1---
2apiVersion: apiextensions.k8s.io/v1
3kind: CustomResourceDefinition
4metadata:
5 annotations:
6 controller-gen.kubebuilder.io/version: (unknown)
7 name: clustersecretstores.external-secrets.io
8spec:
9 group: external-secrets.io
10 names:
11 categories:
12 - externalsecrets
13 kind: ClusterSecretStore
14 listKind: ClusterSecretStoreList
15 plural: clustersecretstores
16 shortNames:
17 - css
18 singular: clustersecretstore
19 scope: Cluster
20 versions:
21 - additionalPrinterColumns:
22 - jsonPath: .metadata.creationTimestamp
23 name: AGE
24 type: date
25 - jsonPath: .status.conditions[?(@.type=="Ready")].reason
26 name: Status
27 type: string
28 deprecated: true
29 name: v1alpha1
30 schema:
31 openAPIV3Schema:
32 description: ClusterSecretStore represents a secure external location for
33 storing secrets, which can be referenced as part of `storeRef` fields.
34 properties:
35 apiVersion:
36 description: |-
37 APIVersion defines the versioned schema of this representation of an object.
38 Servers should convert recognized schemas to the latest internal value, and
39 may reject unrecognized values.
40 More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
41 type: string
42 kind:
43 description: |-
44 Kind is a string value representing the REST resource this object represents.
45 Servers may infer this from the endpoint the client submits requests to.
46 Cannot be updated.
47 In CamelCase.
48 More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
49 type: string
50 metadata:
51 type: object
52 spec:
53 description: SecretStoreSpec defines the desired state of SecretStore.
54 properties:
55 controller:
56 description: |-
57 Used to select the correct ESO controller (think: ingress.ingressClassName)
58 The ESO controller is instantiated with a specific controller name and filters ES based on this property
59 type: string
60 provider:
61 description: Used to configure the provider. Only one provider may
62 be set
63 maxProperties: 1
64 minProperties: 1
65 properties:
66 akeyless:
67 description: Akeyless configures this store to sync secrets using
68 Akeyless Vault provider
69 properties:
70 akeylessGWApiURL:
71 description: Akeyless GW API URL from which the secrets are to
72 be fetched.
73 type: string
74 authSecretRef:
75 description: Auth configures how the operator authenticates
76 with Akeyless.
77 properties:
78 kubernetesAuth:
79 description: |-
80 Kubernetes authenticates with Akeyless by passing the ServiceAccount
81 token stored in the named Secret resource.
82 properties:
83 accessID:
84 description: the Akeyless Kubernetes auth-method access-id
85 type: string
86 k8sConfName:
87 description: Kubernetes-auth configuration name in
88 Akeyless-Gateway
89 type: string
90 secretRef:
91 description: |-
92 Optional secret field containing a Kubernetes ServiceAccount JWT used
93 for authenticating with Akeyless. If a name is specified without a key,
94 `token` is the default. If one is not specified, the one bound to
95 the controller will be used.
96 properties:
97 key:
98 description: |-
99 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
100 defaulted, in others it may be required.
101 type: string
102 name:
103 description: The name of the Secret resource being
104 referred to.
105 type: string
106 namespace:
107 description: |-
108 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
109 to the namespace of the referent.
110 type: string
111 type: object
112 serviceAccountRef:
113 description: |-
114 Optional service account field containing the name of a kubernetes ServiceAccount.
115 If the service account is specified, the service account secret token JWT will be used
116 for authenticating with Akeyless. If the service account selector is not supplied,
117 the secretRef will be used instead.
118 properties:
119 audiences:
120 description: |-
121 Audience specifies the `aud` claim for the service account token
122 If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
123 then these audiences will be appended to the list
124 items:
125 type: string
126 type: array
127 name:
128 description: The name of the ServiceAccount resource
129 being referred to.
130 type: string
131 namespace:
132 description: |-
133 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
134 to the namespace of the referent.
135 type: string
136 required:
137 - name
138 type: object
139 required:
140 - accessID
141 - k8sConfName
142 type: object
143 secretRef:
144 description: |-
145 Reference to a Secret that contains the details
146 to authenticate with Akeyless.
147 properties:
148 accessID:
149 description: The SecretAccessID is used for authentication
150 properties:
151 key:
152 description: |-
153 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
154 defaulted, in others it may be required.
155 type: string
156 name:
157 description: The name of the Secret resource being
158 referred to.
159 type: string
160 namespace:
161 description: |-
162 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
163 to the namespace of the referent.
164 type: string
165 type: object
166 accessType:
167 description: |-
168 A reference to a specific 'key' within a Secret resource,
169 In some instances, `key` is a required field.
170 properties:
171 key:
172 description: |-
173 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
174 defaulted, in others it may be required.
175 type: string
176 name:
177 description: The name of the Secret resource being
178 referred to.
179 type: string
180 namespace:
181 description: |-
182 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
183 to the namespace of the referent.
184 type: string
185 type: object
186 accessTypeParam:
187 description: |-
188 A reference to a specific 'key' within a Secret resource,
189 In some instances, `key` is a required field.
190 properties:
191 key:
192 description: |-
193 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
194 defaulted, in others it may be required.
195 type: string
196 name:
197 description: The name of the Secret resource being
198 referred to.
199 type: string
200 namespace:
201 description: |-
202 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
203 to the namespace of the referent.
204 type: string
205 type: object
206 type: object
207 type: object
208 caBundle:
209 description: |-
210 PEM/base64-encoded CA bundle used to validate the Akeyless Gateway certificate. Only used
211 if the AkeylessGWApiURL is using the HTTPS protocol. If not set, the system root certificates
212 are used to validate the TLS connection.
213 format: byte
214 type: string
215 caProvider:
216 description: The provider for the CA bundle to use to validate
217 Akeyless Gateway certificate.
218 properties:
219 key:
220 description: The key the value inside of the provider
221 type to use, only used with "Secret" type
222 type: string
223 name:
224 description: The name of the object located at the provider
225 type.
226 type: string
227 namespace:
228 description: The namespace the Provider type is in.
229 type: string
230 type:
231 description: The type of provider to use such as "Secret",
232 or "ConfigMap".
233 enum:
234 - Secret
235 - ConfigMap
236 type: string
237 required:
238 - name
239 - type
240 type: object
241 required:
242 - akeylessGWApiURL
243 - authSecretRef
244 type: object
245 alibaba:
246 description: Alibaba configures this store to sync secrets using
247 Alibaba Cloud provider
248 properties:
249 auth:
250 description: AlibabaAuth contains a secretRef for credentials.
251 properties:
252 rrsa:
253 description: Authenticate against Alibaba using RRSA.
254 properties:
255 oidcProviderArn:
256 type: string
257 oidcTokenFilePath:
258 type: string
259 roleArn:
260 type: string
261 sessionName:
262 type: string
263 required:
264 - oidcProviderArn
265 - oidcTokenFilePath
266 - roleArn
267 - sessionName
268 type: object
269 secretRef:
270 description: AlibabaAuthSecretRef holds secret references
271 for Alibaba credentials.
