type: object - secretRef: - description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - accessKeySecretSecretRef: - description: The AccessKeySecret is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - accessKeyIDSecretRef - - accessKeySecretSecretRef - type: object - type: object - regionID: - description: Alibaba Region to be used for the provider - type: string - required: - - auth - - regionID - type: object - aws: - description: AWS configures this store to sync secrets using AWS Secret Manager provider - properties: - additionalRoles: - description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role - items: - type: string - type: array - auth: - description: |- - Auth defines the information necessary to authenticate against AWS - if not set aws sdk will infer credentials from your environment - see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - properties: - jwt: - description: AWSJWTAuth authenticates against AWS using service account tokens from the Kubernetes cluster. - properties: - serviceAccountRef: - description: ServiceAccountSelector is a reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - type: object - secretRef: - description: |- - AWSAuthSecretRef holds secret references for AWS credentials - both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - sessionTokenSecretRef: - description: |- - The SessionToken used for authentication - This must be defined if AccessKeyID and SecretAccessKey are temporary credentials - see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - type: object - externalID: - description: AWS External ID set on assumed IAM roles - type: string - prefix: - description: Prefix adds a prefix to all retrieved values. - type: string - region: - description: AWS Region to be used for the provider - type: string - role: - description: Role is a Role ARN which the provider will assume - type: string - secretsManager: - description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager - properties: - forceDeleteWithoutRecovery: - description: |- - Specifies whether to delete the secret without any recovery window. You - can't use both this parameter and RecoveryWindowInDays in the same call. - If you don't use either, then by default Secrets Manager uses a 30 day - recovery window. - see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery - type: boolean - recoveryWindowInDays: - description: |- - The number of days from 7 to 30 that Secrets Manager waits before - permanently deleting the secret. You can't use both this parameter and - ForceDeleteWithoutRecovery in the same call. If you don't use either, - then by default Secrets Manager uses a 30 day recovery window. - see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays - format: int64 - type: integer - type: object - service: - description: Service defines which service should be used to fetch the secrets - enum: - - SecretsManager - - ParameterStore - type: string - sessionTags: - description: AWS STS assume role session tags - items: - description: Tag defines a tag key and value for AWS resources. - properties: - key: - type: string - value: - type: string - required: - - key - - value - type: object - type: array - transitiveTagKeys: - description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider - items: - type: string - type: array - required: - - region - - service - type: object - azurekv: - description: AzureKV configures this store to sync secrets using Azure Key Vault provider - properties: - authSecretRef: - description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. - properties: - clientCertificate: - description: The Azure ClientCertificate of the service principle used for authentication. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - clientId: - description: The Azure clientId of the service principle or managed identity used for authentication. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - clientSecret: - description: The Azure ClientSecret of the service principle used for authentication. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - tenantId: - description: The Azure tenantId of the managed identity used for authentication. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - authType: - default: ServicePrincipal - description: |- - Auth type defines how to authenticate to the keyvault service. - Valid values are: - - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) - enum: - - ServicePrincipal - - ManagedIdentity - - WorkloadIdentity - type: string - environmentType: - default: PublicCloud - description: |- - EnvironmentType specifies the Azure cloud environment endpoints to use for - connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. - The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 - PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud - enum: - - PublicCloud - - USGovernmentCloud - - ChinaCloud - - GermanCloud - type: string - identityId: - description: If multiple Managed Identity is assigned to the pod, you can select the one to be used - type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. - type: string - vaultUrl: - description: Vault Url from which the secrets to be fetched from. - type: string - required: - - vaultUrl - type: object - beyondtrust: - description: Beyondtrust configures this store to sync secrets using Password Safe provider. - properties: - auth: - description: Auth configures how the operator authenticates with Beyondtrust. - properties: - apiKey: - description: APIKey If not provided then ClientID/ClientSecret become required. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - certificate: - description: Certificate (cert.pem) for use when authenticating with an OAuth client Id using a Client Certificate. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - certificateKey: - description: Certificate private key (key.pem). For use when authenticating with an OAuth client Id - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - clientId: - description: ClientID is the API OAuth Client ID. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - clientSecret: - description: ClientSecret is the API OAuth Client Secret. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - type: object - server: - description: Auth configures how API server works. - properties: - apiUrl: - type: string - apiVersion: - type: string - clientTimeOutSeconds: - description: Timeout specifies a time limit for requests made by this Client. The timeout includes connection time, any redirects, and reading the response body. Defaults to 45 seconds. - type: integer - retrievalType: - description: The secret retrieval type. SECRET = Secrets Safe (credential, text, file). MANAGED_ACCOUNT = Password Safe account associated with a system. - type: string - separator: - description: A character that separates the folder names. - type: string - verifyCA: - type: boolean - required: - - apiUrl - - verifyCA - type: object - required: - - auth - - server - type: object - bitwardensecretsmanager: - description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider - properties: - apiURL: - type: string - auth: - description: |- - Auth configures how secret-manager authenticates with a bitwarden machine account instance. - Make sure that the token being used has permissions on the given secret. - properties: - secretRef: - description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance. - properties: - credentials: - description: AccessToken used for the bitwarden instance. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - credentials - type: object - required: - - secretRef - type: object - bitwardenServerSDKURL: - type: string - caBundle: - description: |- - Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack - can be performed. - type: string - caProvider: - description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider' - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the object located at the provider type. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - identityURL: - type: string - organizationID: - description: OrganizationID determines which organization this secret store manages. - type: string - projectID: - description: ProjectID determines which project this secret store manages. - type: string - required: - - auth - - organizationID - - projectID - type: object - chef: - description: Chef configures this store to sync secrets with chef server - properties: - auth: - description: Auth defines the information necessary to authenticate against chef Server - properties: - secretRef: - description: ChefAuthSecretRef holds secret references for chef server login credentials. - properties: - privateKeySecretRef: - description: SecretKey is the Signing Key in PEM format, used for authentication. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - privateKeySecretRef - type: object - required: - - secretRef - type: object - serverUrl: - description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/" - type: string - username: - description: UserName should be the user ID on the chef server - type: string - required: - - auth - - serverUrl - - username - type: object - cloudrusm: - description: CloudruSM configures this store to sync secrets using the Cloud.ru Secret Manager provider - properties: - auth: - description: CSMAuth contains a secretRef for credentials. - properties: - secretRef: - description: CSMAuthSecretRef holds secret references for Cloud.ru credentials. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - accessKeySecretSecretRef: - description: The AccessKeySecret is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - accessKeyIDSecretRef - - accessKeySecretSecretRef - type: object - type: object - projectID: - description: ProjectID is the project, which the secrets are stored in. - type: string - required: - - auth - type: object - conjur: - description: Conjur configures this store to sync secrets using conjur provider - properties: - auth: - description: Defines authentication settings for connecting to Conjur. - properties: - apikey: - description: Authenticates with Conjur using an API key. - properties: - account: - description: Account is the Conjur organization account name. - type: string - apiKeyRef: - description: |- - A reference to a specific 'key' containing the Conjur API key - within a Secret resource. In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - userRef: - description: |- - A reference to a specific 'key' containing the Conjur username - within a Secret resource. In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - account - - apiKeyRef - - userRef - type: object - jwt: - description: Jwt enables JWT authentication using Kubernetes service account tokens. - properties: - account: - description: Account is the Conjur organization account name. - type: string - hostId: - description: |- - Optional HostID for JWT authentication. This may be used depending - on how the Conjur JWT authenticator policy is configured. - type: string - secretRef: - description: |- - Optional SecretRef that refers to a key in a Secret resource containing JWT token to - authenticate with Conjur using the JWT authentication method. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - serviceAccountRef: - description: |- - Optional ServiceAccountRef specifies the Kubernetes service account for which to request - a token for with the `TokenRequest` API. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - serviceID: - description: The conjur authn jwt webservice id - type: string - required: - - account - - serviceID - type: object - type: object - caBundle: - description: CABundle is a PEM encoded CA bundle that will be used to validate the Conjur server certificate. - type: string - caProvider: - description: |- - Used to provide custom certificate authority (CA) certificates - for a secret store. The CAProvider points to a Secret or ConfigMap resource - that contains a PEM-encoded certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the object located at the provider type. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - description: URL is the endpoint of the Conjur instance. - type: string - required: - - auth - - url - type: object - delinea: - description: |- - Delinea DevOps Secrets Vault - https://docs.delinea.com/online-help/products/devops-secrets-vault/current - properties: - clientId: - description: ClientID is the non-secret part of the credential. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - clientSecret: - description: ClientSecret is the secret part of the credential. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - tenant: - description: Tenant is the chosen hostname / site name. - type: string - tld: - description: |- - TLD is based on the server location that was chosen during provisioning. - If unset, defaults to "com". - type: string - urlTemplate: - description: |- - URLTemplate - If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". - type: string - required: - - clientId - - clientSecret - - tenant - type: object - device42: - description: Device42 configures this store to sync secrets using the Device42 provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Device42 instance. - properties: - secretRef: - description: Device42SecretRef defines a reference to a secret containing credentials for the Device42 provider. - properties: - credentials: - description: Username / Password is used for authentication. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - required: - - secretRef - type: object - host: - description: URL configures the Device42 instance URL. - type: string - required: - - auth - - host - type: object - doppler: - description: Doppler configures this store to sync secrets using the Doppler provider - properties: - auth: - description: Auth configures how the Operator authenticates with the Doppler API - properties: - secretRef: - description: DopplerAuthSecretRef defines a reference to a secret containing credentials for the Doppler provider. - properties: - dopplerToken: - description: |- - The DopplerToken is used for authentication. - See https://docs.doppler.com/reference/api#authentication for auth token types. - The Key attribute defaults to dopplerToken if not specified. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - dopplerToken - type: object - required: - - secretRef - type: object - config: - description: Doppler config (required if not using a Service Token) - type: string - format: - description: Format enables the downloading of secrets as a file (string) - enum: - - json - - dotnet-json - - env - - yaml - - docker - type: string - nameTransformer: - description: Environment variable compatible name transforms that change secret names to a different format - enum: - - upper-camel - - camel - - lower-snake - - tf-var - - dotnet-env - - lower-kebab - type: string - project: - description: Doppler project (required if not using a Service Token) - type: string - required: - - auth - type: object - fake: - description: Fake configures a store with static key/value pairs - properties: - data: - items: - description: FakeProviderData defines a key-value pair for the fake provider used in testing. - properties: - key: - type: string - value: - type: string - version: - type: string - required: - - key - - value - type: object - type: array - required: - - data - type: object - fortanix: - description: Fortanix configures this store to sync secrets using the Fortanix provider - properties: - apiKey: - description: APIKey is the API token to access SDKMS Applications. - properties: - secretRef: - description: SecretRef is a reference to a secret containing the SDKMS API Key. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - apiUrl: - description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`. - type: string - type: object - gcpsm: - description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider - properties: - auth: - description: Auth defines the information necessary to authenticate against GCP - properties: - secretRef: - description: GCPSMAuthSecretRef defines a reference to a secret containing credentials for the GCP Secret Manager provider. - properties: - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - workloadIdentity: - description: GCPWorkloadIdentity defines configuration for using GCP Workload Identity authentication. - properties: - clusterLocation: - description: |- - ClusterLocation is the location of the cluster - If not specified, it fetches information from the metadata server - type: string - clusterName: - description: |- - ClusterName is the name of the cluster - If not specified, it fetches information from the metadata server - type: string - clusterProjectID: - description: |- - ClusterProjectID is the project ID of the cluster - If not specified, it fetches information from the metadata server - type: string - serviceAccountRef: - description: ServiceAccountSelector is a reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - type: object - location: - description: Location optionally defines a location for a secret - type: string - projectID: - description: ProjectID project where secret is located - type: string - type: object - github: - description: Github configures this store to push Github Action secrets using Github API provider - properties: - appID: - description: appID specifies the Github APP that will be used to authenticate the client - format: int64 - type: integer - auth: - description: auth configures how secret-manager authenticates with a Github instance. - properties: - privateKey: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - privateKey - type: object - environment: - description: environment will be used to fetch secrets from a particular environment within a github repository - type: string - installationID: - description: installationID specifies the Github APP installation that will be used to authenticate the client - format: int64 - type: integer - organization: - description: organization will be used to fetch secrets from the Github organization - type: string - repository: - description: repository will be used to fetch secrets from the Github repository within an organization - type: string - uploadURL: - description: Upload URL for enterprise instances. Default to URL. - type: string - url: - default: https://github.com/ - description: URL configures the Github instance URL. Defaults to https://github.com/. - type: string - required: - - appID - - auth - - installationID - - organization - type: object - gitlab: - description: GitLab configures this store to sync secrets using GitLab Variables provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a GitLab instance. - properties: - SecretRef: - description: GitlabSecretRef defines a reference to a secret containing credentials for the GitLab provider. - properties: - accessToken: - description: AccessToken is used for authentication. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - required: - - SecretRef - type: object - caBundle: - description: |- - Base64 encoded certificate for the GitLab server sdk. The sdk MUST run with HTTPS to make sure no MITM attack - can be performed. - format: byte - type: string - caProvider: - description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider' - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the object located at the provider type. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - environment: - description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments) - type: string - groupIDs: - description: GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables. - items: - type: string - type: array - inheritFromGroups: - description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets. - type: boolean - projectID: - description: ProjectID specifies a project where secrets are located. - type: string - url: - description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/. - type: string - required: - - auth - type: object - ibm: - description: IBM configures this store to sync secrets using IBM Cloud provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the IBM secrets manager. - maxProperties: 1 - minProperties: 1 - properties: - containerAuth: - description: IBMAuthContainerAuth defines authentication using IBM Container-based auth with IAM Trusted Profile. - properties: - iamEndpoint: - type: string - profile: - description: the IBM Trusted Profile - type: string - tokenLocation: - description: Location the token is mounted on the pod - type: string - required: - - profile - type: object - secretRef: - description: IBMAuthSecretRef defines a reference to a secret containing credentials for the IBM provider. - properties: - secretApiKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - type: object - serviceUrl: - description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance - type: string - required: - - auth - type: object - infisical: - description: Infisical configures this store to sync secrets using the Infisical provider - properties: - auth: - description: Auth configures how the Operator authenticates with the Infisical API - properties: - universalAuthCredentials: - description: UniversalAuthCredentials defines the credentials for Infisical Universal Auth. - properties: - clientId: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - clientSecret: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - clientId - - clientSecret - type: object - type: object - hostAPI: - default: https://app.infisical.com/api - description: HostAPI specifies the base URL of the Infisical API. If not provided, it defaults to "https://app.infisical.com/api". - type: string - secretsScope: - description: SecretsScope defines the scope of the secrets within the workspace - properties: - environmentSlug: - description: EnvironmentSlug is the required slug identifier for the environment. - type: string - expandSecretReferences: - default: true - description: ExpandSecretReferences indicates whether secret references should be expanded. Defaults to true if not provided. - type: boolean - projectSlug: - description: ProjectSlug is the required slug identifier for the project. - type: string - recursive: - default: false - description: Recursive indicates whether the secrets should be fetched recursively. Defaults to false if not provided. - type: boolean - secretsPath: - default: / - description: SecretsPath specifies the path to the secrets within the workspace. Defaults to "/" if not provided. - type: string - required: - - environmentSlug - - projectSlug - type: object - required: - - auth - - secretsScope - type: object - keepersecurity: - description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider - properties: - authRef: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - folderID: - type: string - required: - - authRef - - folderID - type: object - kubernetes: - description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Kubernetes instance. - maxProperties: 1 - minProperties: 1 - properties: - cert: - description: has both clientCert and clientKey as secretKeySelector - properties: - clientCert: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - clientKey: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - serviceAccount: - description: points to a service account that should be used for authentication - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - token: - description: use static token to authenticate with - properties: - bearerToken: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - type: object - authRef: - description: A reference to a secret that contains the auth information. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - remoteNamespace: - default: default - description: Remote namespace to fetch the secrets from - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - server: - description: configures the Kubernetes server Address. - properties: - caBundle: - description: CABundle is a base64-encoded CA certificate - format: byte - type: string - caProvider: - description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider' - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the object located at the provider type. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - default: kubernetes.default - description: configures the Kubernetes server Address. - type: string - type: object - type: object - onboardbase: - description: Onboardbase configures this store to sync secrets using the Onboardbase provider - properties: - apiHost: - default: https://public.onboardbase.com/api/v1/ - description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/ - type: string - auth: - description: Auth configures how the Operator authenticates with the Onboardbase API - properties: - apiKeyRef: - description: |- - OnboardbaseAPIKey is the APIKey generated by an admin account. - It is used to recognize and authorize access to a project and environment within onboardbase - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - passcodeRef: - description: OnboardbasePasscode is the passcode attached to the API Key - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - apiKeyRef - - passcodeRef - type: object - environment: - default: development - description: Environment is the name of an environmnent within a project to pull the secrets from - type: string - project: - default: development - description: Project is an onboardbase project that the secrets should be pulled from - type: string - required: - - apiHost - - auth - - environment - - project - type: object - onepassword: - description: OnePassword configures this store to sync secrets using the 1Password Cloud provider - properties: - auth: - description: Auth defines the information necessary to authenticate against OnePassword Connect Server - properties: - secretRef: - description: OnePasswordAuthSecretRef holds secret references for 1Password credentials. - properties: - connectTokenSecretRef: - description: The ConnectToken is used for authentication to a 1Password Connect Server. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - connectTokenSecretRef - type: object - required: - - secretRef - type: object - connectHost: - description: ConnectHost defines the OnePassword Connect Server to connect to - type: string - vaults: - additionalProperties: - type: integer - description: Vaults defines which OnePassword vaults to search in which order - type: object - required: - - auth - - connectHost - - vaults - type: object - oracle: - description: Oracle configures this store to sync secrets using Oracle Vault provider - properties: - auth: - description: |- - Auth configures how secret-manager authenticates with the Oracle Vault. - If empty, use the instance principal, otherwise the user credentials specified in Auth. - properties: - secretRef: - description: SecretRef to pass through sensitive information. - properties: - fingerprint: - description: Fingerprint is the fingerprint of the API private key. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - privatekey: - description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - fingerprint - - privatekey - type: object - tenancy: - description: Tenancy is the tenancy OCID where user is located. - type: string - user: - description: User is an access OCID specific to the account. - type: string - required: - - secretRef - - tenancy - - user - type: object - compartment: - description: |- - Compartment is the vault compartment OCID. - Required for PushSecret - type: string - encryptionKey: - description: |- - EncryptionKey is the OCID of the encryption key within the vault. - Required for PushSecret - type: string - principalType: - description: |- - The type of principal to use for authentication. If left blank, the Auth struct will - determine the principal type. This optional field must be specified if using - workload identity. - enum: - - "" - - UserPrincipal - - InstancePrincipal - - Workload - type: string - region: - description: Region is the region where vault is located. - type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - vault: - description: Vault is the vault's OCID of the specific vault where secret is located. - type: string - required: - - region - - vault - type: object - passbolt: - description: PassboltProvider defines configuration for the Passbolt provider. - properties: - auth: - description: Auth defines the information necessary to authenticate against Passbolt Server - properties: - passwordSecretRef: - description: PasswordSecretRef is a reference to the secret containing the Passbolt password - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - privateKeySecretRef: - description: PrivateKeySecretRef is a reference to the secret containing the Passbolt private key - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - passwordSecretRef - - privateKeySecretRef - type: object - host: - description: Host defines the Passbolt Server to connect to - type: string - required: - - auth - - host - type: object - passworddepot: - description: PasswordDepotProvider configures a store to sync secrets with a Password Depot instance. - properties: - auth: - description: Auth configures how secret-manager authenticates with a Password Depot instance. - properties: - secretRef: - description: PasswordDepotSecretRef defines a reference to a secret containing credentials for the Password Depot provider. - properties: - credentials: - description: Username / Password is used for authentication. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - required: - - secretRef - type: object - database: - description: Database to use as source - type: string - host: - description: URL configures the Password Depot instance URL. - type: string - required: - - auth - - database - - host - type: object - previder: - description: Previder configures this store to sync secrets using the Previder provider - properties: - auth: - description: PreviderAuth contains a secretRef for credentials. - properties: - secretRef: - description: PreviderAuthSecretRef holds secret references for Previder Vault credentials. - properties: - accessToken: - description: The AccessToken is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - accessToken - type: object - type: object - baseUri: - type: string - required: - - auth - type: object - pulumi: - description: Pulumi configures this store to sync secrets using the Pulumi provider - properties: - accessToken: - description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console. - properties: - secretRef: - description: SecretRef is a reference to a secret containing the Pulumi API token. