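---
# CustomResourceDefinition for ClusterExternalSecret (group external-secrets.io,
# version v1beta1). Per the field descriptions below, one object of this kind
# describes ExternalSecrets to be created in every Namespace chosen by
# spec.namespaceSelector, spec.namespaceSelectors or spec.namespaces.
#
# Review note: a single object fans a secret definition out to many
# namespaces, so create/update/patch rights on this kind are effectively a
# cluster-wide privilege and should be granted narrowly.
#
# The listing this was taken from had viewer line numbers fused into every
# line and the nesting collapsed; the numbers are dropped and the indentation
# restored here. Keys, values and description texts are unchanged.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    # NOTE(review): the generator version is not recorded in this copy.
    controller-gen.kubebuilder.io/version: (unknown)
  name: clusterexternalsecrets.external-secrets.io
spec:
  group: external-secrets.io
  names:
    categories:
    - externalsecrets
    kind: ClusterExternalSecret
    listKind: ClusterExternalSecretList
    plural: clusterexternalsecrets
    shortNames:
    - ces
    singular: clusterexternalsecret
  # Cluster scope: objects of this kind are not namespaced, so access to them
  # is granted through ClusterRoles rather than namespace-scoped Roles.
  scope: Cluster
  versions:
  - additionalPrinterColumns:
    - jsonPath: .spec.externalSecretSpec.secretStoreRef.name
      name: Store
      type: string
    - jsonPath: .spec.refreshTime
      name: Refresh Interval
      type: string
    - jsonPath: .status.conditions[?(@.type=="Ready")].status
      name: Ready
      type: string
    name: v1beta1
    schema:
      openAPIV3Schema:
        description: ClusterExternalSecret is the Schema for the clusterexternalsecrets
          API.
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
          spec:
            description: ClusterExternalSecretSpec defines the desired state of ClusterExternalSecret.
            properties:
              externalSecretMetadata:
                description: The metadata of the external secrets to be created
                properties:
                  annotations:
                    additionalProperties:
                      type: string
                    type: object
                  labels:
                    additionalProperties:
                      type: string
                    type: object
                type: object
              externalSecretName:
                description: The name of the external secrets to be created defaults
                  to the name of the ClusterExternalSecret
                type: string
              externalSecretSpec:
                description: The spec for the ExternalSecrets to be created
                properties:
                  data:
                    description: Data defines the connection between the Kubernetes
                      Secret keys and the Provider data
                    items:
                      description: ExternalSecretData defines the connection between
                        the Kubernetes Secret key (spec.data.<key>) and the Provider
                        data.
                      properties:
                        remoteRef:
                          description: |-
                            RemoteRef points to the remote secret and defines
                            which secret (version/property/..) to fetch.
                          properties:
                            conversionStrategy:
                              default: Default
                              description: Used to define a conversion Strategy
                              enum:
                              - Default
                              - Unicode
                              type: string
                            decodingStrategy:
                              default: None
                              description: Used to define a decoding Strategy
                              enum:
                              - Auto
                              - Base64
                              - Base64URL
                              - None
                              type: string
                            key:
                              description: Key is the key used in the Provider, mandatory
                              type: string
                            metadataPolicy:
                              default: None
                              description: Policy for fetching tags/labels from provider
                                secrets, possible options are Fetch, None. Defaults
                                to None
                              enum:
                              - None
                              - Fetch
                              type: string
                            property:
                              description: Used to select a specific property of the
                                Provider value (if a map), if supported
                              type: string
                            version:
                              description: Used to select a specific version of the
                                Provider value, if supported
                              type: string
                          required:
                          - key
                          type: object
                        secretKey:
                          description: |-
                            SecretKey defines the key in which the controller stores
                            the value. This is the key in the Kind=Secret
                          type: string
                        sourceRef:
                          description: |-
                            SourceRef allows you to override the source
                            from which the value will pulled from.
                          # maxProperties: 1 admits only one of generatorRef / storeRef.
                          maxProperties: 1
                          properties:
                            generatorRef:
                              description: |-
                                GeneratorRef points to a generator custom resource.


                                Deprecated: The generatorRef is not implemented in .data[].
                                this will be removed with v1.
                              properties:
                                apiVersion:
                                  default: generators.external-secrets.io/v1alpha1
                                  description: Specify the apiVersion of the generator
                                    resource
                                  type: string
                                kind:
                                  description: Specify the Kind of the resource, e.g.
                                    Password, ACRAccessToken etc.
                                  type: string
                                name:
                                  description: Specify the name of the generator resource
                                  type: string
                              required:
                              - kind
                              - name
                              type: object
                            storeRef:
                              description: SecretStoreRef defines which SecretStore
                                to fetch the ExternalSecret data.
                              properties:
                                kind:
                                  description: |-
                                    Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
                                    Defaults to `SecretStore`
                                  type: string
                                name:
                                  description: Name of the SecretStore resource
                                  type: string
                              required:
                              - name
                              type: object
                          type: object
                      required:
                      - remoteRef
                      - secretKey
                      type: object
                    type: array
                  dataFrom:
                    description: |-
                      DataFrom is used to fetch all properties from a specific Provider data
                      If multiple entries are specified, the Secret keys are merged in the specified order
                    items:
                      properties:
                        extract:
                          description: |-
                            Used to extract multiple key/value pairs from one secret
                            Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
                          properties:
                            conversionStrategy:
                              default: Default
                              description: Used to define a conversion Strategy
                              enum:
                              - Default
                              - Unicode
                              type: string
                            decodingStrategy:
                              default: None
                              description: Used to define a decoding Strategy
                              enum:
                              - Auto
                              - Base64
                              - Base64URL
                              - None
                              type: string
                            key:
                              description: Key is the key used in the Provider, mandatory
                              type: string
                            metadataPolicy:
                              default: None
                              description: Policy for fetching tags/labels from provider
                                secrets, possible options are Fetch, None. Defaults
                                to None
                              enum:
                              - None
                              - Fetch
                              type: string
                            property:
                              description: Used to select a specific property of the
                                Provider value (if a map), if supported
                              type: string
                            version:
                              description: Used to select a specific version of the
                                Provider value, if supported
                              type: string
                          required:
                          - key
                          type: object
                        # find selects provider secrets by name regexp, path and
                        # tags rather than by one explicit key. A broad pattern
                        # copies every matching provider secret into the target
                        # Secret of each selected namespace, so keep the pattern,
                        # path and tags as specific as the use case allows.
                        find:
                          description: |-
                            Used to find secrets based on tags or regular expressions
                            Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
                          properties:
                            conversionStrategy:
                              default: Default
                              description: Used to define a conversion Strategy
                              enum:
                              - Default
                              - Unicode
                              type: string
                            decodingStrategy:
                              default: None
                              description: Used to define a decoding Strategy
                              enum:
                              - Auto
                              - Base64
                              - Base64URL
                              - None
                              type: string
                            name:
                              description: Finds secrets based on the name.
                              properties:
                                # NOTE(review): the description below is cut
                                # short in the schema as published; from the key
                                # name this is presumably the regular expression
                                # matched against secret names.
                                regexp:
                                  description: Finds secrets base
                                  type: string
                              type: object
                            path:
                              description: A root path to start the find operations.
                              type: string
                            tags:
                              additionalProperties:
                                type: string
                              description: Find secrets based on tags.
                              type: object
                          type: object
                        rewrite:
                          description: |-
                            Used to rewrite secret Keys after getting them from the secret Provider
                            Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
                          items:
                            properties:
                              regexp:
                                description: |-
                                  Used to rewrite with regular expressions.
                                  The resulting key will be the output of a regexp.ReplaceAll operation.
                                properties:
                                  source:
                                    description: Used to define the regular expression
                                      of a re.Compiler.
                                    type: string
                                  target:
                                    description: Used to define the target pattern
                                      of a ReplaceAll operation.
                                    type: string
                                required:
                                - source
                                - target
                                type: object
                              transform:
                                description: |-
                                  Used to apply string transformation on the secrets.
                                  The resulting key will be the output of the template applied by the operation.
                                properties:
                                  template:
                                    description: |-
                                      Used to define the template to apply on the secret name.
                                      `.value ` will specify the secret name in the template.
                                    type: string
                                required:
                                - template
                                type: object
                            type: object
                          type: array
                        sourceRef:
                          description: |-
                            SourceRef points to a store or generator
                            which contains secret values ready to use.
                            Use this in combination with Extract or Find pull values out of
                            a specific SecretStore.
                            When sourceRef points to a generator Extract or Find is not supported.
                            The generator returns a static map of values
                          # maxProperties: 1 admits only one of generatorRef / storeRef.
                          maxProperties: 1
                          properties:
                            generatorRef:
                              description: GeneratorRef points to a generator custom
                                resource.
                              properties:
                                apiVersion:
                                  default: generators.external-secrets.io/v1alpha1
                                  description: Specify the apiVersion of the generator
                                    resource
                                  type: string
                                kind:
                                  description: Specify the Kind of the resource, e.g.
                                    Password, ACRAccessToken etc.
                                  type: string
                                name:
                                  description: Specify the name of the generator resource
                                  type: string
                              required:
                              - kind
                              - name
                              type: object
                            storeRef:
                              description: SecretStoreRef defines which SecretStore
                                to fetch the ExternalSecret data.
                              properties:
                                kind:
                                  description: |-
                                    Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
                                    Defaults to `SecretStore`
                                  type: string
                                name:
                                  description: Name of the SecretStore resource
                                  type: string
                              required:
                              - name
                              type: object
                          type: object
                      type: object
                    type: array
                  # The description allows zero, meaning "fetch and create it
                  # once". With that setting a value rotated or revoked at the
                  # provider is presumably not picked up by later refreshes, so
                  # use it only for secrets that never change.
                  refreshInterval:
                    default: 1h
                    description: |-
                      RefreshInterval is the amount of time before the values are read again from the SecretStore provider
                      Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
                      May be set to zero to fetch and create it once. Defaults to 1h.
                    type: string
                  # The same store reference is copied into every generated
                  # ExternalSecret. Confirm that the referenced store
                  # (SecretStore or ClusterSecretStore) is one that all selected
                  # namespaces are meant to read from.
                  secretStoreRef:
                    description: SecretStoreRef defines which SecretStore to fetch
                      the ExternalSecret data.
                    properties:
                      kind:
                        description: |-
                          Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
                          Defaults to `SecretStore`
                        type: string
                      name:
                        description: Name of the SecretStore resource
                        type: string
                    required:
                    - name
                    type: object
                  target:
                    default:
                      creationPolicy: Owner
                      deletionPolicy: Retain
                    description: |-
                      ExternalSecretTarget defines the Kubernetes Secret to be created
                      There can be only one target per ExternalSecret.
                    properties:
                      # NOTE(review): the schema only lists the values. Confirm
                      # in the controller documentation how Orphan, Merge and
                      # None treat a Secret that already exists or is not owned
                      # before combining them with cluster-wide selectors.
                      creationPolicy:
                        default: Owner
                        description: |-
                          CreationPolicy defines rules on how to create the resulting Secret
                          Defaults to 'Owner'
                        enum:
                        - Owner
                        - Orphan
                        - Merge
                        - None
                        type: string
                      # NOTE(review): with the default Retain the Secret is
                      # presumably left in place. Plan how stale credentials
                      # are removed from namespaces that no longer need them.
                      deletionPolicy:
                        default: Retain
                        description: |-
                          DeletionPolicy defines rules on how to delete the resulting Secret
                          Defaults to 'Retain'
                        enum:
                        - Delete
                        - Merge
                        - Retain
                        type: string
                      immutable:
                        description: Immutable defines if the final secret will be
                          immutable
                        type: boolean
                      name:
                        description: |-
                          Name defines the name of the Secret resource to be managed
                          This field is immutable
                          Defaults to the .metadata.name of the ExternalSecret resource
                        type: string
                      template:
                        description: Template defines a blueprint for the created
                          Secret resource.
                        properties:
                          data:
                            additionalProperties:
                              type: string
                            type: object
                          engineVersion:
                            default: v2
                            description: |-
                              EngineVersion specifies the template engine version
                              that should be used to compile/execute the
                              template specified in .data and .templateFrom[].
                            enum:
                            - v1
                            - v2
                            type: string
                          mergePolicy:
                            default: Replace
                            enum:
                            - Replace
                            - Merge
                            type: string
                          metadata:
                            description: ExternalSecretTemplateMetadata defines metadata
                              fields for the Secret blueprint.
                            properties:
                              annotations:
                                additionalProperties:
                                  type: string
                                type: object
                              labels:
                                additionalProperties:
                                  type: string
                                type: object
                            type: object
                          # Template text can be loaded from a ConfigMap or a
                          # Secret referenced by name, and target lets it render
                          # into Data, Annotations or Labels. Whoever can modify
                          # the referenced object influences what is rendered,
                          # so restrict write access to it accordingly.
                          templateFrom:
                            items:
                              properties:
                                configMap:
                                  properties:
                                    items:
                                      items:
                                        properties:
                                          key:
                                            type: string
                                          templateAs:
                                            default: Values
                                            enum:
                                            - Values
                                            - KeysAndValues
                                            type: string
                                        required:
                                        - key
                                        type: object
                                      type: array
                                    name:
                                      type: string
                                  required:
                                  - items
                                  - name
                                  type: object
                                literal:
                                  type: string
                                secret:
                                  properties:
                                    items:
                                      items:
                                        properties:
                                          key:
                                            type: string
                                          templateAs:
                                            default: Values
                                            enum:
                                            - Values
                                            - KeysAndValues
                                            type: string
                                        required:
                                        - key
                                        type: object
                                      type: array
                                    name:
                                      type: string
                                  required:
                                  - items
                                  - name
                                  type: object
                                target:
                                  default: Data
                                  enum:
                                  - Data
                                  - Annotations
                                  - Labels
                                  type: string
                              type: object
                            type: array
                          type:
                            type: string
                        type: object
                    type: object
                type: object
              # Namespace selection (this field, namespaceSelectors and
              # namespaces) decides where the secret material is delivered.
              # Labels are the opt-in: any principal able to set labels on a
              # Namespace can make it match a selector, so restrict who may
              # label namespaces and choose labels that are not user-writable.
              namespaceSelector:
                description: |-
                  The labels to select by to find the Namespaces to create the ExternalSecrets in.
                  Deprecated: Use NamespaceSelectors instead.
                properties:
                  matchExpressions:
                    description: matchExpressions is a list of label selector requirements.
                      The requirements are ANDed.
                    items:
                      description: |-
                        A label selector requirement is a selector that contains values, a key, and an operator that
                        relates the key and values.
                      properties:
                        key:
                          description: key is the label key that the selector applies
                            to.
                          type: string
                        operator:
                          description: |-
                            operator represents a key's relationship to a set of values.
                            Valid operators are In, NotIn, Exists and DoesNotExist.
                          type: string
                        values:
                          description: |-
                            values is an array of string values. If the operator is In or NotIn,
                            the values array must be non-empty. If the operator is Exists or DoesNotExist,
                            the values array must be empty. This array is replaced during a strategic
                            merge patch.
                          items:
                            type: string
                          type: array
                          x-kubernetes-list-type: atomic
                      required:
                      - key
                      - operator
                      type: object
                    type: array
                    x-kubernetes-list-type: atomic
                  matchLabels:
                    additionalProperties:
                      type: string
                    description: |-
                      matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                      map is equivalent to an element of matchExpressions, whose key field is "key", the
                      operator is "In", and the values array contains only "value". The requirements are ANDed.
                    type: object
                type: object
                x-kubernetes-map-type: atomic
              # The item description states that an empty label selector
              # matches all objects, so a single empty entry ({}) in this list
              # selects every Namespace. Entries are ORed, which means one
              # over-broad entry widens the whole selection.
              namespaceSelectors:
                description: A list of labels to select by to find the Namespaces
                  to create the ExternalSecrets in. The selectors are ORed.
                items:
                  description: |-
                    A label selector is a label query over a set of resources. The result of matchLabels and
                    matchExpressions are ANDed. An empty label selector matches all objects. A null
                    label selector matches no objects.
                  properties:
                    matchExpressions:
                      description: matchExpressions is a list of label selector requirements.
                        The requirements are ANDed.
                      items:
                        description: |-
                          A label selector requirement is a selector that contains values, a key, and an operator that
                          relates the key and values.
                        properties:
                          key:
                            description: key is the label key that the selector applies
                              to.
                            type: string
                          operator:
                            description: |-
                              operator represents a key's relationship to a set of values.
                              Valid operators are In, NotIn, Exists and DoesNotExist.
                            type: string
                          values:
                            description: |-
                              values is an array of string values. If the operator is In or NotIn,
                              the values array must be non-empty. If the operator is Exists or DoesNotExist,
                              the values array must be empty. This array is replaced during a strategic
                              merge patch.
                            items:
                              type: string
                            type: array
                            x-kubernetes-list-type: atomic
                        required:
                        - key
                        - operator
                        type: object
                      type: array
                      x-kubernetes-list-type: atomic
                    matchLabels:
                      additionalProperties:
                        type: string
                      description: |-
                        matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                        map is equivalent to an element of matchExpressions, whose key field is "key", the
                        operator is "In", and the values array contains only "value". The requirements are ANDed.
                      type: object
                  type: object
                  x-kubernetes-map-type: atomic
                type: array
              # Names listed here are added to whatever the selectors match
              # (ORed), so they widen the target set and never narrow it.
              namespaces:
                description: Choose namespaces by name. This field is ORed with anything
                  that NamespaceSelector ends up choosing.
                items:
                  type: string
                type: array
              refreshTime:
                description: The time in which the controller should reconcile its
                  objects and recheck namespaces for labels.
                type: string
            required:
            - externalSecretSpec
            type: object
          status:
            description: ClusterExternalSecretStatus defines the observed state of
              ClusterExternalSecret.
            properties:
              conditions:
                items:
                  properties:
                    message:
                      type: string
                    status:
                      type: string
                    type:
                      type: string
                  required:
                  - status
                  - type
                  type: object
                type: array
              externalSecretName:
                description: ExternalSecretName is the name of the ExternalSecrets
                  created by the ClusterExternalSecret
                type: string
              failedNamespaces:
                description: Failed namespaces are the namespaces that failed to apply
                  an ExternalSecret
                items:
                  description: ClusterExternalSecretNamespaceFailure represents a
                    failed namespace deployment and it's reason.
                  properties:
                    namespace:
                      description: Namespace is the namespace that failed when trying
                        to apply an ExternalSecret
                      type: string
                    reason:
                      description: Reason is why the ExternalSecret failed to apply
                        to the namespace
                      type: string
                  required:
                  - namespace
                  type: object
                type: array
              # Records where secrets were actually delivered. Comparing this
              # list with the intended namespaces is a cheap way to detect a
              # selector that matches more than expected.
              provisionedNamespaces:
                description: ProvisionedNamespaces are the namespaces where the ClusterExternalSecret
                  has secrets
                items:
                  type: string
                type: array
            type: object
        type: object
    served: true
    storage: true
    subresources:
      status: {}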