272 properties:
273 accessKeyIDSecretRef:
274 description: The AccessKeyID is used for authentication
275 properties:
276 key:
277 description: |-
278 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
279 defaulted, in others it may be required.
280 type: string
281 name:
282 description: The name of the Secret resource being
283 referred to.
284 type: string
285 namespace:
286 description: |-
287 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
288 to the namespace of the referent.
289 type: string
290 type: object
291 accessKeySecretSecretRef:
292 description: The AccessKeySecret is used for authentication
293 properties:
294 key:
295 description: |-
296 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
297 defaulted, in others it may be required.
298 type: string
299 name:
300 description: The name of the Secret resource being
301 referred to.
302 type: string
303 namespace:
304 description: |-
305 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
306 to the namespace of the referent.
307 type: string
308 type: object
309 required:
310 - accessKeyIDSecretRef
311 - accessKeySecretSecretRef
312 type: object
313 type: object
314 regionID:
315 description: Alibaba Region to be used for the provider
316 type: string
317 required:
318 - auth
319 - regionID
320 type: object
321 aws:
322 description: AWS configures this store to sync secrets using AWS
323 Secret Manager provider
324 properties:
325 auth:
326 description: |-
327 Auth defines the information necessary to authenticate against AWS
328 if not set aws sdk will infer credentials from your environment
329 see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
330 properties:
331 jwt:
332 description: Authenticate against AWS using service account
333 tokens.
334 properties:
335 serviceAccountRef:
336 description: A reference to a ServiceAccount resource.
337 properties:
338 audiences:
339 description: |-
340 Audience specifies the `aud` claim for the service account token
341 If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
342 then these audiences will be appended to the list
343 items:
344 type: string
345 type: array
346 name:
347 description: The name of the ServiceAccount resource
348 being referred to.
349 type: string
350 namespace:
351 description: |-
352 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
353 to the namespace of the referent.
354 type: string
355 required:
356 - name
357 type: object
358 type: object
359 secretRef:
360 description: |-
361 AWSAuthSecretRef holds secret references for AWS credentials
362 both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
363 properties:
364 accessKeyIDSecretRef:
365 description: The AccessKeyID is used for authentication
366 properties:
367 key:
368 description: |-
369 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
370 defaulted, in others it may be required.
371 type: string
372 name:
373 description: The name of the Secret resource being
374 referred to.
375 type: string
376 namespace:
377 description: |-
378 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
379 to the namespace of the referent.
380 type: string
381 type: object
382 secretAccessKeySecretRef:
383 description: The SecretAccessKey is used for authentication
384 properties:
385 key:
386 description: |-
387 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
388 defaulted, in others it may be required.
389 type: string
390 name:
391 description: The name of the Secret resource being
392 referred to.
393 type: string
394 namespace:
395 description: |-
396 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
397 to the namespace of the referent.
398 type: string
399 type: object
400 type: object
401 type: object
402 region:
403 description: AWS Region to be used for the provider
404 type: string
405 role:
406 description: Role is a Role ARN which the SecretManager provider
407 will assume
408 type: string
409 service:
410 description: Service defines which service should be used
411 to fetch the secrets
412 enum:
413 - SecretsManager
414 - ParameterStore
415 type: string
416 required:
417 - region
418 - service
419 type: object
420 azurekv:
421 description: AzureKV configures this store to sync secrets using
422 Azure Key Vault provider
423 properties:
424 authSecretRef:
425 description: Auth configures how the operator authenticates
426 with Azure. Required for ServicePrincipal auth type.
427 properties:
428 clientId:
429 description: The Azure clientId of the service principal
430 used for authentication.
431 properties:
432 key:
433 description: |-
434 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
435 defaulted, in others it may be required.
436 type: string
437 name:
438 description: The name of the Secret resource being
439 referred to.
440 type: string
441 namespace:
442 description: |-
443 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
444 to the namespace of the referent.
445 type: string
446 type: object
447 clientSecret:
448 description: The Azure ClientSecret of the service principal
449 used for authentication.
450 properties:
451 key:
452 description: |-
453 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
454 defaulted, in others it may be required.
455 type: string
456 name:
457 description: The name of the Secret resource being
458 referred to.
459 type: string
460 namespace:
461 description: |-
462 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
463 to the namespace of the referent.
464 type: string
465 type: object
466 type: object
467 authType:
468 default: ServicePrincipal
469 description: |-
470 Auth type defines how to authenticate to the keyvault service.
471 Valid values are:
472 - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
473 - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
474 enum:
475 - ServicePrincipal
476 - ManagedIdentity
477 - WorkloadIdentity
478 type: string
479 identityId:
480 description: If multiple Managed Identities are assigned to the
481 pod, you can select the one to be used
482 type: string
483 serviceAccountRef:
484 description: |-
485 ServiceAccountRef specifies the service account
486 that should be used when authenticating with WorkloadIdentity.
487 properties:
488 audiences:
489 description: |-
490 Audience specifies the `aud` claim for the service account token
491 If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
492 then these audiences will be appended to the list
493 items:
494 type: string
495 type: array
496 name:
497 description: The name of the ServiceAccount resource being
498 referred to.
499 type: string
500 namespace:
501 description: |-
502 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
503 to the namespace of the referent.
504 type: string
505 required:
506 - name
507 type: object
508 tenantId:
509 description: TenantID configures the Azure Tenant to send
510 requests to. Required for ServicePrincipal auth type.
511 type: string
512 vaultUrl:
513 description: Vault URL from which the secrets are to be
514 fetched.
515 type: string
516 required:
517 - vaultUrl
518 type: object
519 fake:
520 description: Fake configures a store with static key/value pairs
521 properties:
522 data:
523 items:
524 properties:
525 key:
526 type: string
527 value:
528 type: string
529 valueMap:
530 additionalProperties:
531 type: string
532 type: object
533 version:
534 type: string
535 required:
536 - key
537 type: object
538 type: array
539 required:
540 - data
541 type: object
542 gcpsm:
543 description: GCPSM configures this store to sync secrets using
544 Google Cloud Platform Secret Manager provider
545 properties:
546 auth:
547 description: Auth defines the information necessary to authenticate
548 against GCP
549 properties:
550 secretRef:
551 properties:
552 secretAccessKeySecretRef:
553 description: The SecretAccessKey is used for authentication
554 properties:
555 key:
556 description: |-
557 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
558 defaulted, in others it may be required.
559 type: string
560 name:
561 description: The name of the Secret resource being
562 referred to.
563 type: string
564 namespace:
565 description: |-
566 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
567 to the namespace of the referent.
568 type: string
569 type: object
570 type: object
571 workloadIdentity:
572 properties:
573 clusterLocation:
574 type: string
575 clusterName:
576 type: string
577 clusterProjectID:
578 type: string
579 serviceAccountRef:
580 description: A reference to a ServiceAccount resource.