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - apiUrl: - default: https://api.pulumi.com/api/esc - description: APIURL is the URL of the Pulumi API. - type: string - environment: - description: |- - Environment are YAML documents composed of static key-value pairs, programmatic expressions, - dynamically retrieved values from supported providers including all major clouds, - and other Pulumi ESC environments. - To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information. - type: string - organization: - description: |- - Organization are a space to collaborate on shared projects and stacks. - To create a new organization, visit https://app.pulumi.com/ and click "New Organization". - type: string - project: - description: Project is the name of the Pulumi ESC project the environment belongs to. - type: string - required: - - accessToken - - environment - - organization - - project - type: object - scaleway: - description: Scaleway - properties: - accessKey: - description: AccessKey is the non-secret part of the api key. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - apiUrl: - description: APIURL is the url of the api to use. Defaults to https://api.scaleway.com - type: string - projectId: - description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings' - type: string - region: - description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone' - type: string - secretKey: - description: SecretKey is the non-secret part of the api key. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - required: - - accessKey - - projectId - - region - - secretKey - type: object - secretserver: - description: |- - SecretServer configures this store to sync secrets using SecretServer provider - https://docs.delinea.com/online-help/secret-server/start.htm - properties: - password: - description: Password is the secret server account password. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - serverURL: - description: |- - ServerURL - URL to your secret server installation - type: string - username: - description: Username is the secret server account username. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - required: - - password - - serverURL - - username - type: object - senhasegura: - description: Senhasegura configures this store to sync secrets using senhasegura provider - properties: - auth: - description: Auth defines parameters to authenticate in senhasegura - properties: - clientId: - type: string - clientSecretSecretRef: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - clientId - - clientSecretSecretRef - type: object - ignoreSslCertificate: - default: false - description: IgnoreSslCertificate defines if SSL certificate must be ignored - type: boolean - module: - description: Module defines which senhasegura module should be used to get secrets - type: string - url: - description: URL of senhasegura - type: string - required: - - auth - - module - - url - type: object - vault: - description: Vault configures this store to sync secrets using Hashi provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the Vault server. - properties: - appRole: - description: |- - AppRole authenticates with Vault using the App Role auth mechanism, - with the role and secret stored in a Kubernetes Secret resource. - properties: - path: - default: approle - description: |- - Path where the App Role authentication backend is mounted - in Vault, e.g: "approle" - type: string - roleId: - description: |- - RoleID configured in the App Role authentication backend when setting - up the authentication backend in Vault. - type: string - roleRef: - description: |- - Reference to a key in a Secret that contains the App Role ID used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role id. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - secretRef: - description: |- - Reference to a key in a Secret that contains the App Role secret used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role secret. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - path - - secretRef - type: object - cert: - description: |- - Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate - Cert authentication method - properties: - clientCert: - description: |- - ClientCert is a certificate to authenticate using the Cert Vault - authentication method - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - secretRef: - description: |- - SecretRef to a key in a Secret resource containing client private key to - authenticate with Vault using the Cert authentication method - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - iam: - description: |- - Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials - AWS IAM authentication method - properties: - externalID: - description: AWS External ID set on assumed IAM roles - type: string - jwt: - description: Specify a service account with IRSA enabled - properties: - serviceAccountRef: - description: ServiceAccountSelector is a reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - type: object - path: - description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' - type: string - region: - description: AWS region - type: string - role: - description: This is the AWS role to be assumed before talking to vault - type: string - secretRef: - description: Specify credentials in a Secret object - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - sessionTokenSecretRef: - description: |- - The SessionToken used for authentication - This must be defined if AccessKeyID and SecretAccessKey are temporary credentials - see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - vaultAwsIamServerID: - description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' - type: string - vaultRole: - description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine - type: string - required: - - vaultRole - type: object - jwt: - description: |- - Jwt authenticates with Vault by passing role and JWT token using the - JWT/OIDC authentication method - properties: - kubernetesServiceAccountToken: - description: |- - Optional ServiceAccountToken specifies the Kubernetes service account for which to request - a token for with the `TokenRequest` API. - properties: - audiences: - description: |- - Optional audiences field that will be used to request a temporary Kubernetes service - account token for the service account referenced by `serviceAccountRef`. - Defaults to a single audience `vault` it not specified. - Deprecated: use serviceAccountRef.Audiences instead - items: - type: string - type: array - expirationSeconds: - description: |- - Optional expiration time in seconds that will be used to request a temporary - Kubernetes service account token for the service account referenced by - `serviceAccountRef`. - Deprecated: this will be removed in the future. - Defaults to 10 minutes. - format: int64 - type: integer - serviceAccountRef: - description: Service account field containing the name of a kubernetes ServiceAccount. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - path: - default: jwt - description: |- - Path where the JWT authentication backend is mounted - in Vault, e.g: "jwt" - type: string - role: - description: |- - Role is a JWT role to authenticate using the JWT/OIDC Vault - authentication method - type: string - secretRef: - description: |- - Optional SecretRef that refers to a key in a Secret resource containing JWT token to - authenticate with Vault using the JWT/OIDC authentication method. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - path - type: object - kubernetes: - description: |- - Kubernetes authenticates with Vault by passing the ServiceAccount - token stored in the named Secret resource to the Vault server. - properties: - mountPath: - default: kubernetes - description: |- - Path where the Kubernetes authentication backend is mounted in Vault, e.g: - "kubernetes" - type: string - role: - description: |- - A required field containing the Vault Role to assume. A Role binds a - Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Vault. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Vault. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - required: - - mountPath - - role - type: object - ldap: - description: |- - Ldap authenticates with Vault by passing username/password pair using - the LDAP authentication method - properties: - path: - default: ldap - description: |- - Path where the LDAP authentication backend is mounted - in Vault, e.g: "ldap" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the LDAP - user used to authenticate with Vault using the LDAP authentication - method - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - username: - description: |- - Username is an LDAP username used to authenticate using the LDAP Vault - authentication method - type: string - required: - - path - - username - type: object - namespace: - description: |- - Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. - Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - This will default to Vault.Namespace field if set, or empty otherwise - type: string - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - userPass: - description: UserPass authenticates with Vault by passing username/password pair - properties: - path: - default: userpass - description: |- - Path where the UserPassword authentication backend is mounted - in Vault, e.g: "userpass" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the - user used to authenticate with Vault using the UserPass authentication - method - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - username: - description: |- - Username is a username used to authenticate using the UserPass Vault - authentication method - type: string - required: - - path - - username - type: object - type: object - caBundle: - description: |- - PEM encoded CA bundle used to validate Vault server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Vault server certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the object located at the provider type. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - forwardInconsistent: - description: |- - ForwardInconsistent tells Vault to forward read-after-write requests to the Vault - leader instead of simply retrying within a loop. This can increase performance if - the option is enabled serverside. - https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header - type: boolean - headers: - additionalProperties: - type: string - description: Headers to be added in Vault request - type: object - namespace: - description: |- - Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - type: string - path: - description: |- - Path is the mount path of the Vault KV backend endpoint, e.g: - "secret". The v2 KV secret engine version specific "/data" path suffix - for fetching secrets from Vault is optional and will be appended - if not present in specified path. - type: string - readYourWrites: - description: |- - ReadYourWrites ensures isolated read-after-write semantics by - providing discovered cluster replication states in each request. - More information about eventual consistency in Vault can be found here - https://www.vaultproject.io/docs/enterprise/consistency - type: boolean - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - tls: - description: |- - The configuration used for client side related TLS communication, when the Vault server - requires mutual authentication. Only used if the Server URL is using HTTPS protocol. - This parameter is ignored for plain HTTP protocol connection. - It's worth noting this configuration is different from the "TLS certificates auth method", - which is available under the `auth.cert` section. - properties: - certSecretRef: - description: |- - CertSecretRef is a certificate added to the transport layer - when communicating with the Vault server. - If no key for the Secret is specified, external-secret will default to 'tls.crt'. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - keySecretRef: - description: |- - KeySecretRef to a key in a Secret resource containing client private key - added to the transport layer when communicating with the Vault server. - If no key for the Secret is specified, external-secret will default to 'tls.key'. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - version: - default: v2 - description: |- - Version is the Vault KV secret engine version. This can be either "v1" or - "v2". Version defaults to "v2". - enum: - - v1 - - v2 - type: string - required: - - server - type: object - webhook: - description: Webhook configures this store to sync secrets using a generic templated webhook - properties: - auth: - description: Auth specifies a authorization protocol. Only one protocol may be set. - maxProperties: 1 - minProperties: 1 - properties: - ntlm: - description: NTLMProtocol configures the store to use NTLM for auth - properties: - passwordSecret: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - usernameSecret: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - passwordSecret - - usernameSecret - type: object - type: object - body: - description: Body - type: string - caBundle: - description: |- - PEM encoded CA bundle used to validate webhook server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate webhook server certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the object located at the provider type. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: The namespace the Provider type is in. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - headers: - additionalProperties: - type: string - description: Headers - type: object - method: - description: Webhook Method - type: string - result: - description: Result formatting - properties: - jsonPath: - description: Json path of return value - type: string - type: object - secrets: - description: |- - Secrets to fill in templates - These secrets will be passed to the templating function as key value pairs under the given name - items: - description: WebhookSecret defines a secret to be used in webhook templates. - properties: - name: - description: Name of this secret in templates - type: string - secretRef: - description: Secret ref to fill in credentials - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - name - - secretRef - type: object - type: array - timeout: - description: Timeout - type: string - url: - description: Webhook url to call - type: string - required: - - result - - url - type: object - yandexcertificatemanager: - description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Certificate Manager - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - required: - - auth - type: object - yandexlockbox: - description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Lockbox - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - required: - - auth - type: object - type: object - refreshInterval: - description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config. - type: integer - retrySettings: - description: Used to configure http retries if failed - properties: - maxRetries: - description: MaxRetries is the maximum number of retry attempts. - format: int32 - type: integer - retryInterval: - description: RetryInterval is the interval between retry attempts. - type: string - type: object - required: - - provider - type: object - status: - description: SecretStoreStatus defines the observed state of the SecretStore. - properties: - capabilities: - description: SecretStoreCapabilities defines the possible operations a SecretStore can do. - type: string - conditions: - items: - description: SecretStoreStatusCondition defines the observed condition of the SecretStore. - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - description: SecretStoreConditionType represents the condition type of the SecretStore. - type: string - required: - - status - - type - type: object - type: array - type: object - type: object - served: false - storage: false - subresources: - status: {} diff --git a/apps/external-secrets/manifests/CustomResourceDefinition-ecrauthorizationtokens.generators.external-secrets.io b/apps/external-secrets/manifests/CustomResourceDefinition-ecrauthorizationtokens.generators.external-secrets.io deleted file mode 100644 index bd1b2d05..00000000 --- a/apps/external-secrets/manifests/CustomResourceDefinition-ecrauthorizationtokens.generators.external-secrets.io +++ /dev/null @@ -1,196 +0,0 @@ ---- -# Source: external-secrets/templates/crds/ecrauthorizationtoken.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - labels: - external-secrets.io/component: controller - name: ecrauthorizationtokens.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - external-secrets - - external-secrets-generators - kind: ECRAuthorizationToken - listKind: ECRAuthorizationTokenList - plural: ecrauthorizationtokens - singular: ecrauthorizationtoken - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - ECRAuthorizationToken uses the GetAuthorizationToken API to retrieve an authorization token. - The authorization token is valid for 12 hours. - The authorizationToken returned is a base64 encoded string that can be decoded - and used in a docker login command to authenticate to a registry. - For more information, see Registry authentication (https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html#registry_auth) in the Amazon Elastic Container Registry User Guide. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: ECRAuthorizationTokenSpec defines the desired state to generate an AWS ECR authorization token. - properties: - auth: - description: Auth defines how to authenticate with AWS - properties: - jwt: - description: AWSJWTAuth provides configuration to authenticate against AWS using service account tokens. - properties: - serviceAccountRef: - description: ServiceAccountSelector is a reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - type: object - secretRef: - description: |- - AWSAuthSecretRef holds secret references for AWS credentials - both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - sessionTokenSecretRef: - description: |- - The SessionToken used for authentication - This must be defined if AccessKeyID and SecretAccessKey are temporary credentials - see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - type: object - region: - description: Region specifies the region to operate in. - type: string - role: - description: |- - You can assume a role before making calls to the - desired AWS service. - type: string - scope: - description: |- - Scope specifies the ECR service scope. - Valid options are private and public. - type: string - required: - - region - type: object - type: object - served: true - storage: true - subresources: - status: {} diff --git a/apps/external-secrets/manifests/CustomResourceDefinition-externalsecrets.external-secrets.io b/apps/external-secrets/manifests/CustomResourceDefinition-externalsecrets.external-secrets.io deleted file mode 100644 index 96aa4af0..00000000 --- a/apps/external-secrets/manifests/CustomResourceDefinition-externalsecrets.external-secrets.io +++ /dev/null @@ -1,1306 +0,0 @@ ---- -# Source: external-secrets/templates/crds/externalsecret.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - labels: - external-secrets.io/component: controller - name: externalsecrets.external-secrets.io -spec: - group: external-secrets.io - names: - categories: - - external-secrets - kind: ExternalSecret - listKind: ExternalSecretList - plural: externalsecrets - shortNames: - - es - singular: externalsecret - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .spec.secretStoreRef.kind - name: StoreType - type: string - - jsonPath: .spec.secretStoreRef.name - name: Store - type: string - - jsonPath: .spec.refreshInterval - name: Refresh Interval - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - name: v1 - schema: - openAPIV3Schema: - description: |- - ExternalSecret is the Schema for the external-secrets API. - It defines how to fetch data from external APIs and make it available as Kubernetes Secrets. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: ExternalSecretSpec defines the desired state of ExternalSecret. - properties: - data: - description: Data defines the connection between the Kubernetes Secret keys and the Provider data - items: - description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data. - properties: - remoteRef: - description: |- - RemoteRef points to the remote secret and defines - which secret (version/property/..) to fetch. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - enum: - - Auto - - Base64 - - Base64URL - - None - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - metadataPolicy: - default: None - description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None - enum: - - None - - Fetch - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - secretKey: - description: The key in the Kubernetes Secret to store the value. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - sourceRef: - description: |- - SourceRef allows you to override the source - from which the value will be pulled. - maxProperties: 1 - minProperties: 1 - properties: - generatorRef: - description: |- - GeneratorRef points to a generator custom resource. - - Deprecated: The generatorRef is not implemented in .data[]. - this will be removed with v1. - properties: - apiVersion: - default: generators.external-secrets.io/v1alpha1 - description: Specify the apiVersion of the generator resource - type: string - kind: - description: Specify the Kind of the generator resource - enum: - - ACRAccessToken - - ClusterGenerator - - CloudsmithAccessToken - - ECRAuthorizationToken - - Fake - - GCRAccessToken - - GithubAccessToken - - QuayAccessToken - - Password - - SSHKey - - STSSessionToken - - UUID - - VaultDynamicSecret - - Webhook - - Grafana - - MFA - type: string - name: - description: Specify the name of the generator resource - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - required: - - kind - - name - type: object - storeRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - enum: - - SecretStore - - ClusterSecretStore - type: string - name: - description: Name of the SecretStore resource - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - type: object - type: object - required: - - remoteRef - - secretKey - type: object - type: array - dataFrom: - description: |- - DataFrom is used to fetch all properties from a specific Provider data - If multiple entries are specified, the Secret keys are merged in the specified order - items: - description: |- - ExternalSecretDataFromRemoteRef defines the connection between the Kubernetes Secret keys and the Provider data - when using DataFrom to fetch multiple values from a Provider. - properties: - extract: - description: |- - Used to extract multiple key/value pairs from one secret - Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - enum: - - Auto - - Base64 - - Base64URL - - None - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - metadataPolicy: - default: None - description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None - enum: - - None - - Fetch - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - find: - description: |- - Used to find secrets based on tags or regular expressions - Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - enum: - - Auto - - Base64 - - Base64URL - - None - type: string - name: - description: Finds secrets based on the name. - properties: - regexp: - description: Finds secrets base - type: string - type: object - path: - description: A root path to start the find operations. - type: string - tags: - additionalProperties: - type: string - description: Find secrets based on tags. - type: object - type: object - rewrite: - description: |- - Used to rewrite secret Keys after getting them from the secret Provider - Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) - items: - description: ExternalSecretRewrite defines how to rewrite secret data values before they are written to the Secret. - maxProperties: 1 - minProperties: 1 - properties: - merge: - description: |- - Used to merge key/values in one single Secret - The resulting key will contain all values from the specified secrets - properties: - conflictPolicy: - default: Error - description: Used to define the policy to use in conflict resolution. - enum: - - Ignore - - Error - type: string - into: - default: "" - description: |- - Used to define the target key of the merge operation. - Required if strategy is JSON. Ignored otherwise. - type: string - priority: - description: Used to define key priority in conflict resolution. - items: - type: string - type: array - priorityPolicy: - default: Strict - description: Used to define the policy when a key in the priority list does not exist in the input. - enum: - - IgnoreNotFound - - Strict - type: string - strategy: - default: Extract - description: Used to define the strategy to use in the merge operation. - enum: - - Extract - - JSON - type: string - type: object - regexp: - description: |- - Used to rewrite with regular expressions. - The resulting key will be the output of a regexp.ReplaceAll operation. - properties: - source: - description: Used to define the regular expression of a re.Compiler. - type: string - target: - description: Used to define the target pattern of a ReplaceAll operation. - type: string - required: - - source - - target - type: object - transform: - description: |- - Used to apply string transformation on the secrets. - The resulting key will be the output of the template applied by the operation. - properties: - template: - description: |- - Used to define the template to apply on the secret name. - `.value ` will specify the secret name in the template. - type: string - required: - - template - type: object - type: object - type: array - sourceRef: - description: |- - SourceRef points to a store or generator - which contains secret values ready to use. - Use this in combination with Extract or Find pull values out of - a specific SecretStore. - When sourceRef points to a generator Extract or Find is not supported. - The generator returns a static map of values - maxProperties: 1 - minProperties: 1 - properties: - generatorRef: - description: GeneratorRef points to a generator custom resource. - properties: - apiVersion: - default: generators.external-secrets.io/v1alpha1 - description: Specify the apiVersion of the generator resource - type: string - kind: - description: Specify the Kind of the generator resource - enum: - - ACRAccessToken - - ClusterGenerator - - CloudsmithAccessToken - - ECRAuthorizationToken - - Fake - - GCRAccessToken - - GithubAccessToken - - QuayAccessToken - - Password - - SSHKey - - STSSessionToken - - UUID - - VaultDynamicSecret - - Webhook - - Grafana - - MFA - type: string - name: - description: Specify the name of the generator resource - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - required: - - kind - - name - type: object - storeRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - enum: - - SecretStore - - ClusterSecretStore - type: string - name: - description: Name of the SecretStore resource - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - type: object - type: object - type: object - type: array - refreshInterval: - default: 1h - description: |- - RefreshInterval is the amount of time before the values are read again from the SecretStore provider, - specified as Golang Duration strings. - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" - Example values: "1h", "2h30m", "10s" - May be set to zero to fetch and create it once. Defaults to 1h. - type: string - refreshPolicy: - description: |- - RefreshPolicy determines how the ExternalSecret should be refreshed: - - CreatedOnce: Creates the Secret only if it does not exist and does not update it thereafter - - Periodic: Synchronizes the Secret from the external source at regular intervals specified by refreshInterval. - No periodic updates occur if refreshInterval is 0. - - OnChange: Only synchronizes the Secret when the ExternalSecret's metadata or specification changes - enum: - - CreatedOnce - - Periodic - - OnChange - type: string - secretStoreRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - enum: - - SecretStore - - ClusterSecretStore - type: string - name: - description: Name of the SecretStore resource - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - type: object - target: - default: - creationPolicy: Owner - deletionPolicy: Retain - description: |- - ExternalSecretTarget defines the Kubernetes Secret to be created, - there can be only one target per ExternalSecret. - properties: - creationPolicy: - default: Owner - description: |- - CreationPolicy defines rules on how to create the resulting Secret. - Defaults to "Owner" - enum: - - Owner - - Orphan - - Merge - - None - type: string - deletionPolicy: - default: Retain - description: |- - DeletionPolicy defines rules on how to delete the resulting Secret. - Defaults to "Retain" - enum: - - Delete - - Merge - - Retain - type: string - immutable: - description: Immutable defines if the final secret will be immutable - type: boolean - name: - description: |- - The name of the Secret resource to be managed. - Defaults to the .metadata.name of the ExternalSecret resource - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - template: - description: Template defines a blueprint for the created Secret resource. - properties: - data: - additionalProperties: - type: string - type: object - engineVersion: - default: v2 - description: |- - EngineVersion specifies the template engine version - that should be used to compile/execute the - template specified in .data and .templateFrom[]. - enum: - - v2 - type: string - mergePolicy: - default: Replace - description: TemplateMergePolicy defines how the rendered template should be merged with the existing Secret data. - enum: - - Replace - - Merge - type: string - metadata: - description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - type: object - templateFrom: - items: - description: |- - TemplateFrom specifies a source for templates. - Each item in the list can either reference a ConfigMap or a Secret resource. - properties: - configMap: - description: TemplateRef specifies a reference to either a ConfigMap or a Secret resource. - properties: - items: - description: A list of keys in the ConfigMap/Secret to use as templates for Secret data - items: - description: TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data. - properties: - key: - description: A key in the ConfigMap/Secret - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - templateAs: - default: Values - description: TemplateScope specifies how the template keys should be interpreted. - enum: - - Values - - KeysAndValues - type: string - required: - - key - type: object - type: array - name: - description: The name of the ConfigMap/Secret resource - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - required: - - items - - name - type: object - literal: - type: string - secret: - description: TemplateRef specifies a reference to either a ConfigMap or a Secret resource. - properties: - items: - description: A list of keys in the ConfigMap/Secret to use as templates for Secret data - items: - description: TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data. - properties: - key: - description: A key in the ConfigMap/Secret - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - templateAs: - default: Values - description: TemplateScope specifies how the template keys should be interpreted. - enum: - - Values - - KeysAndValues - type: string - required: - - key - type: object - type: array - name: - description: The name of the ConfigMap/Secret resource - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - required: - - items - - name - type: object - target: - default: Data - description: TemplateTarget specifies where the rendered templates should be applied. - enum: - - Data - - Annotations - - Labels - type: string - type: object - type: array - type: - type: string - type: object - type: object - type: object - status: - description: ExternalSecretStatus defines the observed state of ExternalSecret. - properties: - binding: - description: Binding represents a servicebinding.io Provisioned Service reference to the secret - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - conditions: - items: - description: ExternalSecretStatusCondition defines a status condition of an ExternalSecret resource. - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - description: ExternalSecretConditionType defines a value type for ExternalSecret conditions. - enum: - - Ready - - Deleted - type: string - required: - - status - - type - type: object - type: array - refreshTime: - description: |- - refreshTime is the time and date the external secret was fetched and - the target secret updated - format: date-time - nullable: true - type: string - syncedResourceVersion: - description: SyncedResourceVersion keeps track of the last synced version - type: string - type: object - type: object - selectableFields: - - jsonPath: .spec.secretStoreRef.name - - jsonPath: .spec.secretStoreRef.kind - - jsonPath: .spec.target.name - - jsonPath: .spec.refreshInterval - served: true - storage: true - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .spec.secretStoreRef.kind - name: StoreType - type: string - - jsonPath: .spec.secretStoreRef.name - name: Store - type: string - - jsonPath: .spec.refreshInterval - name: Refresh Interval - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - deprecated: true - name: v1beta1 - schema: - openAPIV3Schema: - description: ExternalSecret is the schema for the external-secrets API. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: ExternalSecretSpec defines the desired state of ExternalSecret. - properties: - data: - description: Data defines the connection between the Kubernetes Secret keys and the Provider data - items: - description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data. - properties: - remoteRef: - description: |- - RemoteRef points to the remote secret and defines - which secret (version/property/..) to fetch. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - enum: - - Auto - - Base64 - - Base64URL - - None - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - metadataPolicy: - default: None - description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None - enum: - - None - - Fetch - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - secretKey: - description: The key in the Kubernetes Secret to store the value. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - sourceRef: - description: |- - SourceRef allows you to override the source - from which the value will be pulled. - maxProperties: 1 - minProperties: 1 - properties: - generatorRef: - description: |- - GeneratorRef points to a generator custom resource. - - Deprecated: The generatorRef is not implemented in .data[]. - this will be removed with v1. - properties: - apiVersion: - default: generators.external-secrets.io/v1alpha1 - description: Specify the apiVersion of the generator resource - type: string - kind: - description: Specify the Kind of the generator resource - enum: - - ACRAccessToken - - ClusterGenerator - - ECRAuthorizationToken - - Fake - - GCRAccessToken - - GithubAccessToken - - QuayAccessToken - - Password - - SSHKey - - STSSessionToken - - UUID - - VaultDynamicSecret - - Webhook - - Grafana - type: string - name: - description: Specify the name of the generator resource - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - required: - - kind - - name - type: object - storeRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - enum: - - SecretStore - - ClusterSecretStore - type: string - name: - description: Name of the SecretStore resource - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - type: object - type: object - required: - - remoteRef - - secretKey - type: object - type: array - dataFrom: - description: |- - DataFrom is used to fetch all properties from a specific Provider data - If multiple entries are specified, the Secret keys are merged in the specified order - items: - description: ExternalSecretDataFromRemoteRef defines a reference to multiple secrets in the provider to be fetched using options. - properties: - extract: - description: |- - Used to extract multiple key/value pairs from one secret - Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - enum: - - Auto - - Base64 - - Base64URL - - None - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - metadataPolicy: - default: None - description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None - enum: - - None - - Fetch - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - find: - description: |- - Used to find secrets based on tags or regular expressions - Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - enum: - - Auto - - Base64 - - Base64URL - - None - type: string - name: - description: Finds secrets based on the name. - properties: - regexp: - description: Finds secrets base - type: string - type: object - path: - description: A root path to start the find operations. - type: string - tags: - additionalProperties: - type: string - description: Find secrets based on tags. - type: object - type: object - rewrite: - description: |- - Used to rewrite secret Keys after getting them from the secret Provider - Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) - items: - description: ExternalSecretRewrite defines rules on how to rewrite secret keys. - maxProperties: 1 - minProperties: 1 - properties: - regexp: - description: |- - Used to rewrite with regular expressions. - The resulting key will be the output of a regexp.ReplaceAll operation. - properties: - source: - description: Used to define the regular expression of a re.Compiler. - type: string - target: - description: Used to define the target pattern of a ReplaceAll operation. - type: string - required: - - source - - target - type: object - transform: - description: |- - Used to apply string transformation on the secrets. - The resulting key will be the output of the template applied by the operation. - properties: - template: - description: |- - Used to define the template to apply on the secret name. - `.value ` will specify the secret name in the template. - type: string - required: - - template - type: object - type: object - type: array - sourceRef: - description: |- - SourceRef points to a store or generator - which contains secret values ready to use. - Use this in combination with Extract or Find pull values out of - a specific SecretStore. - When sourceRef points to a generator Extract or Find is not supported. - The generator returns a static map of values - maxProperties: 1 - minProperties: 1 - properties: - generatorRef: - description: GeneratorRef points to a generator custom resource. - properties: - apiVersion: - default: generators.external-secrets.io/v1alpha1 - description: Specify the apiVersion of the generator resource - type: string - kind: - description: Specify the Kind of the generator resource - enum: - - ACRAccessToken - - ClusterGenerator - - ECRAuthorizationToken - - Fake - - GCRAccessToken - - GithubAccessToken - - QuayAccessToken - - Password - - SSHKey - - STSSessionToken - - UUID - - VaultDynamicSecret - - Webhook - - Grafana - type: string - name: - description: Specify the name of the generator resource - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - required: - - kind - - name - type: object - storeRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - enum: - - SecretStore - - ClusterSecretStore - type: string - name: - description: Name of the SecretStore resource - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - type: object - type: object - type: object - type: array - refreshInterval: - default: 1h - description: |- - RefreshInterval is the amount of time before the values are read again from the SecretStore provider, - specified as Golang Duration strings. - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" - Example values: "1h", "2h30m", "10s" - May be set to zero to fetch and create it once. Defaults to 1h. - type: string - refreshPolicy: - description: |- - RefreshPolicy determines how the ExternalSecret should be refreshed: - - CreatedOnce: Creates the Secret only if it does not exist and does not update it thereafter - - Periodic: Synchronizes the Secret from the external source at regular intervals specified by refreshInterval. - No periodic updates occur if refreshInterval is 0. - - OnChange: Only synchronizes the Secret when the ExternalSecret's metadata or specification changes - enum: - - CreatedOnce - - Periodic - - OnChange - type: string - secretStoreRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - enum: - - SecretStore - - ClusterSecretStore - type: string - name: - description: Name of the SecretStore resource - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - type: object - target: - default: - creationPolicy: Owner - deletionPolicy: Retain - description: |- - ExternalSecretTarget defines the Kubernetes Secret to be created - There can be only one target per ExternalSecret. - properties: - creationPolicy: - default: Owner - description: |- - CreationPolicy defines rules on how to create the resulting Secret. - Defaults to "Owner" - enum: - - Owner - - Orphan - - Merge - - None - type: string - deletionPolicy: - default: Retain - description: |- - DeletionPolicy defines rules on how to delete the resulting Secret. - Defaults to "Retain" - enum: - - Delete - - Merge - - Retain - type: string - immutable: - description: Immutable defines if the final secret will be immutable - type: boolean - name: - description: |- - The name of the Secret resource to be managed. - Defaults to the .metadata.name of the ExternalSecret resource - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - template: - description: Template defines a blueprint for the created Secret resource. - properties: - data: - additionalProperties: - type: string - type: object - engineVersion: - default: v2 - description: |- - EngineVersion specifies the template engine version - that should be used to compile/execute the - template specified in .data and .templateFrom[]. - enum: - - v2 - type: string - mergePolicy: - default: Replace - description: TemplateMergePolicy defines how template values should be merged when generating a secret. - enum: - - Replace - - Merge - type: string - metadata: - description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - templateFrom: - items: - description: TemplateFrom defines a source for template data. - properties: - configMap: - description: TemplateRef defines a reference to a template source in a ConfigMap or Secret. - properties: - items: - description: A list of keys in the ConfigMap/Secret to use as templates for Secret data - items: - description: TemplateRefItem defines which key in the referenced ConfigMap or Secret to use as a template. - properties: - key: - description: A key in the ConfigMap/Secret - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - templateAs: - default: Values - description: TemplateScope defines the scope of the template when processing template data. - enum: - - Values - - KeysAndValues - type: string - required: - - key - type: object - type: array - name: - description: The name of the ConfigMap/Secret resource - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - required: - - items - - name - type: object - literal: - type: string - secret: - description: TemplateRef defines a reference to a template source in a ConfigMap or Secret. - properties: - items: - description: A list of keys in the ConfigMap/Secret to use as templates for Secret data - items: - description: TemplateRefItem defines which key in the referenced ConfigMap or Secret to use as a template. - properties: - key: - description: A key in the ConfigMap/Secret - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - templateAs: - default: Values - description: TemplateScope defines the scope of the template when processing template data. - enum: - - Values - - KeysAndValues - type: string - required: - - key - type: object - type: array - name: - description: The name of the ConfigMap/Secret resource - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - required: - - items - - name - type: object - target: - default: Data - description: TemplateTarget defines the target field where the template result will be stored. - enum: - - Data - - Annotations - - Labels - type: string - type: object - type: array - type: - type: string - type: object - type: object - type: object - status: - description: ExternalSecretStatus defines the observed state of ExternalSecret. - properties: - binding: - description: Binding represents a servicebinding.io Provisioned Service reference to the secret - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - conditions: - items: - description: ExternalSecretStatusCondition contains condition information for an ExternalSecret. - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - description: ExternalSecretConditionType defines the condition type for an ExternalSecret. - type: string - required: - - status - - type - type: object - type: array - refreshTime: - description: |- - refreshTime is the time and date the external secret was fetched and - the target secret updated - format: date-time - nullable: true - type: string - syncedResourceVersion: - description: SyncedResourceVersion keeps track of the last synced version - type: string - type: object - type: object - served: false - storage: false - subresources: - status: {} diff --git a/apps/external-secrets/manifests/CustomResourceDefinition-fakes.generators.external-secrets.io b/apps/external-secrets/manifests/CustomResourceDefinition-fakes.generators.external-secrets.io deleted file mode 100644 index 1daab426..00000000 --- a/apps/external-secrets/manifests/CustomResourceDefinition-fakes.generators.external-secrets.io +++ /dev/null @@ -1,67 +0,0 @@ ---- -# Source: external-secrets/templates/crds/fake.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - labels: - external-secrets.io/component: controller - name: fakes.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - external-secrets - - external-secrets-generators - kind: Fake - listKind: FakeList - plural: fakes - singular: fake - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - Fake generator is used for testing. It lets you define - a static set of credentials that is always returned. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: FakeSpec contains the static data. - properties: - controller: - description: |- - Used to select the correct ESO controller (think: ingress.ingressClassName) - The ESO controller is instantiated with a specific controller name and filters VDS based on this property - type: string - data: - additionalProperties: - type: string - description: |- - Data defines the static data returned - by this generator. - type: object - type: object - type: object - served: true - storage: true - subresources: - status: {} diff --git a/apps/external-secrets/manifests/CustomResourceDefinition-gcraccesstokens.generators.external-secrets.io b/apps/external-secrets/manifests/CustomResourceDefinition-gcraccesstokens.generators.external-secrets.io deleted file mode 100644 index 622a84e9..00000000 --- a/apps/external-secrets/manifests/CustomResourceDefinition-gcraccesstokens.generators.external-secrets.io +++ /dev/null @@ -1,250 +0,0 @@ ---- -# Source: external-secrets/templates/crds/gcraccesstoken.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - labels: - external-secrets.io/component: controller - name: gcraccesstokens.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - external-secrets - - external-secrets-generators - kind: GCRAccessToken - listKind: GCRAccessTokenList - plural: gcraccesstokens - singular: gcraccesstoken - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - GCRAccessToken generates an GCP access token - that can be used to authenticate with GCR. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: GCRAccessTokenSpec defines the desired state to generate a Google Container Registry access token. - properties: - auth: - description: Auth defines the means for authenticating with GCP - properties: - secretRef: - description: GCPSMAuthSecretRef defines the reference to a secret containing Google Cloud Platform credentials. - properties: - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - workloadIdentity: - description: GCPWorkloadIdentity defines the configuration for using GCP Workload Identity authentication. - properties: - clusterLocation: - type: string - clusterName: - type: string - clusterProjectID: - type: string - serviceAccountRef: - description: ServiceAccountSelector is a reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - required: - - clusterLocation - - clusterName - - serviceAccountRef - type: object - workloadIdentityFederation: - description: GCPWorkloadIdentityFederation holds the configurations required for generating federated access tokens. - properties: - audience: - description: |- - audience is the Secure Token Service (STS) audience which contains the resource name for the workload identity pool and the provider identifier in that pool. - If specified, Audience found in the external account credential config will be overridden with the configured value. - audience must be provided when serviceAccountRef or awsSecurityCredentials is configured. - type: string - awsSecurityCredentials: - description: |- - awsSecurityCredentials is for configuring AWS region and credentials to use for obtaining the access token, - when using the AWS metadata server is not an option. - properties: - awsCredentialsSecretRef: - description: |- - awsCredentialsSecretRef is the reference to the secret which holds the AWS credentials. - Secret should be created with below names for keys - - aws_access_key_id: Access Key ID, which is the unique identifier for the AWS account or the IAM user. - - aws_secret_access_key: Secret Access Key, which is used to authenticate requests made to AWS services. - - aws_session_token: Session Token, is the short-lived token to authenticate requests made to AWS services. - properties: - name: - description: name of the secret. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: namespace in which the secret exists. If empty, secret will looked up in local namespace. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - region: - description: region is for configuring the AWS region to be used. - example: ap-south-1 - maxLength: 50 - minLength: 1 - pattern: ^[a-z0-9-]+$ - type: string - required: - - awsCredentialsSecretRef - - region - type: object - credConfig: - description: |- - credConfig holds the configmap reference containing the GCP external account credential configuration in JSON format and the key name containing the json data. - For using Kubernetes cluster as the identity provider, use serviceAccountRef instead. Operators mounted serviceaccount token cannot be used as the token source, instead - serviceAccountRef must be used by providing operators service account details. - properties: - key: - description: key name holding the external account credential config. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: name of the configmap. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: namespace in which the configmap exists. If empty, configmap will looked up in local namespace. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - key - - name - type: object - externalTokenEndpoint: - description: |- - externalTokenEndpoint is the endpoint explicitly set up to provide tokens, which will be matched against the - credential_source.url in the provided credConfig. This field is merely to double-check the external token source - URL is having the expected value. - type: string - serviceAccountRef: - description: |- - serviceAccountRef is the reference to the kubernetes ServiceAccount to be used for obtaining the tokens, - when Kubernetes is configured as provider in workload identity pool. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - type: object - type: object - projectID: - description: ProjectID defines which project to use to authenticate with - type: string - required: - - auth - - projectID - type: object - type: object - served: true - storage: true - subresources: - status: {} diff --git a/apps/external-secrets/manifests/CustomResourceDefinition-generatorstates.generators.external-secrets.io b/apps/external-secrets/manifests/CustomResourceDefinition-generatorstates.generators.external-secrets.io deleted file mode 100644 index c375df4e..00000000 --- a/apps/external-secrets/manifests/CustomResourceDefinition-generatorstates.generators.external-secrets.io +++ /dev/null @@ -1,109 +0,0 @@ ---- -# Source: external-secrets/templates/crds/generatorstate.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - labels: - external-secrets.io/component: controller - name: generatorstates.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - external-secrets - - external-secrets-generators - kind: GeneratorState - listKind: GeneratorStateList - plural: generatorstates - shortNames: - - gs - singular: generatorstate - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .spec.garbageCollectionDeadline - name: GC Deadline - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: GeneratorState represents the state created and managed by a generator resource. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: GeneratorStateSpec defines the desired state of a generator state resource. - properties: - garbageCollectionDeadline: - description: |- - GarbageCollectionDeadline is the time after which the generator state - will be deleted. - It is set by the controller which creates the generator state and - can be set configured by the user. - If the garbage collection deadline is not set the generator state will not be deleted. - format: date-time - type: string - resource: - description: |- - Resource is the generator manifest that produced the state. - It is a snapshot of the generator manifest at the time the state was produced. - This manifest will be used to delete the resource. Any configuration that is referenced - in the manifest should be available at the time of garbage collection. If that is not the case deletion will - be blocked by a finalizer. - x-kubernetes-preserve-unknown-fields: true - state: - description: State is the state that was produced by the generator implementation. - x-kubernetes-preserve-unknown-fields: true - required: - - resource - - state - type: object - status: - description: GeneratorStateStatus defines the observed state of a generator state resource. - properties: - conditions: - items: - description: GeneratorStateStatusCondition represents the observed condition of a generator state. - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - description: GeneratorStateConditionType represents the type of condition for a generator state. - type: string - required: - - status - - type - type: object - type: array - type: object - type: object - served: true - storage: true - subresources: {} diff --git a/apps/external-secrets/manifests/CustomResourceDefinition-githubaccesstokens.generators.external-secrets.io b/apps/external-secrets/manifests/CustomResourceDefinition-githubaccesstokens.generators.external-secrets.io deleted file mode 100644 index 1d0404f9..00000000 --- a/apps/external-secrets/manifests/CustomResourceDefinition-githubaccesstokens.generators.external-secrets.io +++ /dev/null @@ -1,116 +0,0 @@ ---- -# Source: external-secrets/templates/crds/githubaccesstoken.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - labels: - external-secrets.io/component: controller - name: githubaccesstokens.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - external-secrets - - external-secrets-generators - kind: GithubAccessToken - listKind: GithubAccessTokenList - plural: githubaccesstokens - singular: githubaccesstoken - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: GithubAccessToken generates ghs_ accessToken - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: GithubAccessTokenSpec defines the desired state to generate a GitHub access token. - properties: - appID: - type: string - auth: - description: Auth configures how ESO authenticates with a Github instance. - properties: - privateKey: - description: GithubSecretRef references a secret containing GitHub credentials. - properties: - secretRef: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - secretRef - type: object - required: - - privateKey - type: object - installID: - type: string - permissions: - additionalProperties: - type: string - description: Map of permissions the token will have. If omitted, defaults to all permissions the GitHub App has. - type: object - repositories: - description: |- - List of repositories the token will have access to. If omitted, defaults to all repositories the GitHub App - is installed to. - items: - type: string - type: array - url: - description: URL configures the GitHub instance URL. Defaults to https://github.com/. - type: string - required: - - appID - - auth - - installID - type: object - type: object - served: true - storage: true - subresources: - status: {} diff --git a/apps/external-secrets/manifests/CustomResourceDefinition-grafanas.generators.external-secrets.io b/apps/external-secrets/manifests/CustomResourceDefinition-grafanas.generators.external-secrets.io deleted file mode 100644 index ec13f400..00000000 --- a/apps/external-secrets/manifests/CustomResourceDefinition-grafanas.generators.external-secrets.io +++ /dev/null @@ -1,134 +0,0 @@ ---- -# Source: external-secrets/templates/crds/grafana.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - labels: - external-secrets.io/component: controller - name: grafanas.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - external-secrets - - external-secrets-generators - kind: Grafana - listKind: GrafanaList - plural: grafanas - singular: grafana - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: Grafana represents a generator for Grafana service account tokens. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: GrafanaSpec controls the behavior of the grafana generator. - properties: - auth: - description: |- - Auth is the authentication configuration to authenticate - against the Grafana instance. - properties: - basic: - description: |- - Basic auth credentials used to authenticate against the Grafana instance. - Note: you need a token which has elevated permissions to create service accounts. - See here for the documentation on basic roles offered by Grafana: - https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/ - properties: - password: - description: A basic auth password used to authenticate against the Grafana instance. - properties: - key: - description: The key where the token is found. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - type: object - username: - description: A basic auth username used to authenticate against the Grafana instance. - type: string - required: - - password - - username - type: object - token: - description: |- - A service account token used to authenticate against the Grafana instance. - Note: you need a token which has elevated permissions to create service accounts. - See here for the documentation on basic roles offered by Grafana: - https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/ - properties: - key: - description: The key where the token is found. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - type: object - type: object - serviceAccount: - description: |- - ServiceAccount is the configuration for the service account that - is supposed to be generated by the generator. - properties: - name: - description: Name is the name of the service account that will be created by ESO. - type: string - role: - description: |- - Role is the role of the service account. - See here for the documentation on basic roles offered by Grafana: - https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/ - type: string - required: - - name - - role - type: object - url: - description: URL is the URL of the Grafana instance. - type: string - required: - - auth - - serviceAccount - - url - type: object - type: object - served: true - storage: true - subresources: - status: {} diff --git a/apps/external-secrets/manifests/CustomResourceDefinition-mfas.generators.external-secrets.io b/apps/external-secrets/manifests/CustomResourceDefinition-mfas.generators.external-secrets.io deleted file mode 100644 index aba42006..00000000 --- a/apps/external-secrets/manifests/CustomResourceDefinition-mfas.generators.external-secrets.io +++ /dev/null @@ -1,94 +0,0 @@ ---- -# Source: external-secrets/templates/crds/mfa.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - labels: - external-secrets.io/component: controller - name: mfas.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - external-secrets - - external-secrets-generators - kind: MFA - listKind: MFAList - plural: mfas - singular: mfa - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: MFA generates a new TOTP token that is compliant with RFC 6238. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: MFASpec controls the behavior of the mfa generator. - properties: - algorithm: - description: Algorithm to use for encoding. Defaults to SHA1 as per the RFC. - type: string - length: - description: Length defines the token length. Defaults to 6 characters. - type: integer - secret: - description: Secret is a secret selector to a secret containing the seed secret to generate the TOTP value from. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - timePeriod: - description: TimePeriod defines how long the token can be active. Defaults to 30 seconds. - type: integer - when: - description: When defines a time parameter that can be used to pin the origin time of the generated token. - format: date-time - type: string - required: - - secret - type: object - type: object - served: true - storage: true - subresources: - status: {} diff --git a/apps/external-secrets/manifests/CustomResourceDefinition-passwords.generators.external-secrets.io b/apps/external-secrets/manifests/CustomResourceDefinition-passwords.generators.external-secrets.io deleted file mode 100644 index 2243acb0..00000000 --- a/apps/external-secrets/manifests/CustomResourceDefinition-passwords.generators.external-secrets.io +++ /dev/null @@ -1,106 +0,0 @@ ---- -# Source: external-secrets/templates/crds/password.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - labels: - external-secrets.io/component: controller - name: passwords.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - external-secrets - - external-secrets-generators - kind: Password - listKind: PasswordList - plural: passwords - singular: password - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - Password generates a random password based on the - configuration parameters in spec. - You can specify the length, characterset and other attributes. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: PasswordSpec controls the behavior of the password generator. - properties: - allowRepeat: - default: false - description: set AllowRepeat to true to allow repeating characters. - type: boolean - digits: - description: |- - Digits specifies the number of digits in the generated - password. If omitted it defaults to 25% of the length of the password - type: integer - encoding: - default: raw - description: |- - Encoding specifies the encoding of the generated password. - Valid values are: - - "raw" (default): no encoding - - "base64": standard base64 encoding - - "base64url": base64url encoding - - "base32": base32 encoding - - "hex": hexadecimal encoding - enum: - - base64 - - base64url - - base32 - - hex - - raw - type: string - length: - default: 24 - description: |- - Length of the password to be generated. - Defaults to 24 - type: integer - noUpper: - default: false - description: Set NoUpper to disable uppercase characters - type: boolean - symbolCharacters: - description: |- - SymbolCharacters specifies the special characters that should be used - in the generated password. - type: string - symbols: - description: |- - Symbols specifies the number of symbol characters in the generated - password. If omitted it defaults to 25% of the length of the password - type: integer - required: - - allowRepeat - - length - - noUpper - type: object - type: object - served: true - storage: true - subresources: - status: {} diff --git a/apps/external-secrets/manifests/CustomResourceDefinition-pushsecrets.external-secrets.io b/apps/external-secrets/manifests/CustomResourceDefinition-pushsecrets.external-secrets.io deleted file mode 100644 index 350b8a06..00000000 --- a/apps/external-secrets/manifests/CustomResourceDefinition-pushsecrets.external-secrets.io +++ /dev/null @@ -1,497 +0,0 @@ ---- -# Source: external-secrets/templates/crds/pushsecret.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - labels: - external-secrets.io/component: controller - name: pushsecrets.external-secrets.io -spec: - group: external-secrets.io - names: - categories: - - external-secrets - kind: PushSecret - listKind: PushSecretList - plural: pushsecrets - shortNames: - - ps - singular: pushsecret - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - name: v1alpha1 - schema: - openAPIV3Schema: - description: PushSecret is the Schema for the PushSecrets API that enables pushing Kubernetes secrets to external secret providers. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: PushSecretSpec configures the behavior of the PushSecret. - properties: - data: - description: Secret Data that should be pushed to providers - items: - description: PushSecretData defines data to be pushed to the provider and associated metadata. - properties: - conversionStrategy: - default: None - description: Used to define a conversion Strategy for the secret keys - enum: - - None - - ReverseUnicode - type: string - match: - description: Match a given Secret Key to be pushed to the provider. - properties: - remoteRef: - description: Remote Refs to push to providers. - properties: - property: - description: Name of the property in the resulting secret - type: string - remoteKey: - description: Name of the resulting provider secret. - type: string - required: - - remoteKey - type: object - secretKey: - description: Secret Key to be pushed - type: string - required: - - remoteRef - type: object - metadata: - description: |- - Metadata is metadata attached to the secret. - The structure of metadata is provider specific, please look it up in the provider documentation. - x-kubernetes-preserve-unknown-fields: true - required: - - match - type: object - type: array - deletionPolicy: - default: None - description: Deletion Policy to handle Secrets in the provider. - enum: - - Delete - - None - type: string - refreshInterval: - default: 1h - description: The Interval to which External Secrets will try to push a secret definition - type: string - secretStoreRefs: - items: - description: PushSecretStoreRef contains a reference on how to sync to a SecretStore. - properties: - kind: - default: SecretStore - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - enum: - - SecretStore - - ClusterSecretStore - type: string - labelSelector: - description: Optionally, sync to secret stores with label selector - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - name: - description: Optionally, sync to the SecretStore of the given name - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - type: object - type: array - selector: - description: The Secret Selector (k8s source) for the Push Secret - maxProperties: 1 - minProperties: 1 - properties: - generatorRef: - description: Point to a generator to create a Secret. - properties: - apiVersion: - default: generators.external-secrets.io/v1alpha1 - description: Specify the apiVersion of the generator resource - type: string - kind: - description: Specify the Kind of the generator resource - enum: - - ACRAccessToken - - ClusterGenerator - - CloudsmithAccessToken - - ECRAuthorizationToken - - Fake - - GCRAccessToken - - GithubAccessToken - - QuayAccessToken - - Password - - SSHKey - - STSSessionToken - - UUID - - VaultDynamicSecret - - Webhook - - Grafana - - MFA - type: string - name: - description: Specify the name of the generator resource - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - required: - - kind - - name - type: object - secret: - description: Select a Secret to Push. - properties: - name: - description: |- - Name of the Secret. - The Secret must exist in the same namespace as the PushSecret manifest. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - selector: - description: Selector chooses secrets using a labelSelector. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - type: object - template: - description: Template defines a blueprint for the created Secret resource. - properties: - data: - additionalProperties: - type: string - type: object - engineVersion: - default: v2 - description: |- - EngineVersion specifies the template engine version - that should be used to compile/execute the - template specified in .data and .templateFrom[]. - enum: - - v2 - type: string - mergePolicy: - default: Replace - description: TemplateMergePolicy defines how the rendered template should be merged with the existing Secret data. - enum: - - Replace - - Merge - type: string - metadata: - description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - type: object - templateFrom: - items: - description: |- - TemplateFrom specifies a source for templates. - Each item in the list can either reference a ConfigMap or a Secret resource. - properties: - configMap: - description: TemplateRef specifies a reference to either a ConfigMap or a Secret resource. - properties: - items: - description: A list of keys in the ConfigMap/Secret to use as templates for Secret data - items: - description: TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data. - properties: - key: - description: A key in the ConfigMap/Secret - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - templateAs: - default: Values - description: TemplateScope specifies how the template keys should be interpreted. - enum: - - Values - - KeysAndValues - type: string - required: - - key - type: object - type: array - name: - description: The name of the ConfigMap/Secret resource - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - required: - - items - - name - type: object - literal: - type: string - secret: - description: TemplateRef specifies a reference to either a ConfigMap or a Secret resource. - properties: - items: - description: A list of keys in the ConfigMap/Secret to use as templates for Secret data - items: - description: TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data. - properties: - key: - description: A key in the ConfigMap/Secret - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - templateAs: - default: Values - description: TemplateScope specifies how the template keys should be interpreted. - enum: - - Values - - KeysAndValues - type: string - required: - - key - type: object - type: array - name: - description: The name of the ConfigMap/Secret resource - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - required: - - items - - name - type: object - target: - default: Data - description: TemplateTarget specifies where the rendered templates should be applied. - enum: - - Data - - Annotations - - Labels - type: string - type: object - type: array - type: - type: string - type: object - updatePolicy: - default: Replace - description: UpdatePolicy to handle Secrets in the provider. - enum: - - Replace - - IfNotExists - type: string - required: - - secretStoreRefs - - selector - type: object - status: - description: PushSecretStatus indicates the history of the status of PushSecret. - properties: - conditions: - items: - description: PushSecretStatusCondition indicates the status of the PushSecret. - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - description: PushSecretConditionType indicates the condition of the PushSecret. - type: string - required: - - status - - type - type: object - type: array - refreshTime: - description: |- - refreshTime is the time and date the external secret was fetched and - the target secret updated - format: date-time - nullable: true - type: string - syncedPushSecrets: - additionalProperties: - additionalProperties: - description: PushSecretData defines data to be pushed to the provider and associated metadata. - properties: - conversionStrategy: - default: None - description: Used to define a conversion Strategy for the secret keys - enum: - - None - - ReverseUnicode - type: string - match: - description: Match a given Secret Key to be pushed to the provider. - properties: - remoteRef: - description: Remote Refs to push to providers. - properties: - property: - description: Name of the property in the resulting secret - type: string - remoteKey: - description: Name of the resulting provider secret. - type: string - required: - - remoteKey - type: object - secretKey: - description: Secret Key to be pushed - type: string - required: - - remoteRef - type: object - metadata: - description: |- - Metadata is metadata attached to the secret. - The structure of metadata is provider specific, please look it up in the provider documentation. - x-kubernetes-preserve-unknown-fields: true - required: - - match - type: object - type: object - description: |- - Synced PushSecrets, including secrets that already exist in provider. - Matches secret stores to PushSecretData that was stored to that secret store. - type: object - syncedResourceVersion: - description: SyncedResourceVersion keeps track of the last synced version. - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} diff --git a/apps/external-secrets/manifests/CustomResourceDefinition-quayaccesstokens.generators.external-secrets.io b/apps/external-secrets/manifests/CustomResourceDefinition-quayaccesstokens.generators.external-secrets.io deleted file mode 100644 index eeee906b..00000000 --- a/apps/external-secrets/manifests/CustomResourceDefinition-quayaccesstokens.generators.external-secrets.io +++ /dev/null @@ -1,90 +0,0 @@ ---- -# Source: external-secrets/templates/crds/quayaccesstoken.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - labels: - external-secrets.io/component: controller - name: quayaccesstokens.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - external-secrets - - external-secrets-generators - kind: QuayAccessToken - listKind: QuayAccessTokenList - plural: quayaccesstokens - singular: quayaccesstoken - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: QuayAccessToken generates Quay oauth token for pulling/pushing images - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: QuayAccessTokenSpec defines the desired state to generate a Quay access token. - properties: - robotAccount: - description: Name of the robot account you are federating with - type: string - serviceAccountRef: - description: Name of the service account you are federating with - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - url: - description: URL configures the Quay instance URL. Defaults to quay.io. - type: string - required: - - robotAccount - - serviceAccountRef - type: object - type: object - served: true - storage: true - subresources: - status: {} diff --git a/apps/external-secrets/manifests/CustomResourceDefinition-secretstores.external-secrets.io b/apps/external-secrets/manifests/CustomResourceDefinition-secretstores.external-secrets.io deleted file mode 100644 index fd505402..00000000 --- a/apps/external-secrets/manifests/CustomResourceDefinition-secretstores.external-secrets.io +++ /dev/null @@ -1,9494 +0,0 @@ ---- -# Source: external-secrets/templates/crds/secretstore.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - labels: - external-secrets.io/component: controller - name: secretstores.external-secrets.io -spec: - group: external-secrets.io - names: - categories: - - external-secrets - kind: SecretStore - listKind: SecretStoreList - plural: secretstores - shortNames: - - ss - singular: secretstore - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - - jsonPath: .status.capabilities - name: Capabilities - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - name: v1 - schema: - openAPIV3Schema: - description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: SecretStoreSpec defines the desired state of SecretStore. - properties: - conditions: - description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore - items: - description: |- - ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in - for a ClusterSecretStore instance. - properties: - namespaceRegexes: - description: Choose namespaces by using regex matching - items: - type: string - type: array - namespaceSelector: - description: Choose namespace using a labelSelector - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Choose namespaces by name - items: - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: array - type: object - type: array - controller: - description: |- - Used to select the correct ESO controller (think: ingress.ingressClassName) - The ESO controller is instantiated with a specific controller name and filters ES based on this property - type: string - provider: - description: Used to configure the provider. Only one provider may be set - maxProperties: 1 - minProperties: 1 - properties: - akeyless: - description: Akeyless configures this store to sync secrets using Akeyless Vault provider - properties: - akeylessGWApiURL: - description: Akeyless GW API Url from which the secrets to be fetched from. - type: string - authSecretRef: - description: Auth configures how the operator authenticates with Akeyless. - properties: - kubernetesAuth: - description: |- - Kubernetes authenticates with Akeyless by passing the ServiceAccount - token stored in the named Secret resource. - properties: - accessID: - description: the Akeyless Kubernetes auth-method access-id - type: string - k8sConfName: - description: Kubernetes-auth configuration name in Akeyless-Gateway - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Akeyless. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Akeyless. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - required: - - accessID - - k8sConfName - type: object - secretRef: - description: |- - Reference to a Secret that contains the details - to authenticate with Akeyless. - properties: - accessID: - description: The SecretAccessID is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - accessType: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - accessTypeParam: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - type: object - caBundle: - description: |- - PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used - if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Akeyless Gateway certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the object located at the provider type. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - required: - - akeylessGWApiURL - - authSecretRef - type: object - alibaba: - description: Alibaba configures this store to sync secrets using Alibaba Cloud provider - properties: - auth: - description: AlibabaAuth contains a secretRef for credentials. - properties: - rrsa: - description: AlibabaRRSAAuth authenticates against Alibaba using RRSA. - properties: - oidcProviderArn: - type: string - oidcTokenFilePath: - type: string - roleArn: - type: string - sessionName: - type: string - required: - - oidcProviderArn - - oidcTokenFilePath - - roleArn - - sessionName - type: object - secretRef: - description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - accessKeySecretSecretRef: - description: The AccessKeySecret is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - accessKeyIDSecretRef - - accessKeySecretSecretRef - type: object - type: object - regionID: - description: Alibaba Region to be used for the provider - type: string - required: - - auth - - regionID - type: object - aws: - description: AWS configures this store to sync secrets using AWS Secret Manager provider - properties: - additionalRoles: - description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role - items: - type: string - type: array - auth: - description: |- - Auth defines the information necessary to authenticate against AWS - if not set aws sdk will infer credentials from your environment - see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - properties: - jwt: - description: AWSJWTAuth stores reference to Authenticate against AWS using service account tokens. - properties: - serviceAccountRef: - description: ServiceAccountSelector is a reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - type: object - secretRef: - description: |- - AWSAuthSecretRef holds secret references for AWS credentials - both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - sessionTokenSecretRef: - description: |- - The SessionToken used for authentication - This must be defined if AccessKeyID and SecretAccessKey are temporary credentials - see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - type: object - externalID: - description: AWS External ID set on assumed IAM roles - type: string - prefix: - description: Prefix adds a prefix to all retrieved values. - type: string - region: - description: AWS Region to be used for the provider - type: string - role: - description: Role is a Role ARN which the provider will assume - type: string - secretsManager: - description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager - properties: - forceDeleteWithoutRecovery: - description: |- - Specifies whether to delete the secret without any recovery window. You - can't use both this parameter and RecoveryWindowInDays in the same call. - If you don't use either, then by default Secrets Manager uses a 30 day - recovery window. - see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery - type: boolean - recoveryWindowInDays: - description: |- - The number of days from 7 to 30 that Secrets Manager waits before - permanently deleting the secret. You can't use both this parameter and - ForceDeleteWithoutRecovery in the same call. If you don't use either, - then by default Secrets Manager uses a 30-day recovery window. - see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays - format: int64 - type: integer - type: object - service: - description: Service defines which service should be used to fetch the secrets - enum: - - SecretsManager - - ParameterStore - type: string - sessionTags: - description: AWS STS assume role session tags - items: - description: |- - Tag is a key-value pair that can be attached to an AWS resource. - see: https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html - properties: - key: - type: string - value: - type: string - required: - - key - - value - type: object - type: array - transitiveTagKeys: - description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider - items: - type: string - type: array - required: - - region - - service - type: object - azurekv: - description: AzureKV configures this store to sync secrets using Azure Key Vault provider - properties: - authSecretRef: - description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. - properties: - clientCertificate: - description: The Azure ClientCertificate of the service principle used for authentication. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - clientId: - description: The Azure clientId of the service principle or managed identity used for authentication. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - clientSecret: - description: The Azure ClientSecret of the service principle used for authentication. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - tenantId: - description: The Azure tenantId of the managed identity used for authentication. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - authType: - default: ServicePrincipal - description: |- - Auth type defines how to authenticate to the keyvault service. - Valid values are: - - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) - enum: - - ServicePrincipal - - ManagedIdentity - - WorkloadIdentity - type: string - customCloudConfig: - description: |- - CustomCloudConfig defines custom Azure Stack Hub or Azure Stack Edge endpoints. - Required when EnvironmentType is AzureStackCloud. - IMPORTANT: This feature REQUIRES UseAzureSDK to be set to true. Custom cloud - configuration is not supported with the legacy go-autorest SDK. - properties: - activeDirectoryEndpoint: - description: |- - ActiveDirectoryEndpoint is the AAD endpoint for authentication - Required when using custom cloud configuration - type: string - keyVaultDNSSuffix: - description: KeyVaultDNSSuffix is the DNS suffix for Key Vault URLs - type: string - keyVaultEndpoint: - description: KeyVaultEndpoint is the Key Vault service endpoint - type: string - resourceManagerEndpoint: - description: ResourceManagerEndpoint is the Azure Resource Manager endpoint - type: string - required: - - activeDirectoryEndpoint - type: object - environmentType: - default: PublicCloud - description: |- - EnvironmentType specifies the Azure cloud environment endpoints to use for - connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. - The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 - PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud, AzureStackCloud - Use AzureStackCloud when you need to configure custom Azure Stack Hub or Azure Stack Edge endpoints. - enum: - - PublicCloud - - USGovernmentCloud - - ChinaCloud - - GermanCloud - - AzureStackCloud - type: string - identityId: - description: If multiple Managed Identity is assigned to the pod, you can select the one to be used - type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. - type: string - useAzureSDK: - default: false - description: |- - UseAzureSDK enables the use of the new Azure SDK for Go (azcore-based) instead of the legacy go-autorest SDK. - This is experimental and may have behavioral differences. Defaults to false (legacy SDK). - type: boolean - vaultUrl: - description: Vault Url from which the secrets to be fetched from. - type: string - required: - - vaultUrl - type: object - beyondtrust: - description: Beyondtrust configures this store to sync secrets using Password Safe provider. - properties: - auth: - description: Auth configures how the operator authenticates with Beyondtrust. - properties: - apiKey: - description: APIKey If not provided then ClientID/ClientSecret become required. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - certificate: - description: Certificate (cert.pem) for use when authenticating with an OAuth client Id using a Client Certificate. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - certificateKey: - description: Certificate private key (key.pem). For use when authenticating with an OAuth client Id - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - clientId: - description: ClientID is the API OAuth Client ID. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - clientSecret: - description: ClientSecret is the API OAuth Client Secret. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - type: object - server: - description: Auth configures how API server works. - properties: - apiUrl: - type: string - apiVersion: - type: string - clientTimeOutSeconds: - description: Timeout specifies a time limit for requests made by this Client. The timeout includes connection time, any redirects, and reading the response body. Defaults to 45 seconds. - type: integer - retrievalType: - description: The secret retrieval type. SECRET = Secrets Safe (credential, text, file). MANAGED_ACCOUNT = Password Safe account associated with a system. - type: string - separator: - description: A character that separates the folder names. - type: string - verifyCA: - type: boolean - required: - - apiUrl - - verifyCA - type: object - required: - - auth - - server - type: object - bitwardensecretsmanager: - description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider - properties: - apiURL: - type: string - auth: - description: |- - Auth configures how secret-manager authenticates with a bitwarden machine account instance. - Make sure that the token being used has permissions on the given secret. - properties: - secretRef: - description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance. - properties: - credentials: - description: AccessToken used for the bitwarden instance. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - credentials - type: object - required: - - secretRef - type: object - bitwardenServerSDKURL: - type: string - caBundle: - description: |- - Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack - can be performed. - type: string - caProvider: - description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider' - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the object located at the provider type. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - identityURL: - type: string - organizationID: - description: OrganizationID determines which organization this secret store manages. - type: string - projectID: - description: ProjectID determines which project this secret store manages. - type: string - required: - - auth - - organizationID - - projectID - type: object - chef: - description: Chef configures this store to sync secrets with chef server - properties: - auth: - description: Auth defines the information necessary to authenticate against chef Server - properties: - secretRef: - description: ChefAuthSecretRef holds secret references for chef server login credentials. - properties: - privateKeySecretRef: - description: SecretKey is the Signing Key in PEM format, used for authentication. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - privateKeySecretRef - type: object - required: - - secretRef - type: object - serverUrl: - description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/" - type: string - username: - description: UserName should be the user ID on the chef server - type: string - required: - - auth - - serverUrl - - username - type: object - cloudrusm: - description: CloudruSM configures this store to sync secrets using the Cloud.ru Secret Manager provider - properties: - auth: - description: CSMAuth contains a secretRef for credentials. - properties: - secretRef: - description: CSMAuthSecretRef holds secret references for Cloud.ru credentials. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - accessKeySecretSecretRef: - description: The AccessKeySecret is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - accessKeyIDSecretRef - - accessKeySecretSecretRef - type: object - type: object - projectID: - description: ProjectID is the project, which the secrets are stored in. - type: string - required: - - auth - type: object - conjur: - description: Conjur configures this store to sync secrets using conjur provider - properties: - auth: - description: Defines authentication settings for connecting to Conjur. - properties: - apikey: - description: Authenticates with Conjur using an API key. - properties: - account: - description: Account is the Conjur organization account name. - type: string - apiKeyRef: - description: |- - A reference to a specific 'key' containing the Conjur API key - within a Secret resource. In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - userRef: - description: |- - A reference to a specific 'key' containing the Conjur username - within a Secret resource. In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - account - - apiKeyRef - - userRef - type: object - jwt: - description: Jwt enables JWT authentication using Kubernetes service account tokens. - properties: - account: - description: Account is the Conjur organization account name. - type: string - hostId: - description: |- - Optional HostID for JWT authentication. This may be used depending - on how the Conjur JWT authenticator policy is configured. - type: string - secretRef: - description: |- - Optional SecretRef that refers to a key in a Secret resource containing JWT token to - authenticate with Conjur using the JWT authentication method. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - serviceAccountRef: - description: |- - Optional ServiceAccountRef specifies the Kubernetes service account for which to request - a token for with the `TokenRequest` API. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - serviceID: - description: The conjur authn jwt webservice id - type: string - required: - - account - - serviceID - type: object - type: object - caBundle: - description: CABundle is a PEM encoded CA bundle that will be used to validate the Conjur server certificate. - type: string - caProvider: - description: |- - Used to provide custom certificate authority (CA) certificates - for a secret store. The CAProvider points to a Secret or ConfigMap resource - that contains a PEM-encoded certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the object located at the provider type. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - description: URL is the endpoint of the Conjur instance. - type: string - required: - - auth - - url - type: object - delinea: - description: |- - Delinea DevOps Secrets Vault - https://docs.delinea.com/online-help/products/devops-secrets-vault/current - properties: - clientId: - description: ClientID is the non-secret part of the credential. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - clientSecret: - description: ClientSecret is the secret part of the credential. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - tenant: - description: Tenant is the chosen hostname / site name. - type: string - tld: - description: |- - TLD is based on the server location that was chosen during provisioning. - If unset, defaults to "com". - type: string - urlTemplate: - description: |- - URLTemplate - If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". - type: string - required: - - clientId - - clientSecret - - tenant - type: object - device42: - description: Device42 configures this store to sync secrets using the Device42 provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Device42 instance. - properties: - secretRef: - description: Device42SecretRef contains the secret reference for accessing the Device42 instance. - properties: - credentials: - description: Username / Password is used for authentication. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - required: - - secretRef - type: object - host: - description: URL configures the Device42 instance URL. - type: string - required: - - auth - - host - type: object - doppler: - description: Doppler configures this store to sync secrets using the Doppler provider - properties: - auth: - description: Auth configures how the Operator authenticates with the Doppler API - properties: - secretRef: - description: DopplerAuthSecretRef contains the secret reference for accessing the Doppler API. - properties: - dopplerToken: - description: |- - The DopplerToken is used for authentication. - See https://docs.doppler.com/reference/api#authentication for auth token types. - The Key attribute defaults to dopplerToken if not specified. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - dopplerToken - type: object - required: - - secretRef - type: object - config: - description: Doppler config (required if not using a Service Token) - type: string - format: - description: Format enables the downloading of secrets as a file (string) - enum: - - json - - dotnet-json - - env - - yaml - - docker - type: string - nameTransformer: - description: Environment variable compatible name transforms that change secret names to a different format - enum: - - upper-camel - - camel - - lower-snake - - tf-var - - dotnet-env - - lower-kebab - type: string - project: - description: Doppler project (required if not using a Service Token) - type: string - required: - - auth - type: object - fake: - description: Fake configures a store with static key/value pairs - properties: - data: - items: - description: FakeProviderData defines a key-value pair with optional version for the fake provider. - properties: - key: - type: string - value: - type: string - version: - type: string - required: - - key - - value - type: object - type: array - validationResult: - description: ValidationResult is defined type for the number of validation results. - type: integer - required: - - data - type: object - fortanix: - description: Fortanix configures this store to sync secrets using the Fortanix provider - properties: - apiKey: - description: APIKey is the API token to access SDKMS Applications. - properties: - secretRef: - description: SecretRef is a reference to a secret containing the SDKMS API Key. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - apiUrl: - description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`. - type: string - type: object - gcpsm: - description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider - properties: - auth: - description: Auth defines the information necessary to authenticate against GCP - properties: - secretRef: - description: GCPSMAuthSecretRef contains the secret references for GCP Secret Manager authentication. - properties: - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - workloadIdentity: - description: GCPWorkloadIdentity defines configuration for workload identity authentication to GCP. - properties: - clusterLocation: - description: |- - ClusterLocation is the location of the cluster - If not specified, it fetches information from the metadata server - type: string - clusterName: - description: |- - ClusterName is the name of the cluster - If not specified, it fetches information from the metadata server - type: string - clusterProjectID: - description: |- - ClusterProjectID is the project ID of the cluster - If not specified, it fetches information from the metadata server - type: string - serviceAccountRef: - description: ServiceAccountSelector is a reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - workloadIdentityFederation: - description: GCPWorkloadIdentityFederation holds the configurations required for generating federated access tokens. - properties: - audience: - description: |- - audience is the Secure Token Service (STS) audience which contains the resource name for the workload identity pool and the provider identifier in that pool. - If specified, Audience found in the external account credential config will be overridden with the configured value. - audience must be provided when serviceAccountRef or awsSecurityCredentials is configured. - type: string - awsSecurityCredentials: - description: |- - awsSecurityCredentials is for configuring AWS region and credentials to use for obtaining the access token, - when using the AWS metadata server is not an option. - properties: - awsCredentialsSecretRef: - description: |- - awsCredentialsSecretRef is the reference to the secret which holds the AWS credentials. - Secret should be created with below names for keys - - aws_access_key_id: Access Key ID, which is the unique identifier for the AWS account or the IAM user. - - aws_secret_access_key: Secret Access Key, which is used to authenticate requests made to AWS services. - - aws_session_token: Session Token, is the short-lived token to authenticate requests made to AWS services. - properties: - name: - description: name of the secret. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: namespace in which the secret exists. If empty, secret will looked up in local namespace. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - region: - description: region is for configuring the AWS region to be used. - example: ap-south-1 - maxLength: 50 - minLength: 1 - pattern: ^[a-z0-9-]+$ - type: string - required: - - awsCredentialsSecretRef - - region - type: object - credConfig: - description: |- - credConfig holds the configmap reference containing the GCP external account credential configuration in JSON format and the key name containing the json data. - For using Kubernetes cluster as the identity provider, use serviceAccountRef instead. Operators mounted serviceaccount token cannot be used as the token source, instead - serviceAccountRef must be used by providing operators service account details. - properties: - key: - description: key name holding the external account credential config. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: name of the configmap. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: namespace in which the configmap exists. If empty, configmap will looked up in local namespace. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - key - - name - type: object - externalTokenEndpoint: - description: |- - externalTokenEndpoint is the endpoint explicitly set up to provide tokens, which will be matched against the - credential_source.url in the provided credConfig. This field is merely to double-check the external token source - URL is having the expected value. - type: string - serviceAccountRef: - description: |- - serviceAccountRef is the reference to the kubernetes ServiceAccount to be used for obtaining the tokens, - when Kubernetes is configured as provider in workload identity pool. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - type: object - type: object - location: - description: Location optionally defines a location for a secret - type: string - projectID: - description: ProjectID project where secret is located - type: string - secretVersionSelectionPolicy: - default: LatestOrFail - description: |- - SecretVersionSelectionPolicy specifies how the provider selects a secret version - when "latest" is disabled or destroyed. - Possible values are: - - LatestOrFail: the provider always uses "latest", or fails if that version is disabled/destroyed. - - LatestOrFetch: the provider falls back to fetching the latest version if the version is DESTROYED or DISABLED - type: string - type: object - github: - description: |- - Github configures this store to push GitHub Action secrets using GitHub API provider. - Note: This provider only supports write operations (PushSecret) and cannot fetch secrets from GitHub - properties: - appID: - description: appID specifies the Github APP that will be used to authenticate the client - format: int64 - type: integer - auth: - description: auth configures how secret-manager authenticates with a Github instance. - properties: - privateKey: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - privateKey - type: object - environment: - description: environment will be used to fetch secrets from a particular environment within a github repository - type: string - installationID: - description: installationID specifies the Github APP installation that will be used to authenticate the client - format: int64 - type: integer - organization: - description: organization will be used to fetch secrets from the Github organization - type: string - repository: - description: repository will be used to fetch secrets from the Github repository within an organization - type: string - uploadURL: - description: Upload URL for enterprise instances. Default to URL. - type: string - url: - default: https://github.com/ - description: URL configures the Github instance URL. Defaults to https://github.com/. - type: string - required: - - appID - - auth - - installationID - - organization - type: object - gitlab: - description: GitLab configures this store to sync secrets using GitLab Variables provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a GitLab instance. - properties: - SecretRef: - description: GitlabSecretRef contains the secret reference for GitLab authentication credentials. - properties: - accessToken: - description: AccessToken is used for authentication. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - required: - - SecretRef - type: object - caBundle: - description: |- - Base64 encoded certificate for the GitLab server sdk. The sdk MUST run with HTTPS to make sure no MITM attack - can be performed. - format: byte - type: string - caProvider: - description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider' - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the object located at the provider type. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - environment: - description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments) - type: string - groupIDs: - description: GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables. - items: - type: string - type: array - inheritFromGroups: - description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets. - type: boolean - projectID: - description: ProjectID specifies a project where secrets are located. - type: string - url: - description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/. - type: string - required: - - auth - type: object - ibm: - description: IBM configures this store to sync secrets using IBM Cloud provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the IBM secrets manager. - maxProperties: 1 - minProperties: 1 - properties: - containerAuth: - description: IBMAuthContainerAuth defines container-based authentication with IAM Trusted Profile. - properties: - iamEndpoint: - type: string - profile: - description: the IBM Trusted Profile - type: string - tokenLocation: - description: Location the token is mounted on the pod - type: string - required: - - profile - type: object - secretRef: - description: IBMAuthSecretRef contains the secret reference for IBM Cloud API key authentication. - properties: - secretApiKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - type: object - serviceUrl: - description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance - type: string - required: - - auth - type: object - infisical: - description: Infisical configures this store to sync secrets using the Infisical provider - properties: - auth: - description: Auth configures how the Operator authenticates with the Infisical API - properties: - awsAuthCredentials: - description: AwsAuthCredentials represents the credentials for AWS authentication. - properties: - identityId: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - identityId - type: object - azureAuthCredentials: - description: AzureAuthCredentials represents the credentials for Azure authentication. - properties: - identityId: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - resource: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - identityId - type: object - gcpIamAuthCredentials: - description: GcpIamAuthCredentials represents the credentials for GCP IAM authentication. - properties: - identityId: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - serviceAccountKeyFilePath: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - identityId - - serviceAccountKeyFilePath - type: object - gcpIdTokenAuthCredentials: - description: GcpIDTokenAuthCredentials represents the credentials for GCP ID token authentication. - properties: - identityId: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - identityId - type: object - jwtAuthCredentials: - description: JwtAuthCredentials represents the credentials for JWT authentication. - properties: - identityId: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - jwt: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - identityId - - jwt - type: object - kubernetesAuthCredentials: - description: KubernetesAuthCredentials represents the credentials for Kubernetes authentication. - properties: - identityId: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - serviceAccountTokenPath: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - identityId - type: object - ldapAuthCredentials: - description: LdapAuthCredentials represents the credentials for LDAP authentication. - properties: - identityId: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - ldapPassword: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - ldapUsername: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - identityId - - ldapPassword - - ldapUsername - type: object - ociAuthCredentials: - description: OciAuthCredentials represents the credentials for OCI authentication. - properties: - fingerprint: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - identityId: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - privateKey: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - privateKeyPassphrase: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - region: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - tenancyId: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - userId: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - fingerprint - - identityId - - privateKey - - region - - tenancyId - - userId - type: object - tokenAuthCredentials: - description: TokenAuthCredentials represents the credentials for access token-based authentication. - properties: - accessToken: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - accessToken - type: object - universalAuthCredentials: - description: UniversalAuthCredentials represents the client credentials for universal authentication. - properties: - clientId: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - clientSecret: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - clientId - - clientSecret - type: object - type: object - hostAPI: - default: https://app.infisical.com/api - description: HostAPI specifies the base URL of the Infisical API. If not provided, it defaults to "https://app.infisical.com/api". - type: string - secretsScope: - description: SecretsScope defines the scope of the secrets within the workspace - properties: - environmentSlug: - description: EnvironmentSlug is the required slug identifier for the environment. - type: string - expandSecretReferences: - default: true - description: ExpandSecretReferences indicates whether secret references should be expanded. Defaults to true if not provided. - type: boolean - projectSlug: - description: ProjectSlug is the required slug identifier for the project. - type: string - recursive: - default: false - description: Recursive indicates whether the secrets should be fetched recursively. Defaults to false if not provided. - type: boolean - secretsPath: - default: / - description: SecretsPath specifies the path to the secrets within the workspace. Defaults to "/" if not provided. - type: string - required: - - environmentSlug - - projectSlug - type: object - required: - - auth - - secretsScope - type: object - keepersecurity: - description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider - properties: - authRef: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - folderID: - type: string - required: - - authRef - - folderID - type: object - kubernetes: - description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Kubernetes instance. - maxProperties: 1 - minProperties: 1 - properties: - cert: - description: has both clientCert and clientKey as secretKeySelector - properties: - clientCert: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - clientKey: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - serviceAccount: - description: points to a service account that should be used for authentication - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - token: - description: use static token to authenticate with - properties: - bearerToken: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - type: object - authRef: - description: A reference to a secret that contains the auth information. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - remoteNamespace: - default: default - description: Remote namespace to fetch the secrets from - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - server: - description: configures the Kubernetes server Address. - properties: - caBundle: - description: CABundle is a base64-encoded CA certificate - format: byte - type: string - caProvider: - description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider' - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the object located at the provider type. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - default: kubernetes.default - description: configures the Kubernetes server Address. - type: string - type: object - type: object - ngrok: - description: Ngrok configures this store to sync secrets using the ngrok provider. - properties: - apiUrl: - default: https://api.ngrok.com - description: APIURL is the URL of the ngrok API. - type: string - auth: - description: Auth configures how the ngrok provider authenticates with the ngrok API. - maxProperties: 1 - minProperties: 1 - properties: - apiKey: - description: APIKey is the API Key used to authenticate with ngrok. See https://ngrok.com/docs/api/#authentication - properties: - secretRef: - description: SecretRef is a reference to a secret containing the ngrok API key. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - type: object - vault: - description: Vault configures the ngrok vault to sync secrets with. - properties: - name: - description: Name is the name of the ngrok vault to sync secrets with. - type: string - required: - - name - type: object - required: - - auth - - vault - type: object - onboardbase: - description: Onboardbase configures this store to sync secrets using the Onboardbase provider - properties: - apiHost: - default: https://public.onboardbase.com/api/v1/ - description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/ - type: string - auth: - description: Auth configures how the Operator authenticates with the Onboardbase API - properties: - apiKeyRef: - description: |- - OnboardbaseAPIKey is the APIKey generated by an admin account. - It is used to recognize and authorize access to a project and environment within onboardbase - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - passcodeRef: - description: OnboardbasePasscode is the passcode attached to the API Key - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - apiKeyRef - - passcodeRef - type: object - environment: - default: development - description: Environment is the name of an environmnent within a project to pull the secrets from - type: string - project: - default: development - description: Project is an onboardbase project that the secrets should be pulled from - type: string - required: - - apiHost - - auth - - environment - - project - type: object - onepassword: - description: OnePassword configures this store to sync secrets using the 1Password Cloud provider - properties: - auth: - description: Auth defines the information necessary to authenticate against OnePassword Connect Server - properties: - secretRef: - description: OnePasswordAuthSecretRef holds secret references for 1Password credentials. - properties: - connectTokenSecretRef: - description: The ConnectToken is used for authentication to a 1Password Connect Server. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - connectTokenSecretRef - type: object - required: - - secretRef - type: object - connectHost: - description: ConnectHost defines the OnePassword Connect Server to connect to - type: string - vaults: - additionalProperties: - type: integer - description: Vaults defines which OnePassword vaults to search in which order - type: object - required: - - auth - - connectHost - - vaults - type: object - onepasswordSDK: - description: OnePasswordSDK configures this store to use 1Password's new Go SDK to sync secrets. - properties: - auth: - description: Auth defines the information necessary to authenticate against OnePassword API. - properties: - serviceAccountSecretRef: - description: ServiceAccountSecretRef points to the secret containing the token to access 1Password vault. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - serviceAccountSecretRef - type: object - integrationInfo: - description: |- - IntegrationInfo specifies the name and version of the integration built using the 1Password Go SDK. - If you don't know which name and version to use, use `DefaultIntegrationName` and `DefaultIntegrationVersion`, respectively. - properties: - name: - default: 1Password SDK - description: Name defaults to "1Password SDK". - type: string - version: - default: v1.0.0 - description: Version defaults to "v1.0.0". - type: string - type: object - vault: - description: Vault defines the vault's name or uuid to access. Do NOT add op:// prefix. This will be done automatically. - type: string - required: - - auth - - vault - type: object - oracle: - description: Oracle configures this store to sync secrets using Oracle Vault provider - properties: - auth: - description: |- - Auth configures how secret-manager authenticates with the Oracle Vault. - If empty, use the instance principal, otherwise the user credentials specified in Auth. - properties: - secretRef: - description: SecretRef to pass through sensitive information. - properties: - fingerprint: - description: Fingerprint is the fingerprint of the API private key. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - privatekey: - description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - fingerprint - - privatekey - type: object - tenancy: - description: Tenancy is the tenancy OCID where user is located. - type: string - user: - description: User is an access OCID specific to the account. - type: string - required: - - secretRef - - tenancy - - user - type: object - compartment: - description: |- - Compartment is the vault compartment OCID. - Required for PushSecret - type: string - encryptionKey: - description: |- - EncryptionKey is the OCID of the encryption key within the vault. - Required for PushSecret - type: string - principalType: - description: |- - The type of principal to use for authentication. If left blank, the Auth struct will - determine the principal type. This optional field must be specified if using - workload identity. - enum: - - "" - - UserPrincipal - - InstancePrincipal - - Workload - type: string - region: - description: Region is the region where vault is located. - type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - vault: - description: Vault is the vault's OCID of the specific vault where secret is located. - type: string - required: - - region - - vault - type: object - passbolt: - description: |- - PassboltProvider provides access to Passbolt secrets manager. - See: https://www.passbolt.com. - properties: - auth: - description: Auth defines the information necessary to authenticate against Passbolt Server - properties: - passwordSecretRef: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - privateKeySecretRef: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - passwordSecretRef - - privateKeySecretRef - type: object - host: - description: Host defines the Passbolt Server to connect to - type: string - required: - - auth - - host - type: object - passworddepot: - description: PasswordDepotProvider configures a store to sync secrets with a Password Depot instance. - properties: - auth: - description: Auth configures how secret-manager authenticates with a Password Depot instance. - properties: - secretRef: - description: PasswordDepotSecretRef contains the secret reference for Password Depot authentication. - properties: - credentials: - description: Username / Password is used for authentication. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - required: - - secretRef - type: object - database: - description: Database to use as source - type: string - host: - description: URL configures the Password Depot instance URL. - type: string - required: - - auth - - database - - host - type: object - previder: - description: Previder configures this store to sync secrets using the Previder provider - properties: - auth: - description: PreviderAuth contains a secretRef for credentials. - properties: - secretRef: - description: PreviderAuthSecretRef holds secret references for Previder Vault credentials. - properties: - accessToken: - description: The AccessToken is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - accessToken - type: object - type: object - baseUri: - type: string - required: - - auth - type: object - pulumi: - description: Pulumi configures this store to sync secrets using the Pulumi provider - properties: - accessToken: - description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console. - properties: - secretRef: - description: SecretRef is a reference to a secret containing the Pulumi API token. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - apiUrl: - default: https://api.pulumi.com/api/esc - description: APIURL is the URL of the Pulumi API. - type: string - environment: - description: |- - Environment are YAML documents composed of static key-value pairs, programmatic expressions, - dynamically retrieved values from supported providers including all major clouds, - and other Pulumi ESC environments. - To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information. - type: string - organization: - description: |- - Organization are a space to collaborate on shared projects and stacks. - To create a new organization, visit https://app.pulumi.com/ and click "New Organization". - type: string - project: - description: Project is the name of the Pulumi ESC project the environment belongs to. - type: string - required: - - accessToken - - environment - - organization - - project - type: object - scaleway: - description: Scaleway - properties: - accessKey: - description: AccessKey is the non-secret part of the api key. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - apiUrl: - description: APIURL is the url of the api to use. Defaults to https://api.scaleway.com - type: string - projectId: - description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings' - type: string - region: - description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone' - type: string - secretKey: - description: SecretKey is the non-secret part of the api key. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - required: - - accessKey - - projectId - - region - - secretKey - type: object - secretserver: - description: |- - SecretServer configures this store to sync secrets using SecretServer provider - https://docs.delinea.com/online-help/secret-server/start.htm - properties: - domain: - description: Domain is the secret server domain. - type: string - password: - description: Password is the secret server account password. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - serverURL: - description: |- - ServerURL - URL to your secret server installation - type: string - username: - description: Username is the secret server account username. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - required: - - password - - serverURL - - username - type: object - senhasegura: - description: Senhasegura configures this store to sync secrets using senhasegura provider - properties: - auth: - description: Auth defines parameters to authenticate in senhasegura - properties: - clientId: - type: string - clientSecretSecretRef: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - clientId - - clientSecretSecretRef - type: object - ignoreSslCertificate: - default: false - description: IgnoreSslCertificate defines if SSL certificate must be ignored - type: boolean - module: - description: Module defines which senhasegura module should be used to get secrets - type: string - url: - description: URL of senhasegura - type: string - required: - - auth - - module - - url - type: object - vault: - description: Vault configures this store to sync secrets using Hashi provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the Vault server. - properties: - appRole: - description: |- - AppRole authenticates with Vault using the App Role auth mechanism, - with the role and secret stored in a Kubernetes Secret resource. - properties: - path: - default: approle - description: |- - Path where the App Role authentication backend is mounted - in Vault, e.g: "approle" - type: string - roleId: - description: |- - RoleID configured in the App Role authentication backend when setting - up the authentication backend in Vault. - type: string - roleRef: - description: |- - Reference to a key in a Secret that contains the App Role ID used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role id. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - secretRef: - description: |- - Reference to a key in a Secret that contains the App Role secret used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role secret. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - path - - secretRef - type: object - cert: - description: |- - Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate - Cert authentication method - properties: - clientCert: - description: |- - ClientCert is a certificate to authenticate using the Cert Vault - authentication method - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - path: - default: cert - description: |- - Path where the Certificate authentication backend is mounted - in Vault, e.g: "cert" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing client private key to - authenticate with Vault using the Cert authentication method - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - iam: - description: |- - Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials - AWS IAM authentication method - properties: - externalID: - description: AWS External ID set on assumed IAM roles - type: string - jwt: - description: Specify a service account with IRSA enabled - properties: - serviceAccountRef: - description: ServiceAccountSelector is a reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - type: object - path: - description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' - type: string - region: - description: AWS region - type: string - role: - description: This is the AWS role to be assumed before talking to vault - type: string - secretRef: - description: Specify credentials in a Secret object - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - sessionTokenSecretRef: - description: |- - The SessionToken used for authentication - This must be defined if AccessKeyID and SecretAccessKey are temporary credentials - see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - vaultAwsIamServerID: - description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' - type: string - vaultRole: - description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine - type: string - required: - - vaultRole - type: object - jwt: - description: |- - Jwt authenticates with Vault by passing role and JWT token using the - JWT/OIDC authentication method - properties: - kubernetesServiceAccountToken: - description: |- - Optional ServiceAccountToken specifies the Kubernetes service account for which to request - a token for with the `TokenRequest` API. - properties: - audiences: - description: |- - Optional audiences field that will be used to request a temporary Kubernetes service - account token for the service account referenced by `serviceAccountRef`. - Defaults to a single audience `vault` it not specified. - Deprecated: use serviceAccountRef.Audiences instead - items: - type: string - type: array - expirationSeconds: - description: |- - Optional expiration time in seconds that will be used to request a temporary - Kubernetes service account token for the service account referenced by - `serviceAccountRef`. - Deprecated: this will be removed in the future. - Defaults to 10 minutes. - format: int64 - type: integer - serviceAccountRef: - description: Service account field containing the name of a kubernetes ServiceAccount. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - path: - default: jwt - description: |- - Path where the JWT authentication backend is mounted - in Vault, e.g: "jwt" - type: string - role: - description: |- - Role is a JWT role to authenticate using the JWT/OIDC Vault - authentication method - type: string - secretRef: - description: |- - Optional SecretRef that refers to a key in a Secret resource containing JWT token to - authenticate with Vault using the JWT/OIDC authentication method. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - path - type: object - kubernetes: - description: |- - Kubernetes authenticates with Vault by passing the ServiceAccount - token stored in the named Secret resource to the Vault server. - properties: - mountPath: - default: kubernetes - description: |- - Path where the Kubernetes authentication backend is mounted in Vault, e.g: - "kubernetes" - type: string - role: - description: |- - A required field containing the Vault Role to assume. A Role binds a - Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Vault. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Vault. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - required: - - mountPath - - role - type: object - ldap: - description: |- - Ldap authenticates with Vault by passing username/password pair using - the LDAP authentication method - properties: - path: - default: ldap - description: |- - Path where the LDAP authentication backend is mounted - in Vault, e.g: "ldap" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the LDAP - user used to authenticate with Vault using the LDAP authentication - method - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - username: - description: |- - Username is an LDAP username used to authenticate using the LDAP Vault - authentication method - type: string - required: - - path - - username - type: object - namespace: - description: |- - Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. - Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - This will default to Vault.Namespace field if set, or empty otherwise - type: string - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - userPass: - description: UserPass authenticates with Vault by passing username/password pair - properties: - path: - default: userpass - description: |- - Path where the UserPassword authentication backend is mounted - in Vault, e.g: "userpass" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the - user used to authenticate with Vault using the UserPass authentication - method - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - username: - description: |- - Username is a username used to authenticate using the UserPass Vault - authentication method - type: string - required: - - path - - username - type: object - type: object - caBundle: - description: |- - PEM encoded CA bundle used to validate Vault server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Vault server certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the object located at the provider type. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - checkAndSet: - description: |- - CheckAndSet defines the Check-And-Set (CAS) settings for PushSecret operations. - Only applies to Vault KV v2 stores. When enabled, write operations must include - the current version of the secret to prevent unintentional overwrites. - properties: - required: - description: |- - Required when true, all write operations must include a check-and-set parameter. - This helps prevent unintentional overwrites of secrets. - type: boolean - type: object - forwardInconsistent: - description: |- - ForwardInconsistent tells Vault to forward read-after-write requests to the Vault - leader instead of simply retrying within a loop. This can increase performance if - the option is enabled serverside. - https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header - type: boolean - headers: - additionalProperties: - type: string - description: Headers to be added in Vault request - type: object - namespace: - description: |- - Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - type: string - path: - description: |- - Path is the mount path of the Vault KV backend endpoint, e.g: - "secret". The v2 KV secret engine version specific "/data" path suffix - for fetching secrets from Vault is optional and will be appended - if not present in specified path. - type: string - readYourWrites: - description: |- - ReadYourWrites ensures isolated read-after-write semantics by - providing discovered cluster replication states in each request. - More information about eventual consistency in Vault can be found here - https://www.vaultproject.io/docs/enterprise/consistency - type: boolean - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - tls: - description: |- - The configuration used for client side related TLS communication, when the Vault server - requires mutual authentication. Only used if the Server URL is using HTTPS protocol. - This parameter is ignored for plain HTTP protocol connection. - It's worth noting this configuration is different from the "TLS certificates auth method", - which is available under the `auth.cert` section. - properties: - certSecretRef: - description: |- - CertSecretRef is a certificate added to the transport layer - when communicating with the Vault server. - If no key for the Secret is specified, external-secret will default to 'tls.crt'. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - keySecretRef: - description: |- - KeySecretRef to a key in a Secret resource containing client private key - added to the transport layer when communicating with the Vault server. - If no key for the Secret is specified, external-secret will default to 'tls.key'. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - version: - default: v2 - description: |- - Version is the Vault KV secret engine version. This can be either "v1" or - "v2". Version defaults to "v2". - enum: - - v1 - - v2 - type: string - required: - - server - type: object - volcengine: - description: Volcengine configures this store to sync secrets using the Volcengine provider - properties: - auth: - description: |- - Auth defines the authentication method to use. - If not specified, the provider will try to use IRSA (IAM Role for Service Account). - properties: - secretRef: - description: |- - SecretRef defines the static credentials to use for authentication. - If not set, IRSA is used. - properties: - accessKeyID: - description: AccessKeyID is the reference to the secret containing the Access Key ID. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - secretAccessKey: - description: SecretAccessKey is the reference to the secret containing the Secret Access Key. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - token: - description: Token is the reference to the secret containing the STS(Security Token Service) Token. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - accessKeyID - - secretAccessKey - type: object - type: object - region: - description: Region specifies the Volcengine region to connect to. - type: string - required: - - region - type: object - webhook: - description: Webhook configures this store to sync secrets using a generic templated webhook - properties: - auth: - description: Auth specifies a authorization protocol. Only one protocol may be set. - maxProperties: 1 - minProperties: 1 - properties: - ntlm: - description: NTLMProtocol configures the store to use NTLM for auth - properties: - passwordSecret: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - usernameSecret: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - passwordSecret - - usernameSecret - type: object - type: object - body: - description: Body - type: string - caBundle: - description: |- - PEM encoded CA bundle used to validate webhook server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate webhook server certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the object located at the provider type. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: The namespace the Provider type is in. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - headers: - additionalProperties: - type: string - description: Headers - type: object - method: - description: Webhook Method - type: string - result: - description: Result formatting - properties: - jsonPath: - description: Json path of return value - type: string - type: object - secrets: - description: |- - Secrets to fill in templates - These secrets will be passed to the templating function as key value pairs under the given name - items: - description: WebhookSecret defines a secret that will be passed to the webhook request. - properties: - name: - description: Name of this secret in templates - type: string - secretRef: - description: Secret ref to fill in credentials - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - name - - secretRef - type: object - type: array - timeout: - description: Timeout - type: string - url: - description: Webhook url to call - type: string - required: - - url - type: object - yandexcertificatemanager: - description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex.Cloud - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - fetching: - description: FetchingPolicy configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as certificate ID or certificate name - maxProperties: 1 - minProperties: 1 - properties: - byID: - description: ByID configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret ID. - type: object - byName: - description: ByName configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret name. - properties: - folderID: - description: The folder to fetch secrets from - type: string - required: - - folderID - type: object - type: object - required: - - auth - type: object - yandexlockbox: - description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex.Cloud - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - fetching: - description: FetchingPolicy configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret ID or secret name - maxProperties: 1 - minProperties: 1 - properties: - byID: - description: ByID configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret ID. - type: object - byName: - description: ByName configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret name. - properties: - folderID: - description: The folder to fetch secrets from - type: string - required: - - folderID - type: object - type: object - required: - - auth - type: object - type: object - refreshInterval: - description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config. - type: integer - retrySettings: - description: Used to configure http retries if failed - properties: - maxRetries: - format: int32 - type: integer - retryInterval: - type: string - type: object - required: - - provider - type: object - status: - description: SecretStoreStatus defines the observed state of the SecretStore. - properties: - capabilities: - description: SecretStoreCapabilities defines the possible operations a SecretStore can do. - type: string - conditions: - items: - description: SecretStoreStatusCondition contains condition information for a SecretStore. - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - description: SecretStoreConditionType represents the condition of the SecretStore. - type: string - required: - - status - - type - type: object - type: array - type: object - type: object - served: true - storage: true - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - - jsonPath: .status.capabilities - name: Capabilities - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - deprecated: true - name: v1beta1 - schema: - openAPIV3Schema: - description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: SecretStoreSpec defines the desired state of SecretStore. - properties: - conditions: - description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore - items: - description: |- - ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in - for a ClusterSecretStore instance. - properties: - namespaceRegexes: - description: Choose namespaces by using regex matching - items: - type: string - type: array - namespaceSelector: - description: Choose namespace using a labelSelector - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Choose namespaces by name - items: - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: array - type: object - type: array - controller: - description: |- - Used to select the correct ESO controller (think: ingress.ingressClassName) - The ESO controller is instantiated with a specific controller name and filters ES based on this property - type: string - provider: - description: Used to configure the provider. Only one provider may be set - maxProperties: 1 - minProperties: 1 - properties: - akeyless: - description: Akeyless configures this store to sync secrets using Akeyless Vault provider - properties: - akeylessGWApiURL: - description: Akeyless GW API Url from which the secrets to be fetched from. - type: string - authSecretRef: - description: Auth configures how the operator authenticates with Akeyless. - properties: - kubernetesAuth: - description: |- - Kubernetes authenticates with Akeyless by passing the ServiceAccount - token stored in the named Secret resource. - properties: - accessID: - description: the Akeyless Kubernetes auth-method access-id - type: string - k8sConfName: - description: Kubernetes-auth configuration name in Akeyless-Gateway - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Akeyless. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Akeyless. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - required: - - accessID - - k8sConfName - type: object - secretRef: - description: |- - Reference to a Secret that contains the details - to authenticate with Akeyless. - properties: - accessID: - description: The SecretAccessID is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - accessType: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - accessTypeParam: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - type: object - caBundle: - description: |- - PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used - if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Akeyless Gateway certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the object located at the provider type. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - required: - - akeylessGWApiURL - - authSecretRef - type: object - alibaba: - description: Alibaba configures this store to sync secrets using Alibaba Cloud provider - properties: - auth: - description: AlibabaAuth contains a secretRef for credentials. - properties: - rrsa: - description: AlibabaRRSAAuth authenticates against Alibaba using RRSA (Resource-oriented RAM-based Service Authentication). - properties: - oidcProviderArn: - type: string - oidcTokenFilePath: - type: string - roleArn: - type: string - sessionName: - type: string - required: - - oidcProviderArn - - oidcTokenFilePath - - roleArn - - sessionName - type: object - secretRef: - description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - accessKeySecretSecretRef: - description: The AccessKeySecret is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - accessKeyIDSecretRef - - accessKeySecretSecretRef - type: object - type: object - regionID: - description: Alibaba Region to be used for the provider - type: string - required: - - auth - - regionID - type: object - aws: - description: AWS configures this store to sync secrets using AWS Secret Manager provider - properties: - additionalRoles: - description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role - items: - type: string - type: array - auth: - description: |- - Auth defines the information necessary to authenticate against AWS - if not set aws sdk will infer credentials from your environment - see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - properties: - jwt: - description: AWSJWTAuth authenticates against AWS using service account tokens from the Kubernetes cluster. - properties: - serviceAccountRef: - description: ServiceAccountSelector is a reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - type: object - secretRef: - description: |- - AWSAuthSecretRef holds secret references for AWS credentials - both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - sessionTokenSecretRef: - description: |- - The SessionToken used for authentication - This must be defined if AccessKeyID and SecretAccessKey are temporary credentials - see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - type: object - externalID: - description: AWS External ID set on assumed IAM roles - type: string - prefix: - description: Prefix adds a prefix to all retrieved values. - type: string - region: - description: AWS Region to be used for the provider - type: string - role: - description: Role is a Role ARN which the provider will assume - type: string - secretsManager: - description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager - properties: - forceDeleteWithoutRecovery: - description: |- - Specifies whether to delete the secret without any recovery window. You - can't use both this parameter and RecoveryWindowInDays in the same call. - If you don't use either, then by default Secrets Manager uses a 30 day - recovery window. - see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery - type: boolean - recoveryWindowInDays: - description: |- - The number of days from 7 to 30 that Secrets Manager waits before - permanently deleting the secret. You can't use both this parameter and - ForceDeleteWithoutRecovery in the same call. If you don't use either, - then by default Secrets Manager uses a 30 day recovery window. - see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays - format: int64 - type: integer - type: object - service: - description: Service defines which service should be used to fetch the secrets - enum: - - SecretsManager - - ParameterStore - type: string - sessionTags: - description: AWS STS assume role session tags - items: - description: Tag defines a tag key and value for AWS resources. - properties: - key: - type: string - value: - type: string - required: - - key - - value - type: object - type: array - transitiveTagKeys: - description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider - items: - type: string - type: array - required: - - region - - service - type: object - azurekv: - description: AzureKV configures this store to sync secrets using Azure Key Vault provider - properties: - authSecretRef: - description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. - properties: - clientCertificate: - description: The Azure ClientCertificate of the service principle used for authentication. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - clientId: - description: The Azure clientId of the service principle or managed identity used for authentication. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - clientSecret: - description: The Azure ClientSecret of the service principle used for authentication. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - tenantId: - description: The Azure tenantId of the managed identity used for authentication. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - authType: - default: ServicePrincipal - description: |- - Auth type defines how to authenticate to the keyvault service. - Valid values are: - - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) - enum: - - ServicePrincipal - - ManagedIdentity - - WorkloadIdentity - type: string - environmentType: - default: PublicCloud - description: |- - EnvironmentType specifies the Azure cloud environment endpoints to use for - connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. - The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 - PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud - enum: - - PublicCloud - - USGovernmentCloud - - ChinaCloud - - GermanCloud - type: string - identityId: - description: If multiple Managed Identity is assigned to the pod, you can select the one to be used - type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. - type: string - vaultUrl: - description: Vault Url from which the secrets to be fetched from. - type: string - required: - - vaultUrl - type: object - beyondtrust: - description: Beyondtrust configures this store to sync secrets using Password Safe provider. - properties: - auth: - description: Auth configures how the operator authenticates with Beyondtrust. - properties: - apiKey: - description: APIKey If not provided then ClientID/ClientSecret become required. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - certificate: - description: Certificate (cert.pem) for use when authenticating with an OAuth client Id using a Client Certificate. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - certificateKey: - description: Certificate private key (key.pem). For use when authenticating with an OAuth client Id - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - clientId: - description: ClientID is the API OAuth Client ID. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - clientSecret: - description: ClientSecret is the API OAuth Client Secret. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - type: object - server: - description: Auth configures how API server works. - properties: - apiUrl: - type: string - apiVersion: - type: string - clientTimeOutSeconds: - description: Timeout specifies a time limit for requests made by this Client. The timeout includes connection time, any redirects, and reading the response body. Defaults to 45 seconds. - type: integer - retrievalType: - description: The secret retrieval type. SECRET = Secrets Safe (credential, text, file). MANAGED_ACCOUNT = Password Safe account associated with a system. - type: string - separator: - description: A character that separates the folder names. - type: string - verifyCA: - type: boolean - required: - - apiUrl - - verifyCA - type: object - required: - - auth - - server - type: object - bitwardensecretsmanager: - description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider - properties: - apiURL: - type: string - auth: - description: |- - Auth configures how secret-manager authenticates with a bitwarden machine account instance. - Make sure that the token being used has permissions on the given secret. - properties: - secretRef: - description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance. - properties: - credentials: - description: AccessToken used for the bitwarden instance. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - credentials - type: object - required: - - secretRef - type: object - bitwardenServerSDKURL: - type: string - caBundle: - description: |- - Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack - can be performed. - type: string - caProvider: - description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider' - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the object located at the provider type. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - identityURL: - type: string - organizationID: - description: OrganizationID determines which organization this secret store manages. - type: string - projectID: - description: ProjectID determines which project this secret store manages. - type: string - required: - - auth - - organizationID - - projectID - type: object - chef: - description: Chef configures this store to sync secrets with chef server - properties: - auth: - description: Auth defines the information necessary to authenticate against chef Server - properties: - secretRef: - description: ChefAuthSecretRef holds secret references for chef server login credentials. - properties: - privateKeySecretRef: - description: SecretKey is the Signing Key in PEM format, used for authentication. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - privateKeySecretRef - type: object - required: - - secretRef - type: object - serverUrl: - description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/" - type: string - username: - description: UserName should be the user ID on the chef server - type: string - required: - - auth - - serverUrl - - username - type: object - cloudrusm: - description: CloudruSM configures this store to sync secrets using the Cloud.ru Secret Manager provider - properties: - auth: - description: CSMAuth contains a secretRef for credentials. - properties: - secretRef: - description: CSMAuthSecretRef holds secret references for Cloud.ru credentials. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - accessKeySecretSecretRef: - description: The AccessKeySecret is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - accessKeyIDSecretRef - - accessKeySecretSecretRef - type: object - type: object - projectID: - description: ProjectID is the project, which the secrets are stored in. - type: string - required: - - auth - type: object - conjur: - description: Conjur configures this store to sync secrets using conjur provider - properties: - auth: - description: Defines authentication settings for connecting to Conjur. - properties: - apikey: - description: Authenticates with Conjur using an API key. - properties: - account: - description: Account is the Conjur organization account name. - type: string - apiKeyRef: - description: |- - A reference to a specific 'key' containing the Conjur API key - within a Secret resource. In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - userRef: - description: |- - A reference to a specific 'key' containing the Conjur username - within a Secret resource. In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - account - - apiKeyRef - - userRef - type: object - jwt: - description: Jwt enables JWT authentication using Kubernetes service account tokens. - properties: - account: - description: Account is the Conjur organization account name. - type: string - hostId: - description: |- - Optional HostID for JWT authentication. This may be used depending - on how the Conjur JWT authenticator policy is configured. - type: string - secretRef: - description: |- - Optional SecretRef that refers to a key in a Secret resource containing JWT token to - authenticate with Conjur using the JWT authentication method. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - serviceAccountRef: - description: |- - Optional ServiceAccountRef specifies the Kubernetes service account for which to request - a token for with the `TokenRequest` API. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - serviceID: - description: The conjur authn jwt webservice id - type: string - required: - - account - - serviceID - type: object - type: object - caBundle: - description: CABundle is a PEM encoded CA bundle that will be used to validate the Conjur server certificate. - type: string - caProvider: - description: |- - Used to provide custom certificate authority (CA) certificates - for a secret store. The CAProvider points to a Secret or ConfigMap resource - that contains a PEM-encoded certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the object located at the provider type. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - description: URL is the endpoint of the Conjur instance. - type: string - required: - - auth - - url - type: object - delinea: - description: |- - Delinea DevOps Secrets Vault - https://docs.delinea.com/online-help/products/devops-secrets-vault/current - properties: - clientId: - description: ClientID is the non-secret part of the credential. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - clientSecret: - description: ClientSecret is the secret part of the credential. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - tenant: - description: Tenant is the chosen hostname / site name. - type: string - tld: - description: |- - TLD is based on the server location that was chosen during provisioning. - If unset, defaults to "com". - type: string - urlTemplate: - description: |- - URLTemplate - If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". - type: string - required: - - clientId - - clientSecret - - tenant - type: object - device42: - description: Device42 configures this store to sync secrets using the Device42 provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Device42 instance. - properties: - secretRef: - description: Device42SecretRef defines a reference to a secret containing credentials for the Device42 provider. - properties: - credentials: - description: Username / Password is used for authentication. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - required: - - secretRef - type: object - host: - description: URL configures the Device42 instance URL. - type: string - required: - - auth - - host - type: object - doppler: - description: Doppler configures this store to sync secrets using the Doppler provider - properties: - auth: - description: Auth configures how the Operator authenticates with the Doppler API - properties: - secretRef: - description: DopplerAuthSecretRef defines a reference to a secret containing credentials for the Doppler provider. - properties: - dopplerToken: - description: |- - The DopplerToken is used for authentication. - See https://docs.doppler.com/reference/api#authentication for auth token types. - The Key attribute defaults to dopplerToken if not specified. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - dopplerToken - type: object - required: - - secretRef - type: object - config: - description: Doppler config (required if not using a Service Token) - type: string - format: - description: Format enables the downloading of secrets as a file (string) - enum: - - json - - dotnet-json - - env - - yaml - - docker - type: string - nameTransformer: - description: Environment variable compatible name transforms that change secret names to a different format - enum: - - upper-camel - - camel - - lower-snake - - tf-var - - dotnet-env - - lower-kebab - type: string - project: - description: Doppler project (required if not using a Service Token) - type: string - required: - - auth - type: object - fake: - description: Fake configures a store with static key/value pairs - properties: - data: - items: - description: FakeProviderData defines a key-value pair for the fake provider used in testing. - properties: - key: - type: string - value: - type: string - version: - type: string - required: - - key - - value - type: object - type: array - required: - - data - type: object - fortanix: - description: Fortanix configures this store to sync secrets using the Fortanix provider - properties: - apiKey: - description: APIKey is the API token to access SDKMS Applications. - properties: - secretRef: - description: SecretRef is a reference to a secret containing the SDKMS API Key. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - apiUrl: - description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`. - type: string - type: object - gcpsm: - description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider - properties: - auth: - description: Auth defines the information necessary to authenticate against GCP - properties: - secretRef: - description: GCPSMAuthSecretRef defines a reference to a secret containing credentials for the GCP Secret Manager provider. - properties: - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - workloadIdentity: - description: GCPWorkloadIdentity defines configuration for using GCP Workload Identity authentication. - properties: - clusterLocation: - description: |- - ClusterLocation is the location of the cluster - If not specified, it fetches information from the metadata server - type: string - clusterName: - description: |- - ClusterName is the name of the cluster - If not specified, it fetches information from the metadata server - type: string - clusterProjectID: - description: |- - ClusterProjectID is the project ID of the cluster - If not specified, it fetches information from the metadata server - type: string - serviceAccountRef: - description: ServiceAccountSelector is a reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - type: object - location: - description: Location optionally defines a location for a secret - type: string - projectID: - description: ProjectID project where secret is located - type: string - type: object - github: - description: Github configures this store to push Github Action secrets using Github API provider - properties: - appID: - description: appID specifies the Github APP that will be used to authenticate the client - format: int64 - type: integer - auth: - description: auth configures how secret-manager authenticates with a Github instance. - properties: - privateKey: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - privateKey - type: object - environment: - description: environment will be used to fetch secrets from a particular environment within a github repository - type: string - installationID: - description: installationID specifies the Github APP installation that will be used to authenticate the client - format: int64 - type: integer - organization: - description: organization will be used to fetch secrets from the Github organization - type: string - repository: - description: repository will be used to fetch secrets from the Github repository within an organization - type: string - uploadURL: - description: Upload URL for enterprise instances. Default to URL. - type: string - url: - default: https://github.com/ - description: URL configures the Github instance URL. Defaults to https://github.com/. - type: string - required: - - appID - - auth - - installationID - - organization - type: object - gitlab: - description: GitLab configures this store to sync secrets using GitLab Variables provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a GitLab instance. - properties: - SecretRef: - description: GitlabSecretRef defines a reference to a secret containing credentials for the GitLab provider. - properties: - accessToken: - description: AccessToken is used for authentication. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - required: - - SecretRef - type: object - caBundle: - description: |- - Base64 encoded certificate for the GitLab server sdk. The sdk MUST run with HTTPS to make sure no MITM attack - can be performed. - format: byte - type: string - caProvider: - description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider' - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the object located at the provider type. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - environment: - description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments) - type: string - groupIDs: - description: GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables. - items: - type: string - type: array - inheritFromGroups: - description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets. - type: boolean - projectID: - description: ProjectID specifies a project where secrets are located. - type: string - url: - description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/. - type: string - required: - - auth - type: object - ibm: - description: IBM configures this store to sync secrets using IBM Cloud provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the IBM secrets manager. - maxProperties: 1 - minProperties: 1 - properties: - containerAuth: - description: IBMAuthContainerAuth defines authentication using IBM Container-based auth with IAM Trusted Profile. - properties: - iamEndpoint: - type: string - profile: - description: the IBM Trusted Profile - type: string - tokenLocation: - description: Location the token is mounted on the pod - type: string - required: - - profile - type: object - secretRef: - description: IBMAuthSecretRef defines a reference to a secret containing credentials for the IBM provider. - properties: - secretApiKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - type: object - serviceUrl: - description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance - type: string - required: - - auth - type: object - infisical: - description: Infisical configures this store to sync secrets using the Infisical provider - properties: - auth: - description: Auth configures how the Operator authenticates with the Infisical API - properties: - universalAuthCredentials: - description: UniversalAuthCredentials defines the credentials for Infisical Universal Auth. - properties: - clientId: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - clientSecret: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - clientId - - clientSecret - type: object - type: object - hostAPI: - default: https://app.infisical.com/api - description: HostAPI specifies the base URL of the Infisical API. If not provided, it defaults to "https://app.infisical.com/api". - type: string - secretsScope: - description: SecretsScope defines the scope of the secrets within the workspace - properties: - environmentSlug: - description: EnvironmentSlug is the required slug identifier for the environment. - type: string - expandSecretReferences: - default: true - description: ExpandSecretReferences indicates whether secret references should be expanded. Defaults to true if not provided. - type: boolean - projectSlug: - description: ProjectSlug is the required slug identifier for the project. - type: string - recursive: - default: false - description: Recursive indicates whether the secrets should be fetched recursively. Defaults to false if not provided. - type: boolean - secretsPath: - default: / - description: SecretsPath specifies the path to the secrets within the workspace. Defaults to "/" if not provided. - type: string - required: - - environmentSlug - - projectSlug - type: object - required: - - auth - - secretsScope - type: object - keepersecurity: - description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider - properties: - authRef: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - folderID: - type: string - required: - - authRef - - folderID - type: object - kubernetes: - description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Kubernetes instance. - maxProperties: 1 - minProperties: 1 - properties: - cert: - description: has both clientCert and clientKey as secretKeySelector - properties: - clientCert: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - clientKey: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - serviceAccount: - description: points to a service account that should be used for authentication - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - token: - description: use static token to authenticate with - properties: - bearerToken: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - type: object - authRef: - description: A reference to a secret that contains the auth information. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - remoteNamespace: - default: default - description: Remote namespace to fetch the secrets from - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - server: - description: configures the Kubernetes server Address. - properties: - caBundle: - description: CABundle is a base64-encoded CA certificate - format: byte - type: string - caProvider: - description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider' - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the object located at the provider type. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - default: kubernetes.default - description: configures the Kubernetes server Address. - type: string - type: object - type: object - onboardbase: - description: Onboardbase configures this store to sync secrets using the Onboardbase provider - properties: - apiHost: - default: https://public.onboardbase.com/api/v1/ - description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/ - type: string - auth: - description: Auth configures how the Operator authenticates with the Onboardbase API - properties: - apiKeyRef: - description: |- - OnboardbaseAPIKey is the APIKey generated by an admin account. - It is used to recognize and authorize access to a project and environment within onboardbase - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - passcodeRef: - description: OnboardbasePasscode is the passcode attached to the API Key - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - apiKeyRef - - passcodeRef - type: object - environment: - default: development - description: Environment is the name of an environmnent within a project to pull the secrets from - type: string - project: - default: development - description: Project is an onboardbase project that the secrets should be pulled from - type: string - required: - - apiHost - - auth - - environment - - project - type: object - onepassword: - description: OnePassword configures this store to sync secrets using the 1Password Cloud provider - properties: - auth: - description: Auth defines the information necessary to authenticate against OnePassword Connect Server - properties: - secretRef: - description: OnePasswordAuthSecretRef holds secret references for 1Password credentials. - properties: - connectTokenSecretRef: - description: The ConnectToken is used for authentication to a 1Password Connect Server. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - connectTokenSecretRef - type: object - required: - - secretRef - type: object - connectHost: - description: ConnectHost defines the OnePassword Connect Server to connect to - type: string - vaults: - additionalProperties: - type: integer - description: Vaults defines which OnePassword vaults to search in which order - type: object - required: - - auth - - connectHost - - vaults - type: object - oracle: - description: Oracle configures this store to sync secrets using Oracle Vault provider - properties: - auth: - description: |- - Auth configures how secret-manager authenticates with the Oracle Vault. - If empty, use the instance principal, otherwise the user credentials specified in Auth. - properties: - secretRef: - description: SecretRef to pass through sensitive information. - properties: - fingerprint: - description: Fingerprint is the fingerprint of the API private key. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - privatekey: - description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - fingerprint - - privatekey - type: object - tenancy: - description: Tenancy is the tenancy OCID where user is located. - type: string - user: - description: User is an access OCID specific to the account. - type: string - required: - - secretRef - - tenancy - - user - type: object - compartment: - description: |- - Compartment is the vault compartment OCID. - Required for PushSecret - type: string - encryptionKey: - description: |- - EncryptionKey is the OCID of the encryption key within the vault. - Required for PushSecret - type: string - principalType: - description: |- - The type of principal to use for authentication. If left blank, the Auth struct will - determine the principal type. This optional field must be specified if using - workload identity. - enum: - - "" - - UserPrincipal - - InstancePrincipal - - Workload - type: string - region: - description: Region is the region where vault is located. - type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - vault: - description: Vault is the vault's OCID of the specific vault where secret is located. - type: string - required: - - region - - vault - type: object - passbolt: - description: PassboltProvider defines configuration for the Passbolt provider. - properties: - auth: - description: Auth defines the information necessary to authenticate against Passbolt Server - properties: - passwordSecretRef: - description: PasswordSecretRef is a reference to the secret containing the Passbolt password - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - privateKeySecretRef: - description: PrivateKeySecretRef is a reference to the secret containing the Passbolt private key - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - passwordSecretRef - - privateKeySecretRef - type: object - host: - description: Host defines the Passbolt Server to connect to - type: string - required: - - auth - - host - type: object - passworddepot: - description: PasswordDepotProvider configures a store to sync secrets with a Password Depot instance. - properties: - auth: - description: Auth configures how secret-manager authenticates with a Password Depot instance. - properties: - secretRef: - description: PasswordDepotSecretRef defines a reference to a secret containing credentials for the Password Depot provider. - properties: - credentials: - description: Username / Password is used for authentication. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - required: - - secretRef - type: object - database: - description: Database to use as source - type: string - host: - description: URL configures the Password Depot instance URL. - type: string - required: - - auth - - database - - host - type: object - previder: - description: Previder configures this store to sync secrets using the Previder provider - properties: - auth: - description: PreviderAuth contains a secretRef for credentials. - properties: - secretRef: - description: PreviderAuthSecretRef holds secret references for Previder Vault credentials. - properties: - accessToken: - description: The AccessToken is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - accessToken - type: object - type: object - baseUri: - type: string - required: - - auth - type: object - pulumi: - description: Pulumi configures this store to sync secrets using the Pulumi provider - properties: - accessToken: - description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console. - properties: - secretRef: - description: SecretRef is a reference to a secret containing the Pulumi API token. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - apiUrl: - default: https://api.pulumi.com/api/esc - description: APIURL is the URL of the Pulumi API. - type: string - environment: - description: |- - Environment are YAML documents composed of static key-value pairs, programmatic expressions, - dynamically retrieved values from supported providers including all major clouds, - and other Pulumi ESC environments. - To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information. - type: string - organization: - description: |- - Organization are a space to collaborate on shared projects and stacks. - To create a new organization, visit https://app.pulumi.com/ and click "New Organization". - type: string - project: - description: Project is the name of the Pulumi ESC project the environment belongs to. - type: string - required: - - accessToken - - environment - - organization - - project - type: object - scaleway: - description: Scaleway - properties: - accessKey: - description: AccessKey is the non-secret part of the api key. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - apiUrl: - description: APIURL is the url of the api to use. Defaults to https://api.scaleway.com - type: string - projectId: - description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings' - type: string - region: - description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone' - type: string - secretKey: - description: SecretKey is the non-secret part of the api key. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - required: - - accessKey - - projectId - - region - - secretKey - type: object - secretserver: - description: |- - SecretServer configures this store to sync secrets using SecretServer provider - https://docs.delinea.com/online-help/secret-server/start.htm - properties: - password: - description: Password is the secret server account password. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - serverURL: - description: |- - ServerURL - URL to your secret server installation - type: string - username: - description: Username is the secret server account username. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - required: - - password - - serverURL - - username - type: object - senhasegura: - description: Senhasegura configures this store to sync secrets using senhasegura provider - properties: - auth: - description: Auth defines parameters to authenticate in senhasegura - properties: - clientId: - type: string - clientSecretSecretRef: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - clientId - - clientSecretSecretRef - type: object - ignoreSslCertificate: - default: false - description: IgnoreSslCertificate defines if SSL certificate must be ignored - type: boolean - module: - description: Module defines which senhasegura module should be used to get secrets - type: string - url: - description: URL of senhasegura - type: string - required: - - auth - - module - - url - type: object - vault: - description: Vault configures this store to sync secrets using Hashi provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the Vault server. - properties: - appRole: - description: |- - AppRole authenticates with Vault using the App Role auth mechanism, - with the role and secret stored in a Kubernetes Secret resource. - properties: - path: - default: approle - description: |- - Path where the App Role authentication backend is mounted - in Vault, e.g: "approle" - type: string - roleId: - description: |- - RoleID configured in the App Role authentication backend when setting - up the authentication backend in Vault. - type: string - roleRef: - description: |- - Reference to a key in a Secret that contains the App Role ID used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role id. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - secretRef: - description: |- - Reference to a key in a Secret that contains the App Role secret used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role secret. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - path - - secretRef - type: object - cert: - description: |- - Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate - Cert authentication method - properties: - clientCert: - description: |- - ClientCert is a certificate to authenticate using the Cert Vault - authentication method - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - secretRef: - description: |- - SecretRef to a key in a Secret resource containing client private key to - authenticate with Vault using the Cert authentication method - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - iam: - description: |- - Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials - AWS IAM authentication method - properties: - externalID: - description: AWS External ID set on assumed IAM roles - type: string - jwt: - description: Specify a service account with IRSA enabled - properties: - serviceAccountRef: - description: ServiceAccountSelector is a reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - type: object - path: - description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' - type: string - region: - description: AWS region - type: string - role: - description: This is the AWS role to be assumed before talking to vault - type: string - secretRef: - description: Specify credentials in a Secret object - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - sessionTokenSecretRef: - description: |- - The SessionToken used for authentication - This must be defined if AccessKeyID and SecretAccessKey are temporary credentials - see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - vaultAwsIamServerID: - description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' - type: string - vaultRole: - description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine - type: string - required: - - vaultRole - type: object - jwt: - description: |- - Jwt authenticates with Vault by passing role and JWT token using the - JWT/OIDC authentication method - properties: - kubernetesServiceAccountToken: - description: |- - Optional ServiceAccountToken specifies the Kubernetes service account for which to request - a token for with the `TokenRequest` API. - properties: - audiences: - description: |- - Optional audiences field that will be used to request a temporary Kubernetes service - account token for the service account referenced by `serviceAccountRef`. - Defaults to a single audience `vault` it not specified. - Deprecated: use serviceAccountRef.Audiences instead - items: - type: string - type: array - expirationSeconds: - description: |- - Optional expiration time in seconds that will be used to request a temporary - Kubernetes service account token for the service account referenced by - `serviceAccountRef`. - Deprecated: this will be removed in the future. - Defaults to 10 minutes. - format: int64 - type: integer - serviceAccountRef: - description: Service account field containing the name of a kubernetes ServiceAccount. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - path: - default: jwt - description: |- - Path where the JWT authentication backend is mounted - in Vault, e.g: "jwt" - type: string - role: - description: |- - Role is a JWT role to authenticate using the JWT/OIDC Vault - authentication method - type: string - secretRef: - description: |- - Optional SecretRef that refers to a key in a Secret resource containing JWT token to - authenticate with Vault using the JWT/OIDC authentication method. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - path - type: object - kubernetes: - description: |- - Kubernetes authenticates with Vault by passing the ServiceAccount - token stored in the named Secret resource to the Vault server. - properties: - mountPath: - default: kubernetes - description: |- - Path where the Kubernetes authentication backend is mounted in Vault, e.g: - "kubernetes" - type: string - role: - description: |- - A required field containing the Vault Role to assume. A Role binds a - Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Vault. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Vault. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - required: - - mountPath - - role - type: object - ldap: - description: |- - Ldap authenticates with Vault by passing username/password pair using - the LDAP authentication method - properties: - path: - default: ldap - description: |- - Path where the LDAP authentication backend is mounted - in Vault, e.g: "ldap" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the LDAP - user used to authenticate with Vault using the LDAP authentication - method - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - username: - description: |- - Username is an LDAP username used to authenticate using the LDAP Vault - authentication method - type: string - required: - - path - - username - type: object - namespace: - description: |- - Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. - Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - This will default to Vault.Namespace field if set, or empty otherwise - type: string - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - userPass: - description: UserPass authenticates with Vault by passing username/password pair - properties: - path: - default: userpass - description: |- - Path where the UserPassword authentication backend is mounted - in Vault, e.g: "userpass" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the - user used to authenticate with Vault using the UserPass authentication - method - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - username: - description: |- - Username is a username used to authenticate using the UserPass Vault - authentication method - type: string - required: - - path - - username - type: object - type: object - caBundle: - description: |- - PEM encoded CA bundle used to validate Vault server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Vault server certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the object located at the provider type. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - forwardInconsistent: - description: |- - ForwardInconsistent tells Vault to forward read-after-write requests to the Vault - leader instead of simply retrying within a loop. This can increase performance if - the option is enabled serverside. - https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header - type: boolean - headers: - additionalProperties: - type: string - description: Headers to be added in Vault request - type: object - namespace: - description: |- - Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - type: string - path: - description: |- - Path is the mount path of the Vault KV backend endpoint, e.g: - "secret". The v2 KV secret engine version specific "/data" path suffix - for fetching secrets from Vault is optional and will be appended - if not present in specified path. - type: string - readYourWrites: - description: |- - ReadYourWrites ensures isolated read-after-write semantics by - providing discovered cluster replication states in each request. - More information about eventual consistency in Vault can be found here - https://www.vaultproject.io/docs/enterprise/consistency - type: boolean - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - tls: - description: |- - The configuration used for client side related TLS communication, when the Vault server - requires mutual authentication. Only used if the Server URL is using HTTPS protocol. - This parameter is ignored for plain HTTP protocol connection. - It's worth noting this configuration is different from the "TLS certificates auth method", - which is available under the `auth.cert` section. - properties: - certSecretRef: - description: |- - CertSecretRef is a certificate added to the transport layer - when communicating with the Vault server. - If no key for the Secret is specified, external-secret will default to 'tls.crt'. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - keySecretRef: - description: |- - KeySecretRef to a key in a Secret resource containing client private key - added to the transport layer when communicating with the Vault server. - If no key for the Secret is specified, external-secret will default to 'tls.key'. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - version: - default: v2 - description: |- - Version is the Vault KV secret engine version. This can be either "v1" or - "v2". Version defaults to "v2". - enum: - - v1 - - v2 - type: string - required: - - server - type: object - webhook: - description: Webhook configures this store to sync secrets using a generic templated webhook - properties: - auth: - description: Auth specifies a authorization protocol. Only one protocol may be set. - maxProperties: 1 - minProperties: 1 - properties: - ntlm: - description: NTLMProtocol configures the store to use NTLM for auth - properties: - passwordSecret: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - usernameSecret: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - passwordSecret - - usernameSecret - type: object - type: object - body: - description: Body - type: string - caBundle: - description: |- - PEM encoded CA bundle used to validate webhook server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate webhook server certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the object located at the provider type. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: The namespace the Provider type is in. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - headers: - additionalProperties: - type: string - description: Headers - type: object - method: - description: Webhook Method - type: string - result: - description: Result formatting - properties: - jsonPath: - description: Json path of return value - type: string - type: object - secrets: - description: |- - Secrets to fill in templates - These secrets will be passed to the templating function as key value pairs under the given name - items: - description: WebhookSecret defines a secret to be used in webhook templates. - properties: - name: - description: Name of this secret in templates - type: string - secretRef: - description: Secret ref to fill in credentials - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - name - - secretRef - type: object - type: array - timeout: - description: Timeout - type: string - url: - description: Webhook url to call - type: string - required: - - result - - url - type: object - yandexcertificatemanager: - description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Certificate Manager - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - required: - - auth - type: object - yandexlockbox: - description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Lockbox - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - required: - - auth - type: object - type: object - refreshInterval: - description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config. - type: integer - retrySettings: - description: Used to configure http retries if failed - properties: - maxRetries: - description: MaxRetries is the maximum number of retry attempts. - format: int32 - type: integer - retryInterval: - description: RetryInterval is the interval between retry attempts. - type: string - type: object - required: - - provider - type: object - status: - description: SecretStoreStatus defines the observed state of the SecretStore. - properties: - capabilities: - description: SecretStoreCapabilities defines the possible operations a SecretStore can do. - type: string - conditions: - items: - description: SecretStoreStatusCondition defines the observed condition of the SecretStore. - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - description: SecretStoreConditionType represents the condition type of the SecretStore. - type: string - required: - - status - - type - type: object - type: array - type: object - type: object - served: false - storage: false - subresources: - status: {} diff --git a/apps/external-secrets/manifests/CustomResourceDefinition-sshkeys.generators.external-secrets.io b/apps/external-secrets/manifests/CustomResourceDefinition-sshkeys.generators.external-secrets.io deleted file mode 100644 index e7ef711d..00000000 --- a/apps/external-secrets/manifests/CustomResourceDefinition-sshkeys.generators.external-secrets.io +++ /dev/null @@ -1,71 +0,0 @@ ---- -# Source: external-secrets/templates/crds/sshkey.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - labels: - external-secrets.io/component: controller - name: sshkeys.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - external-secrets - - external-secrets-generators - kind: SSHKey - listKind: SSHKeyList - plural: sshkeys - singular: sshkey - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: SSHKey generates SSH key pairs. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: SSHKeySpec controls the behavior of the ssh key generator. - properties: - comment: - description: Comment specifies an optional comment for the SSH key - type: string - keySize: - description: |- - KeySize specifies the key size for RSA keys (default: 2048) - For RSA keys: 2048, 3072, 4096 - Ignored for ed25519 keys - maximum: 8192 - minimum: 256 - type: integer - keyType: - default: rsa - description: KeyType specifies the SSH key type (rsa, ed25519) - enum: - - rsa - - ed25519 - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} diff --git a/apps/external-secrets/manifests/CustomResourceDefinition-stssessiontokens.generators.external-secrets.io b/apps/external-secrets/manifests/CustomResourceDefinition-stssessiontokens.generators.external-secrets.io deleted file mode 100644 index b5d9d061..00000000 --- a/apps/external-secrets/manifests/CustomResourceDefinition-stssessiontokens.generators.external-secrets.io +++ /dev/null @@ -1,207 +0,0 @@ ---- -# Source: external-secrets/templates/crds/stssessiontoken.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - labels: - external-secrets.io/component: controller - name: stssessiontokens.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - external-secrets - - external-secrets-generators - kind: STSSessionToken - listKind: STSSessionTokenList - plural: stssessiontokens - singular: stssessiontoken - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - STSSessionToken uses the GetSessionToken API to retrieve an authorization token. - The authorization token is valid for 12 hours. - The authorizationToken returned is a base64 encoded string that can be decoded. - For more information, see GetSessionToken (https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html). - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: STSSessionTokenSpec defines the desired state to generate an AWS STS session token. - properties: - auth: - description: Auth defines how to authenticate with AWS - properties: - jwt: - description: AWSJWTAuth provides configuration to authenticate against AWS using service account tokens. - properties: - serviceAccountRef: - description: ServiceAccountSelector is a reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - type: object - secretRef: - description: |- - AWSAuthSecretRef holds secret references for AWS credentials - both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - sessionTokenSecretRef: - description: |- - The SessionToken used for authentication - This must be defined if AccessKeyID and SecretAccessKey are temporary credentials - see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - type: object - region: - description: Region specifies the region to operate in. - type: string - requestParameters: - description: RequestParameters contains parameters that can be passed to the STS service. - properties: - serialNumber: - description: |- - SerialNumber is the identification number of the MFA device that is associated with the IAM user who is making - the GetSessionToken call. - Possible values: hardware device (such as GAHT12345678) or an Amazon Resource Name (ARN) for a virtual device - (such as arn:aws:iam::123456789012:mfa/user) - type: string - sessionDuration: - format: int32 - type: integer - tokenCode: - description: TokenCode is the value provided by the MFA device, if MFA is required. - type: string - type: object - role: - description: |- - You can assume a role before making calls to the - desired AWS service. - type: string - required: - - region - type: object - type: object - served: true - storage: true - subresources: - status: {} diff --git a/apps/external-secrets/manifests/CustomResourceDefinition-uuids.generators.external-secrets.io b/apps/external-secrets/manifests/CustomResourceDefinition-uuids.generators.external-secrets.io deleted file mode 100644 index 39e1b572..00000000 --- a/apps/external-secrets/manifests/CustomResourceDefinition-uuids.generators.external-secrets.io +++ /dev/null @@ -1,52 +0,0 @@ ---- -# Source: external-secrets/templates/crds/uuid.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - labels: - external-secrets.io/component: controller - name: uuids.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - external-secrets - - external-secrets-generators - kind: UUID - listKind: UUIDList - plural: uuids - singular: uuid - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: UUID generates a version 1 UUID (e56657e3-764f-11ef-a397-65231a88c216). - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: UUIDSpec controls the behavior of the uuid generator. - type: object - type: object - served: true - storage: true - subresources: - status: {} diff --git a/apps/external-secrets/manifests/CustomResourceDefinition-vaultdynamicsecrets.generators.external-secrets.io b/apps/external-secrets/manifests/CustomResourceDefinition-vaultdynamicsecrets.generators.external-secrets.io deleted file mode 100644 index 3607d78b..00000000 --- a/apps/external-secrets/manifests/CustomResourceDefinition-vaultdynamicsecrets.generators.external-secrets.io +++ /dev/null @@ -1,875 +0,0 @@ ---- -# Source: external-secrets/templates/crds/vaultdynamicsecret.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - labels: - external-secrets.io/component: controller - name: vaultdynamicsecrets.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - external-secrets - - external-secrets-generators - kind: VaultDynamicSecret - listKind: VaultDynamicSecretList - plural: vaultdynamicsecrets - singular: vaultdynamicsecret - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: VaultDynamicSecret represents a generator that can create dynamic secrets from HashiCorp Vault. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: VaultDynamicSecretSpec defines the desired spec of VaultDynamicSecret. - properties: - allowEmptyResponse: - default: false - description: Do not fail if no secrets are found. Useful for requests where no data is expected. - type: boolean - controller: - description: |- - Used to select the correct ESO controller (think: ingress.ingressClassName) - The ESO controller is instantiated with a specific controller name and filters VDS based on this property - type: string - method: - description: Vault API method to use (GET/POST/other) - type: string - parameters: - description: Parameters to pass to Vault write (for non-GET methods) - x-kubernetes-preserve-unknown-fields: true - path: - description: Vault path to obtain the dynamic secret from - type: string - provider: - description: Vault provider common spec - properties: - auth: - description: Auth configures how secret-manager authenticates with the Vault server. - properties: - appRole: - description: |- - AppRole authenticates with Vault using the App Role auth mechanism, - with the role and secret stored in a Kubernetes Secret resource. - properties: - path: - default: approle - description: |- - Path where the App Role authentication backend is mounted - in Vault, e.g: "approle" - type: string - roleId: - description: |- - RoleID configured in the App Role authentication backend when setting - up the authentication backend in Vault. - type: string - roleRef: - description: |- - Reference to a key in a Secret that contains the App Role ID used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role id. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - secretRef: - description: |- - Reference to a key in a Secret that contains the App Role secret used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role secret. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - path - - secretRef - type: object - cert: - description: |- - Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate - Cert authentication method - properties: - clientCert: - description: |- - ClientCert is a certificate to authenticate using the Cert Vault - authentication method - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - path: - default: cert - description: |- - Path where the Certificate authentication backend is mounted - in Vault, e.g: "cert" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing client private key to - authenticate with Vault using the Cert authentication method - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - iam: - description: |- - Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials - AWS IAM authentication method - properties: - externalID: - description: AWS External ID set on assumed IAM roles - type: string - jwt: - description: Specify a service account with IRSA enabled - properties: - serviceAccountRef: - description: ServiceAccountSelector is a reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - type: object - path: - description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' - type: string - region: - description: AWS region - type: string - role: - description: This is the AWS role to be assumed before talking to vault - type: string - secretRef: - description: Specify credentials in a Secret object - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - sessionTokenSecretRef: - description: |- - The SessionToken used for authentication - This must be defined if AccessKeyID and SecretAccessKey are temporary credentials - see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - vaultAwsIamServerID: - description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' - type: string - vaultRole: - description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine - type: string - required: - - vaultRole - type: object - jwt: - description: |- - Jwt authenticates with Vault by passing role and JWT token using the - JWT/OIDC authentication method - properties: - kubernetesServiceAccountToken: - description: |- - Optional ServiceAccountToken specifies the Kubernetes service account for which to request - a token for with the `TokenRequest` API. - properties: - audiences: - description: |- - Optional audiences field that will be used to request a temporary Kubernetes service - account token for the service account referenced by `serviceAccountRef`. - Defaults to a single audience `vault` it not specified. - Deprecated: use serviceAccountRef.Audiences instead - items: - type: string - type: array - expirationSeconds: - description: |- - Optional expiration time in seconds that will be used to request a temporary - Kubernetes service account token for the service account referenced by - `serviceAccountRef`. - Deprecated: this will be removed in the future. - Defaults to 10 minutes. - format: int64 - type: integer - serviceAccountRef: - description: Service account field containing the name of a kubernetes ServiceAccount. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - path: - default: jwt - description: |- - Path where the JWT authentication backend is mounted - in Vault, e.g: "jwt" - type: string - role: - description: |- - Role is a JWT role to authenticate using the JWT/OIDC Vault - authentication method - type: string - secretRef: - description: |- - Optional SecretRef that refers to a key in a Secret resource containing JWT token to - authenticate with Vault using the JWT/OIDC authentication method. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - path - type: object - kubernetes: - description: |- - Kubernetes authenticates with Vault by passing the ServiceAccount - token stored in the named Secret resource to the Vault server. - properties: - mountPath: - default: kubernetes - description: |- - Path where the Kubernetes authentication backend is mounted in Vault, e.g: - "kubernetes" - type: string - role: - description: |- - A required field containing the Vault Role to assume. A Role binds a - Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Vault. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Vault. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - required: - - mountPath - - role - type: object - ldap: - description: |- - Ldap authenticates with Vault by passing username/password pair using - the LDAP authentication method - properties: - path: - default: ldap - description: |- - Path where the LDAP authentication backend is mounted - in Vault, e.g: "ldap" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the LDAP - user used to authenticate with Vault using the LDAP authentication - method - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - username: - description: |- - Username is an LDAP username used to authenticate using the LDAP Vault - authentication method - type: string - required: - - path - - username - type: object - namespace: - description: |- - Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. - Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - This will default to Vault.Namespace field if set, or empty otherwise - type: string - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - userPass: - description: UserPass authenticates with Vault by passing username/password pair - properties: - path: - default: userpass - description: |- - Path where the UserPassword authentication backend is mounted - in Vault, e.g: "userpass" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the - user used to authenticate with Vault using the UserPass authentication - method - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - username: - description: |- - Username is a username used to authenticate using the UserPass Vault - authentication method - type: string - required: - - path - - username - type: object - type: object - caBundle: - description: |- - PEM encoded CA bundle used to validate Vault server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Vault server certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the object located at the provider type. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - checkAndSet: - description: |- - CheckAndSet defines the Check-And-Set (CAS) settings for PushSecret operations. - Only applies to Vault KV v2 stores. When enabled, write operations must include - the current version of the secret to prevent unintentional overwrites. - properties: - required: - description: |- - Required when true, all write operations must include a check-and-set parameter. - This helps prevent unintentional overwrites of secrets. - type: boolean - type: object - forwardInconsistent: - description: |- - ForwardInconsistent tells Vault to forward read-after-write requests to the Vault - leader instead of simply retrying within a loop. This can increase performance if - the option is enabled serverside. - https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header - type: boolean - headers: - additionalProperties: - type: string - description: Headers to be added in Vault request - type: object - namespace: - description: |- - Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - type: string - path: - description: |- - Path is the mount path of the Vault KV backend endpoint, e.g: - "secret". The v2 KV secret engine version specific "/data" path suffix - for fetching secrets from Vault is optional and will be appended - if not present in specified path. - type: string - readYourWrites: - description: |- - ReadYourWrites ensures isolated read-after-write semantics by - providing discovered cluster replication states in each request. - More information about eventual consistency in Vault can be found here - https://www.vaultproject.io/docs/enterprise/consistency - type: boolean - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - tls: - description: |- - The configuration used for client side related TLS communication, when the Vault server - requires mutual authentication. Only used if the Server URL is using HTTPS protocol. - This parameter is ignored for plain HTTP protocol connection. - It's worth noting this configuration is different from the "TLS certificates auth method", - which is available under the `auth.cert` section. - properties: - certSecretRef: - description: |- - CertSecretRef is a certificate added to the transport layer - when communicating with the Vault server. - If no key for the Secret is specified, external-secret will default to 'tls.crt'. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - keySecretRef: - description: |- - KeySecretRef to a key in a Secret resource containing client private key - added to the transport layer when communicating with the Vault server. - If no key for the Secret is specified, external-secret will default to 'tls.key'. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - version: - default: v2 - description: |- - Version is the Vault KV secret engine version. This can be either "v1" or - "v2". Version defaults to "v2". - enum: - - v1 - - v2 - type: string - required: - - server - type: object - resultType: - default: Data - description: |- - Result type defines which data is returned from the generator. - By default, it is the "data" section of the Vault API response. - When using e.g. /auth/token/create the "data" section is empty but - the "auth" section contains the generated token. - Please refer to the vault docs regarding the result data structure. - Additionally, accessing the raw response is possibly by using "Raw" result type. - enum: - - Data - - Auth - - Raw - type: string - retrySettings: - description: Used to configure http retries if failed - properties: - maxRetries: - format: int32 - type: integer - retryInterval: - type: string - type: object - required: - - path - - provider - type: object - type: object - served: true - storage: true - subresources: - status: {} diff --git a/apps/external-secrets/manifests/CustomResourceDefinition-webhooks.generators.external-secrets.io b/apps/external-secrets/manifests/CustomResourceDefinition-webhooks.generators.external-secrets.io deleted file mode 100644 index e3a6c488..00000000 --- a/apps/external-secrets/manifests/CustomResourceDefinition-webhooks.generators.external-secrets.io +++ /dev/null @@ -1,223 +0,0 @@ ---- -# Source: external-secrets/templates/crds/webhook.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - labels: - external-secrets.io/component: controller - name: webhooks.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - external-secrets - - external-secrets-generators - kind: Webhook - listKind: WebhookList - plural: webhooks - singular: webhook - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - Webhook connects to a third party API server to handle the secrets generation - configuration parameters in spec. - You can specify the server, the token, and additional body parameters. - See documentation for the full API specification for requests and responses. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: WebhookSpec controls the behavior of the external generator. Any body parameters should be passed to the server through the parameters field. - properties: - auth: - description: Auth specifies a authorization protocol. Only one protocol may be set. - maxProperties: 1 - minProperties: 1 - properties: - ntlm: - description: NTLMProtocol configures the store to use NTLM for auth - properties: - passwordSecret: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - usernameSecret: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - passwordSecret - - usernameSecret - type: object - type: object - body: - description: Body - type: string - caBundle: - description: |- - PEM encoded CA bundle used to validate webhook server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate webhook server certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the object located at the provider type. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: The namespace the Provider type is in. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - headers: - additionalProperties: - type: string - description: Headers - type: object - method: - description: Webhook Method - type: string - result: - description: Result formatting - properties: - jsonPath: - description: Json path of return value - type: string - type: object - secrets: - description: |- - Secrets to fill in templates - These secrets will be passed to the templating function as key value pairs under the given name - items: - description: WebhookSecret defines a secret reference that will be used in webhook templates. - properties: - name: - description: Name of this secret in templates - type: string - secretRef: - description: Secret ref to fill in credentials - properties: - key: - description: The key where the token is found. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - type: object - required: - - name - - secretRef - type: object - type: array - timeout: - description: Timeout - type: string - url: - description: Webhook url to call - type: string - required: - - result - - url - type: object - type: object - served: true - storage: true - subresources: - status: {}