581 properties:
582 audiences:
583 description: |-
584 Audience specifies the `aud` claim for the service account token
585 If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
586 then these audiences will be appended to the list
587 items:
588 type: string
589 type: array
590 name:
591 description: The name of the ServiceAccount resource
592 being referred to.
593 type: string
594 namespace:
595 description: |-
596 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
597 to the namespace of the referent.
598 type: string
599 required:
600 - name
601 type: object
602 required:
603 - clusterLocation
604 - clusterName
605 - serviceAccountRef
606 type: object
607 type: object
608 projectID:
609 description: ProjectID project where secret is located
610 type: string
611 type: object
612 gitlab:
613 description: GitLab configures this store to sync secrets using
614 GitLab Variables provider
615 properties:
616 auth:
617 description: Auth configures how secret-manager authenticates
618 with a GitLab instance.
619 properties:
620 SecretRef:
621 properties:
622 accessToken:
623 description: AccessToken is used for authentication.
624 properties:
625 key:
626 description: |-
627 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
628 defaulted, in others it may be required.
629 type: string
630 name:
631 description: The name of the Secret resource being
632 referred to.
633 type: string
634 namespace:
635 description: |-
636 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
637 to the namespace of the referent.
638 type: string
639 type: object
640 type: object
641 required:
642 - SecretRef
643 type: object
644 projectID:
645 description: ProjectID specifies a project where secrets are
646 located.
647 type: string
648 url:
649 description: URL configures the GitLab instance URL. Defaults
650 to https://gitlab.com/.
651 type: string
652 required:
653 - auth
654 type: object
655 ibm:
656 description: IBM configures this store to sync secrets using IBM
657 Cloud provider
658 properties:
659 auth:
660 description: Auth configures how secret-manager authenticates
661 with the IBM secrets manager.
662 properties:
663 secretRef:
664 properties:
665 secretApiKeySecretRef:
666 description: The SecretAccessKey is used for authentication
667 properties:
668 key:
669 description: |-
670 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
671 defaulted, in others it may be required.
672 type: string
673 name:
674 description: The name of the Secret resource being
675 referred to.
676 type: string
677 namespace:
678 description: |-
679 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
680 to the namespace of the referent.
681 type: string
682 type: object
683 type: object
684 required:
685 - secretRef
686 type: object
687 serviceUrl:
688 description: ServiceURL is the Endpoint URL that is specific
689 to the Secrets Manager service instance
690 type: string
691 required:
692 - auth
693 type: object
694 kubernetes:
695 description: Kubernetes configures this store to sync secrets
696 using a Kubernetes cluster provider
697 properties:
698 auth:
699 description: Auth configures how secret-manager authenticates
700 with a Kubernetes instance.
701 maxProperties: 1
702 minProperties: 1
703 properties:
704 cert:
705 description: Has both clientCert and clientKey as secretKeySelector
706 properties:
707 clientCert:
708 description: |-
709 A reference to a specific 'key' within a Secret resource,
710 In some instances, `key` is a required field.
711 properties:
712 key:
713 description: |-
714 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
715 defaulted, in others it may be required.
716 type: string
717 name:
718 description: The name of the Secret resource being
719 referred to.
720 type: string
721 namespace:
722 description: |-
723 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
724 to the namespace of the referent.
725 type: string
726 type: object
727 clientKey:
728 description: |-
729 A reference to a specific 'key' within a Secret resource,
730 In some instances, `key` is a required field.
731 properties:
732 key:
733 description: |-
734 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
735 defaulted, in others it may be required.
736 type: string
737 name:
738 description: The name of the Secret resource being
739 referred to.
740 type: string
741 namespace:
742 description: |-
743 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
744 to the namespace of the referent.
745 type: string
746 type: object
747 type: object
748 serviceAccount:
749 description: points to a service account that should be
750 used for authentication
751 properties:
752 serviceAccount:
753 description: A reference to a ServiceAccount resource.
754 properties:
755 audiences:
756 description: |-
757 Audience specifies the `aud` claim for the service account token
758 If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
759 then these audiences will be appended to the list
760 items:
761 type: string
762 type: array
763 name:
764 description: The name of the ServiceAccount resource
765 being referred to.
766 type: string
767 namespace:
768 description: |-
769 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
770 to the namespace of the referent.
771 type: string
772 required:
773 - name
774 type: object
775 type: object
776 token:
777 description: Use a static token to authenticate with
778 properties:
779 bearerToken:
780 description: |-
781 A reference to a specific 'key' within a Secret resource,
782 In some instances, `key` is a required field.
783 properties:
784 key:
785 description: |-
786 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
787 defaulted, in others it may be required.
788 type: string
789 name:
790 description: The name of the Secret resource being
791 referred to.
792 type: string
793 namespace:
794 description: |-
795 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
796 to the namespace of the referent.
797 type: string
798 type: object
799 type: object
800 type: object
801 remoteNamespace:
802 default: default
803 description: Remote namespace to fetch the secrets from
804 type: string
805 server:
806 description: Configures the Kubernetes server address.
807 properties:
808 caBundle:
809 description: CABundle is a base64-encoded CA certificate
810 format: byte
811 type: string
812 caProvider:
813 description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
814 properties:
815 key:
816 description: The key the value inside of the provider
817 type to use, only used with "Secret" type
818 type: string
819 name:
820 description: The name of the object located at the
821 provider type.
822 type: string
823 namespace:
824 description: The namespace the Provider type is in.
825 type: string
826 type:
827 description: The type of provider to use such as "Secret",
828 or "ConfigMap".
829 enum:
830 - Secret
831 - ConfigMap
832 type: string
833 required:
834 - name
835 - type
836 type: object
837 url:
838 default: kubernetes.default
839 description: Configures the Kubernetes server address.
840 type: string
841 type: object
842 required:
843 - auth
844 type: object
845 oracle:
846 description: Oracle configures this store to sync secrets using
847 Oracle Vault provider
848 properties:
849 auth:
850 description: |-
851 Auth configures how secret-manager authenticates with the Oracle Vault.
852 If empty, instance principal is used. Optionally, the authenticating principal type
853 and/or user data may be supplied for the use of workload identity and user principal.
854 properties:
855 secretRef:
856 description: SecretRef to pass through sensitive information.
857 properties:
858 fingerprint:
859 description: Fingerprint is the fingerprint of the
860 API private key.
861 properties:
862 key:
863 description: |-
864 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
865 defaulted, in others it may be required.
866 type: string
867 name:
868 description: The name of the Secret resource being
869 referred to.
870 type: string
871 namespace:
872 description: |-
873 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
874 to the namespace of the referent.
875 type: string
876 type: object
877 privatekey:
878 description: PrivateKey is the user's API Signing
879 Key in PEM format, used for authentication.
880 properties:
881 key:
882 description: |-
883 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
884 defaulted, in others it may be required.
885 type: string
886 name:
887 description: The name of the Secret resource being
888 referred to.
889 type: string
890 namespace:
891 description: |-
892 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
893 to the namespace of the referent.
894 type: string
895 type: object
896 required:
897 - fingerprint
898 - privatekey
899 type: object
900 tenancy:
901 description: Tenancy is the tenancy OCID where user is
902 located.
903 type: string
904 user:
905 description: User is an access OCID specific to the account.
906 type: string
907 required:
908 - secretRef
909 - tenancy
910 - user
911 type: object
912 compartment:
913 description: |-
914 Compartment is the vault compartment OCID.
915 Required for PushSecret
916 type: string
917 encryptionKey:
918 description: |-
919 EncryptionKey is the OCID of the encryption key within the vault.
920 Required for PushSecret
921 type: string
922 principalType:
923 description: |-
924 The type of principal to use for authentication. If left blank, the Auth struct will
925 determine the principal type. This optional field must be specified if using
926 workload identity.
927 enum:
928 - ""
929 - UserPrincipal
930 - InstancePrincipal
931 - Workload
932 type: string
933 region:
934 description: Region is the region where vault is located.
935 type: string
936 serviceAccountRef:
937 description: |-
938 ServiceAccountRef specifies the service account
939 that should be used when authenticating with WorkloadIdentity.
940 properties:
941 audiences:
942 description: |-
943 Audience specifies the `aud` claim for the service account token
944 If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
945 then these audiences will be appended to the list
946 items:
947 type: string
948 type: array
949 name:
950 description: The name of the ServiceAccount resource being
951 referred to.
952 type: string
953 namespace:
954 description: |-
955 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
956 to the namespace of the referent.
957 type: string
958 required:
959 - name
960 type: object
961 vault:
962 description: Vault is the vault's OCID of the specific vault
963 where secret is located.
964 type: string
965 required:
966 - region
967 - vault
968 type: object
969 passworddepot:
970 description: Configures a store to sync secrets with a Password
971 Depot instance.
972 properties:
973 auth:
974 description: Auth configures how secret-manager authenticates
975 with a Password Depot instance.
976 properties:
977 secretRef:
978 properties:
979 credentials:
980 description: Username / Password is used for authentication.
981 properties:
982 key:
983 description: |-
984 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
985 defaulted, in others it may be required.
986 type: string
987 name:
988 description: The name of the Secret resource being
989 referred to.
990 type: string
991 namespace:
992 description: |-
993 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
994 to the namespace of the referent.
995 type: string
996 type: object
997 type: object
998 required:
999 - secretRef
1000 type: object
1001 database:
1002 description: Database to use as source
1003 type: string
1004 host:
1005 description: URL configures the Password Depot instance URL.
1006 type: string
1007 required:
1008 - auth
1009 - database
1010 - host
1011 type: object
1012 vault:
1013 description: Vault configures this store to sync secrets using
1014 Hashi provider
1015 properties:
1016 auth:
1017 description: Auth configures how secret-manager authenticates
1018 with the Vault server.
1019 properties:
1020 appRole:
1021 description: |-
1022 AppRole authenticates with Vault using the App Role auth mechanism,
1023 with the role and secret stored in a Kubernetes Secret resource.
1024 properties:
1025 path:
1026 default: approle
1027 description: |-
1028 Path where the App Role authentication backend is mounted
1029 in Vault, e.g: "approle"
1030 type: string
1031 roleId:
1032 description: |-
1033 RoleID configured in the App Role authentication backend when setting
1034 up the authentication backend in Vault.
1035 type: string
1036 secretRef:
1037 description: |-
1038 Reference to a key in a Secret that contains the App Role secret used
1039 to authenticate with Vault.
1040 The `key` field must be specified and denotes which entry within the Secret
1041 resource is used as the app role secret.
1042 properties:
1043 key:
1044 description: |-
1045 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
1046 defaulted, in others it may be required.
1047 type: string
1048 name:
1049 description: The name of the Secret resource being
1050 referred to.
1051 type: string
1052 namespace:
1053 description: |-
1054 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
1055 to the namespace of the referent.
1056 type: string
1057 type: object
1058 required:
1059 - path
1060 - roleId
1061 - secretRef
1062 type: object
1063 cert:
1064 description: |-
1065 Cert authenticates with Vault using the Cert authentication method by passing a client certificate,
1066 private key and CA certificate.
1067 properties:
1068 clientCert:
1069 description: |-
1070 ClientCert is a certificate to authenticate using the Cert Vault
1071 authentication method
1072 properties:
1073 key:
1074 description: |-
1075 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
1076 defaulted, in others it may be required.
1077 type: string
1078 name:
1079 description: The name of the Secret resource being
1080 referred to.
1081 type: string
1082 namespace:
1083 description: |-
1084 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
1085 to the namespace of the referent.
1086 type: string
1087 type: object
1088 secretRef:
1089 description: |-
1090 SecretRef to a key in a Secret resource containing client private key to
1091 authenticate with Vault using the Cert authentication method
1092 properties:
1093 key:
1094 description: |-
1095 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
1096 defaulted, in others it may be required.
1097 type: string
1098 name:
1099 description: The name of the Secret resource being
1100 referred to.
1101 type: string
1102 namespace:
1103 description: |-
1104 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
1105 to the namespace of the referent.
1106 type: string
1107 type: object
1108 type: object
1109 jwt:
1110 description: |-
1111 Jwt authenticates with Vault by passing role and JWT token using the
1112 JWT/OIDC authentication method
1113 properties:
1114 kubernetesServiceAccountToken:
1115 description: |-
1116 Optional ServiceAccountToken specifies the Kubernetes service account for which to request
1117 a token with the `TokenRequest` API.
1118 properties:
1119 audiences:
1120 description: |-
1121 Optional audiences field that will be used to request a temporary Kubernetes service
1122 account token for the service account referenced by `serviceAccountRef`.
1123 Defaults to a single audience `vault` if not specified.
1124 items:
1125 type: string
1126 type: array
1127 expirationSeconds:
1128 description: |-
1129 Optional expiration time in seconds that will be used to request a temporary
1130 Kubernetes service account token for the service account referenced by
1131 `serviceAccountRef`.
1132 Defaults to 10 minutes.
1133 format: int64
1134 type: integer
1135 serviceAccountRef:
1136 description: Service account field containing
1137 the name of a kubernetes ServiceAccount.
1138 properties:
1139 audiences:
1140 description: |-
1141 Audience specifies the `aud` claim for the service account token.
1142 If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity,
1143 then these audiences will be appended to the list.
1144 items:
1145 type: string
1146 type: array
1147 name:
1148 description: The name of the ServiceAccount
1149 resource being referred to.
1150 type: string
1151 namespace:
1152 description: |-
1153 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
1154 to the namespace of the referent.
1155 type: string
1156 required:
1157 - name
1158 type: object
1159 required:
1160 - serviceAccountRef
1161 type: object
1162 path:
1163 default: jwt
1164 description: |-
1165 Path where the JWT authentication backend is mounted
1166 in Vault, e.g: "jwt"
1167 type: string
1168 role:
1169 description: |-
1170 Role is a JWT role to authenticate using the JWT/OIDC Vault
1171 authentication method
1172 type: string
1173 secretRef:
1174 description: |-
1175 Optional SecretRef that refers to a key in a Secret resource containing JWT token to
1176 authenticate with Vault using the JWT/OIDC authentication method.
1177 properties:
1178 key:
1179 description: |-
1180 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
1181 defaulted, in others it may be required.
1182 type: string
1183 name:
1184 description: The name of the Secret resource being
1185 referred to.
1186 type: string
1187 namespace:
1188 description: |-
1189 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
1190 to the namespace of the referent.
1191 type: string
1192 type: object
1193 required:
1194 - path
1195 type: object
1196 kubernetes:
1197 description: |-
1198 Kubernetes authenticates with Vault by passing the ServiceAccount
1199 token stored in the named Secret resource to the Vault server.
1200 properties:
1201 mountPath:
1202 default: kubernetes
1203 description: |-
1204 Path where the Kubernetes authentication backend is mounted in Vault, e.g:
1205 "kubernetes"
1206 type: string
1207 role:
1208 description: |-
1209 A required field containing the Vault Role to assume. A Role binds a
1210 Kubernetes ServiceAccount with a set of Vault policies.
1211 type: string
1212 secretRef:
1213 description: |-
1214 Optional secret field containing a Kubernetes ServiceAccount JWT used
1215 for authenticating with Vault. If a name is specified without a key,
1216 `token` is the default. If one is not specified, the one bound to
1217 the controller will be used.
1218 properties:
1219 key:
1220 description: |-
1221 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
1222 defaulted, in others it may be required.
1223 type: string
1224 name:
1225 description: The name of the Secret resource being
1226 referred to.
1227 type: string
1228 namespace:
1229 description: |-
1230 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
1231 to the namespace of the referent.
1232 type: string
1233 type: object
1234 serviceAccountRef:
1235 description: |-
1236 Optional service account field containing the name of a kubernetes ServiceAccount.
1237 If the service account is specified, the service account secret token JWT will be used
1238 for authenticating with Vault. If the service account selector is not supplied,
1239 the secretRef will be used instead.
1240 properties:
1241 audiences:
1242 description: |-
1243 Audience specifies the `aud` claim for the service account token.
1244 If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity,
1245 then these audiences will be appended to the list.
1246 items:
1247 type: string
1248 type: array
1249 name:
1250 description: The name of the ServiceAccount resource
1251 being referred to.
1252 type: string
1253 namespace:
1254 description: |-
1255 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
1256 to the namespace of the referent.
1257 type: string
1258 required:
1259 - name
1260 type: object
1261 required:
1262 - mountPath
1263 - role
1264 type: object
1265 ldap:
1266 description: |-
1267 Ldap authenticates with Vault by passing username/password pair using
1268 the LDAP authentication method
1269 properties:
1270 path:
1271 default: ldap
1272 description: |-
1273 Path where the LDAP authentication backend is mounted
1274 in Vault, e.g: "ldap"
1275 type: string
1276 secretRef:
1277 description: |-
1278 SecretRef to a key in a Secret resource containing password for the LDAP
1279 user used to authenticate with Vault using the LDAP authentication
1280 method
1281 properties:
1282 key:
1283 description: |-
1284 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
1285 defaulted, in others it may be required.
1286 type: string
1287 name:
1288 description: The name of the Secret resource being
1289 referred to.
1290 type: string
1291 namespace:
1292 description: |-
1293 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
1294 to the namespace of the referent.
1295 type: string
1296 type: object
1297 username:
1298 description: |-
1299 Username is a LDAP user name used to authenticate using the LDAP Vault
1300 authentication method
1301 type: string
1302 required:
1303 - path
1304 - username
1305 type: object
1306 tokenSecretRef:
1307 description: TokenSecretRef authenticates with Vault by
1308 presenting a token.
1309 properties:
1310 key:
1311 description: |-
1312 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
1313 defaulted, in others it may be required.
1314 type: string
1315 name:
1316 description: The name of the Secret resource being
1317 referred to.
1318 type: string
1319 namespace:
1320 description: |-
1321 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
1322 to the namespace of the referent.
1323 type: string
1324 type: object
1325 type: object
1326 caBundle:
1327 description: |-
1328 PEM encoded CA bundle used to validate Vault server certificate. Only used
1329 if the Server URL is using HTTPS protocol. This parameter is ignored for
1330 plain HTTP protocol connection. If not set the system root certificates
1331 are used to validate the TLS connection.
1332 format: byte
1333 type: string
1334 caProvider:
1335 description: The provider for the CA bundle to use to validate
1336 Vault server certificate.
1337 properties:
1338 key:
1339 description: The key of the value inside the provider
1340 type to use; only used with the "Secret" type
1341 type: string
1342 name:
1343 description: The name of the object located at the provider
1344 type.
1345 type: string
1346 namespace:
1347 description: The namespace the Provider type is in.
1348 type: string
1349 type:
1350 description: The type of provider to use such as "Secret",
1351 or "ConfigMap".
1352 enum:
1353 - Secret
1354 - ConfigMap
1355 type: string
1356 required:
1357 - name
1358 - type
1359 type: object
1360 forwardInconsistent:
1361 description: |-
1362 ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
1363 leader instead of simply retrying within a loop. This can increase performance if
1364 the option is enabled serverside.
1365 https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
1366 type: boolean
1367 namespace:
1368 description: |-
1369 Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
1370 Vault environments to support Secure Multi-tenancy. e.g: "ns1".
1371 More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
1372 type: string
1373 path:
1374 description: |-
1375 Path is the mount path of the Vault KV backend endpoint, e.g:
1376 "secret". The v2 KV secret engine version specific "/data" path suffix
1377 for fetching secrets from Vault is optional and will be appended
1378 if not present in specified path.
1379 type: string
1380 readYourWrites:
1381 description: |-
1382 ReadYourWrites ensures isolated read-after-write semantics by
1383 providing discovered cluster replication states in each request.
1384 More information about eventual consistency in Vault can be found here
1385 https://www.vaultproject.io/docs/enterprise/consistency
1386 type: boolean
1387 server:
1388 description: 'Server is the connection address for the Vault
1389 server, e.g: "https://vault.example.com:8200".'
1390 type: string
1391 version:
1392 default: v2
1393 description: |-
1394 Version is the Vault KV secret engine version. This can be either "v1" or
1395 "v2". Version defaults to "v2".
1396 enum:
1397 - v1
1398 - v2
1399 type: string
1400 required:
1401 - auth
1402 - server
1403 type: object
1404 webhook:
1405 description: Webhook configures this store to sync secrets using
1406 a generic templated webhook
1407 properties:
1408 body:
1409 description: Body
1410 type: string
1411 caBundle:
1412 description: |-
1413 PEM encoded CA bundle used to validate webhook server certificate. Only used
1414 if the Server URL is using HTTPS protocol. This parameter is ignored for
1415 plain HTTP protocol connection. If not set the system root certificates
1416 are used to validate the TLS connection.
1417 format: byte
1418 type: string
1419 caProvider:
1420 description: The provider for the CA bundle to use to validate
1421 webhook server certificate.
1422 properties:
1423 key:
1424 description: The key of the value inside the provider
1425 type to use; only used with the "Secret" type
1426 type: string
1427 name:
1428 description: The name of the object located at the provider
1429 type.
1430 type: string
1431 namespace:
1432 description: The namespace the Provider type is in.
1433 type: string
1434 type:
1435 description: The type of provider to use such as "Secret",
1436 or "ConfigMap".
1437 enum:
1438 - Secret
1439 - ConfigMap
1440 type: string
1441 required:
1442 - name
1443 - type
1444 type: object
1445 headers:
1446 additionalProperties:
1447 type: string
1448 description: Headers
1449 type: object
1450 method:
1451 description: Webhook Method
1452 type: string
1453 result:
1454 description: Result formatting
1455 properties:
1456 jsonPath:
1457 description: Json path of return value
1458 type: string
1459 type: object
1460 secrets:
1461 description: |-
1462 Secrets to fill in templates
1463 These secrets will be passed to the templating function as key value pairs under the given name
1464 items:
1465 properties:
1466 name:
1467 description: Name of this secret in templates
1468 type: string
1469 secretRef:
1470 description: Secret ref to fill in credentials
1471 properties:
1472 key:
1473 description: |-
1474 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
1475 defaulted, in others it may be required.
1476 type: string
1477 name:
1478 description: The name of the Secret resource being
1479 referred to.
1480 type: string
1481 namespace:
1482 description: |-
1483 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
1484 to the namespace of the referent.
1485 type: string
1486 type: object
1487 required:
1488 - name
1489 - secretRef
1490 type: object
1491 type: array
1492 timeout:
1493 description: Timeout
1494 type: string
1495 url:
1496 description: Webhook url to call
1497 type: string
1498 required:
1499 - result
1500 - url
1501 type: object
1502 yandexlockbox:
1503 description: YandexLockbox configures this store to sync secrets
1504 using Yandex Lockbox provider
1505 properties:
1506 apiEndpoint:
1507 description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
1508 type: string
1509 auth:
1510 description: Auth defines the information necessary to authenticate
1511 against Yandex Lockbox
1512 properties:
1513 authorizedKeySecretRef:
1514 description: The authorized key used for authentication
1515 properties:
1516 key:
1517 description: |-
1518 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
1519 defaulted, in others it may be required.
1520 type: string
1521 name:
1522 description: The name of the Secret resource being
1523 referred to.
1524 type: string
1525 namespace:
1526 description: |-
1527 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
1528 to the namespace of the referent.
1529 type: string
1530 type: object
1531 type: object
1532 caProvider:
1533 description: The provider for the CA bundle to use to validate
1534 Yandex.Cloud server certificate.
1535 properties:
1536 certSecretRef:
1537 description: |-
1538 A reference to a specific 'key' within a Secret resource,
1539 In some instances, `key` is a required field.
1540 properties:
1541 key:
1542 description: |-
1543 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
1544 defaulted, in others it may be required.
1545 type: string
1546 name:
1547 description: The name of the Secret resource being
1548 referred to.
1549 type: string
1550 namespace:
1551 description: |-
1552 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
1553 to the namespace of the referent.
1554 type: string
1555 type: object
1556 type: object
1557 required:
1558 - auth
1559 type: object
1560 type: object
1561 retrySettings:
1562 description: Used to configure HTTP retries on failure
1563 properties:
1564 maxRetries:
1565 format: int32
1566 type: integer
1567 retryInterval:
1568 type: string
1569 type: object
1570 required:
1571 - provider
1572 type: object
1573 status:
1574 description: SecretStoreStatus defines the observed state of the SecretStore.
1575 properties:
1576 conditions:
1577 items:
1578 properties:
1579 lastTransitionTime:
1580 format: date-time
1581 type: string
1582 message:
1583 type: string
1584 reason:
1585 type: string
1586 status:
1587 type: string
1588 type:
1589 type: string
1590 required:
1591 - status
1592 - type
1593 type: object
1594 type: array
1595 type: object
1596 type: object
1597 served: true
1598 storage: false
1599 subresources:
1600 status: {}
1601 - additionalPrinterColumns:
1602 - jsonPath: .metadata.creationTimestamp
1603 name: AGE
1604 type: date
1605 - jsonPath: .status.conditions[?(@.type=="Ready")].reason
1606 name: Status
1607 type: string
1608 - jsonPath: .status.capabilities
1609 name: Capabilities
1610 type: string
1611 - jsonPath: .status.conditions[?(@.type=="Ready")].status
1612 name: Ready
1613 type: string
1614 name: v1beta1
1615 schema:
1616 openAPIV3Schema:
1617 description: ClusterSecretStore represents a secure external location for
1618 storing secrets, which can be referenced as part of `storeRef` fields.
1619 properties:
1620 apiVersion:
1621 description: |-
1622 APIVersion defines the versioned schema of this representation of an object.
1623 Servers should convert recognized schemas to the latest internal value, and
1624 may reject unrecognized values.
1625 More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
1626 type: string
1627 kind:
1628 description: |-
1629 Kind is a string value representing the REST resource this object represents.
1630 Servers may infer this from the endpoint the client submits requests to.
1631 Cannot be updated.
1632 In CamelCase.
1633 More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
1634 type: string
1635 metadata:
1636 type: object
1637 spec:
1638 description: SecretStoreSpec defines the desired state of SecretStore.
1639 properties:
1640 conditions:
1641 description: Used to constrain a ClusterSecretStore to specific namespaces.
1642 Relevant only to ClusterSecretStore
1643 items:
1644 description: |-
1645 ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in
1646 for a ClusterSecretStore instance.
1647 properties:
1648 namespaceSelector:
1649 description: Choose namespace using a labelSelector
1650 properties:
1651 matchExpressions:
1652 description: matchExpressions is a list of label selector
1653 requirements. The requirements are ANDed.
1654 items:
1655 description: |-
1656 A label selector requirement is a selector that contains values, a key, and an operator that
1657 relates the key and values.
1658 properties:
1659 key:
1660 description: key is the label key that the selector
1661 applies to.
1662 type: string
1663 operator:
1664 description: |-
1665 operator represents a key's relationship to a set of values.
1666 Valid operators are In, NotIn, Exists and DoesNotExist.
1667 type: string
1668 values:
1669 description: |-
1670 values is an array of string values. If the operator is In or NotIn,
1671 the values array must be non-empty. If the operator is Exists or DoesNotExist,
1672 the values array must be empty. This array is replaced during a strategic
1673 merge patch.
1674 items:
1675 type: string
1676 type: array
1677 x-kubernetes-list-type: atomic
1678 required:
1679 - key
1680 - operator
1681 type: object
1682 type: array
1683 x-kubernetes-list-type: atomic
1684 matchLabels:
1685 additionalProperties:
1686 type: string
1687 description: |-
1688 matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
1689 map is equivalent to an element of matchExpressions, whose key field is "key", the
1690 operator is "In", and the values array contains only "value". The requirements are ANDed.
1691 type: object
1692 type: object
1693 x-kubernetes-map-type: atomic
1694 namespaces:
1695 description: Choose namespaces by name
1696 items:
1697 type: string
1698 type: array
1699 type: object
1700 type: array
1701 controller:
1702 description: |-
1703 Used to select the correct ESO controller (think: ingress.ingressClassName)
1704 The ESO controller is instantiated with a specific controller name and filters ES based on this property
1705 type: string
1706 provider:
1707 description: Used to configure the provider. Only one provider may
1708 be set
1709 maxProperties: 1
1710 minProperties: 1
1711 properties:
1712 akeyless:
1713 description: Akeyless configures this store to sync secrets using
1714 Akeyless Vault provider
1715 properties:
1716 akeylessGWApiURL:
1717 description: Akeyless GW API URL from which the secrets are to
1718 be fetched.
1719 type: string
1720 authSecretRef:
1721 description: Auth configures how the operator authenticates
1722 with Akeyless.
1723 properties:
1724 kubernetesAuth:
1725 description: |-
1726 Kubernetes authenticates with Akeyless by passing the ServiceAccount
1727 token stored in the named Secret resource.
1728 properties:
1729 accessID:
1730 description: the Akeyless Kubernetes auth-method access-id
1731 type: string
1732 k8sConfName:
1733 description: Kubernetes-auth configuration name in
1734 Akeyless-Gateway
1735 type: string
1736 secretRef:
1737 description: |-
1738 Optional secret field containing a Kubernetes ServiceAccount JWT used
1739 for authenticating with Akeyless. If a name is specified without a key,
1740 `token` is the default. If one is not specified, the one bound to
1741 the controller will be used.
1742 properties:
1743 key:
1744 description: |-
1745 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
1746 defaulted, in others it may be required.
1747 type: string
1748 name:
1749 description: The name of the Secret resource being
1750 referred to.
1751 type: string
1752 namespace:
1753 description: |-
1754 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
1755 to the namespace of the referent.
1756 type: string
1757 type: object
1758 serviceAccountRef:
1759 description: |-
1760 Optional service account field containing the name of a kubernetes ServiceAccount.
1761 If the service account is specified, the service account secret token JWT will be used
1762 for authenticating with Akeyless. If the service account selector is not supplied,
1763 the secretRef will be used instead.
1764 properties:
1765 audiences:
1766 description: |-
1767 Audience specifies the `aud` claim for the service account token.
1768 If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity,
1769 then these audiences will be appended to the list.
1770 items:
1771 type: string
1772 type: array
1773 name:
1774 description: The name of the ServiceAccount resource
1775 being referred to.
1776 type: string
1777 namespace:
1778 description: |-
1779 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
1780 to the namespace of the referent.
1781 type: string
1782 required:
1783 - name
1784 type: object
1785 required:
1786 - accessID
1787 - k8sConfName
1788 type: object
1789 secretRef:
1790 description: |-
1791 Reference to a Secret that contains the details
1792 to authenticate with Akeyless.
1793 properties:
1794 accessID:
1795 description: The SecretAccessID is used for authentication
1796 properties:
1797 key:
1798 description: |-
1799 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
1800 defaulted, in others it may be required.
1801 type: string
1802 name:
1803 description: The name of the Secret resource being
1804 referred to.
1805 type: string
1806 namespace:
1807 description: |-
1808 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
1809 to the namespace of the referent.
1810 type: string
1811 type: object
1812 accessType:
1813 description: |-
1814 A reference to a specific 'key' within a Secret resource,
1815 In some instances, `key` is a required field.
1816 properties:
1817 key:
1818 description: |-
1819 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
1820 defaulted, in others it may be required.
1821 type: string
1822 name:
1823 description: The name of the Secret resource being
1824 referred to.
1825 type: string
1826 namespace:
1827 description: |-
1828 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
1829 to the namespace of the referent.
1830 type: string
1831 type: object
1832 accessTypeParam:
1833 description: |-
1834 A reference to a specific 'key' within a Secret resource,
1835 In some instances, `key` is a required field.
1836 properties:
1837 key:
1838 description: |-
1839 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
1840 defaulted, in others it may be required.
1841 type: string
1842 name:
1843 description: The name of the Secret resource being
1844 referred to.
1845 type: string
1846 namespace:
1847 description: |-
1848 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
1849 to the namespace of the referent.
1850 type: string
1851 type: object
1852 type: object
1853 type: object
1854 caBundle:
1855 description: |-
1856 PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used
1857 if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates
1858 are used to validate the TLS connection.
1859 format: byte
1860 type: string
1861 caProvider:
1862 description: The provider for the CA bundle to use to validate
1863 Akeyless Gateway certificate.
1864 properties:
1865 key:
1866 description: The key where the CA certificate can be found
1867 in the Secret or ConfigMap.
1868 type: string
1869 name:
1870 description: The name of the object located at the provider
1871 type.
1872 type: string
1873 namespace:
1874 description: |-
1875 The namespace the Provider type is in.
1876 Can only be defined when used in a ClusterSecretStore.
1877 type: string
1878 type:
1879 description: The type of provider to use such as "Secret",
1880 or "ConfigMap".
1881 enum:
1882 - Secret
1883 - ConfigMap
1884 type: string
1885 required:
1886 - name
1887 - type
1888 type: object
1889 required:
1890 - akeylessGWApiURL
1891 - authSecretRef
1892 type: object
1893 alibaba:
1894 description: Alibaba configures this store to sync secrets using
1895 Alibaba Cloud provider
1896 properties:
1897 auth:
1898 description: AlibabaAuth contains a secretRef for credentials.
1899 properties:
1900 rrsa:
1901 description: Authenticate against Alibaba using RRSA.
1902 properties:
1903 oidcProviderArn:
1904 type: string
1905 oidcTokenFilePath:
1906 type: string
1907 roleArn:
1908 type: string
1909 sessionName:
1910 type: string
1911 required:
1912 - oidcProviderArn
1913 - oidcTokenFilePath
1914 - roleArn
1915 - sessionName
1916 type: object
1917 secretRef:
1918 description: AlibabaAuthSecretRef holds secret references
1919 for Alibaba credentials.
1920 properties:
1921 accessKeyIDSecretRef:
1922 description: The AccessKeyID is used for authentication
1923 properties:
1924 key:
1925 description: |-
1926 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
1927 defaulted, in others it may be required.
1928 type: string
1929 name:
1930 description: The name of the Secret resource being
1931 referred to.
1932 type: string
1933 namespace:
1934 description: |-
1935 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
1936 to the namespace of the referent.
1937 type: string
1938 type: object
1939 accessKeySecretSecretRef:
1940 description: The AccessKeySecret is used for authentication
1941 properties:
1942 key:
1943 description: |-
1944 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
1945 defaulted, in others it may be required.
1946 type: string
1947 name:
1948 description: The name of the Secret resource being
1949 referred to.
1950 type: string
1951 namespace:
1952 description: |-
1953 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
1954 to the namespace of the referent.
1955 type: string
1956 type: object
1957 required:
1958 - accessKeyIDSecretRef
1959 - accessKeySecretSecretRef
1960 type: object
1961 type: object
1962 regionID:
1963 description: Alibaba Region to be used for the provider
1964 type: string
1965 required:
1966 - auth
1967 - regionID
1968 type: object
1969 aws:
1970 description: AWS configures this store to sync secrets using AWS
1971 Secret Manager provider
1972 properties:
1973 additionalRoles:
1974 description: AdditionalRoles is a chained list of Role ARNs
1975 which the provider will sequentially assume before assuming
1976 the Role
1977 items:
1978 type: string
1979 type: array
1980 auth:
1981 description: |-
1982 Auth defines the information necessary to authenticate against AWS.
1983 If not set, the AWS SDK will infer credentials from your environment;
1984 see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
1985 properties:
1986 jwt:
1987 description: Authenticate against AWS using service account
1988 tokens.
1989 properties:
1990 serviceAccountRef:
1991 description: A reference to a ServiceAccount resource.
1992 properties:
1993 audiences:
1994 description: |-
1995 Audience specifies the `aud` claim for the service account token.
1996 If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity,
1997 then these audiences will be appended to the list.
1998 items:
1999 type: string
2000 type: array
2001 name:
2002 description: The name of the ServiceAccount resource
2003 being referred to.
2004 type: string
2005 namespace:
2006 description: |-
2007 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
2008 to the namespace of the referent.
2009 type: string
2010 required:
2011 - name
2012 type: object
2013 type: object
2014 secretRef:
2015 description: |-
2016 AWSAuthSecretRef holds secret references for AWS credentials
2017 both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
2018 properties:
2019 accessKeyIDSecretRef:
2020 description: The AccessKeyID is used for authentication
2021 properties:
2022 key:
2023 description: |-
2024 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
2025 defaulted, in others it may be required.
2026 type: string
2027 name:
2028 description: The name of the Secret resource being
2029 referred to.
2030 type: string
2031 namespace:
2032 description: |-
2033 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
2034 to the namespace of the referent.
2035 type: string
2036 type: object
2037 secretAccessKeySecretRef:
2038 description: The SecretAccessKey is used for authentication
2039 properties:
2040 key:
2041 description: |-
2042 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
2043 defaulted, in others it may be required.
2044 type: string
2045 name:
2046 description: The name of the Secret resource being
2047 referred to.
2048 type: string
2049 namespace:
2050 description: |-
2051 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
2052 to the namespace of the referent.
2053 type: string
2054 type: object
2055 sessionTokenSecretRef:
2056 description: |-
2057 The SessionToken used for authentication
2058 This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
2059 see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
2060 properties:
2061 key:
2062 description: |-
2063 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
2064 defaulted, in others it may be required.
2065 type: string
2066 name:
2067 description: The name of the Secret resource being
2068 referred to.
2069 type: string
2070 namespace:
2071 description: |-
2072 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
2073 to the namespace of the referent.
2074 type: string
2075 type: object
2076 type: object
2077 type: object
2078 externalID:
2079 description: AWS External ID set on assumed IAM roles
2080 type: string
2081 region:
2082 description: AWS Region to be used for the provider
2083 type: string
2084 role:
2085 description: Role is a Role ARN which the provider will assume
2086 type: string
2087 secretsManager:
2088 description: SecretsManager defines how the provider behaves
2089 when interacting with AWS SecretsManager
2090 properties:
2091 forceDeleteWithoutRecovery:
2092 description: |-
2093 Specifies whether to delete the secret without any recovery window. You
2094 can't use both this parameter and RecoveryWindowInDays in the same call.
2095 If you don't use either, then by default Secrets Manager uses a 30 day
2096 recovery window.
2097 see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery
2098 type: boolean
2099 recoveryWindowInDays:
2100 description: |-
2101 The number of days from 7 to 30 that Secrets Manager waits before
2102 permanently deleting the secret. You can't use both this parameter and
2103 ForceDeleteWithoutRecovery in the same call. If you don't use either,
2104 then by default Secrets Manager uses a 30 day recovery window.
2105 see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays
2106 format: int64
2107 type: integer
2108 type: object
2109 service:
2110 description: Service defines which service should be used
2111 to fetch the secrets
2112 enum:
2113 - SecretsManager
2114 - ParameterStore
2115 type: string
2116 sessionTags:
2117 description: AWS STS assume role session tags
2118 items:
2119 properties:
2120 key:
2121 type: string
2122 value:
2123 type: string
2124 required:
2125 - key
2126 - value
2127 type: object
2128 type: array
2129 transitiveTagKeys:
2130 description: AWS STS assume role transitive session tags.
2131 Required when multiple roles are used with the provider
2132 items:
2133 type: string
2134 type: array
2135 required:
2136 - region
2137 - service
2138 type: object
2139 azurekv:
2140 description: AzureKV configures this store to sync secrets using
2141 Azure Key Vault provider
2142 properties:
2143 authSecretRef:
2144 description: Auth configures how the operator authenticates
2145 with Azure. Required for ServicePrincipal auth type. Optional
2146 for WorkloadIdentity.
2147 properties:
2148 clientId:
2149 description: The Azure clientId of the service principal
2150 or managed identity used for authentication.
2151 properties:
2152 key:
2153 description: |-
2154 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
2155 defaulted, in others it may be required.
2156 type: string
2157 name:
2158 description: The name of the Secret resource being
2159 referred to.
2160 type: string
2161 namespace:
2162 description: |-
2163 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
2164 to the namespace of the referent.
2165 type: string
2166 type: object
2167 clientSecret:
2168 description: The Azure ClientSecret of the service principal
2169 used for authentication.
2170 properties:
2171 key:
2172 description: |-
2173 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
2174 defaulted, in others it may be required.
2175 type: string
2176 name:
2177 description: The name of the Secret resource being
2178 referred to.
2179 type: string
2180 namespace:
2181 description: |-
2182 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
2183 to the namespace of the referent.
2184 type: string
2185 type: object
2186 tenantId:
2187 description: The Azure tenantId of the managed identity
2188 used for authentication.
2189 properties:
2190 key:
2191 description: |-
2192 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
2193 defaulted, in others it may be required.
2194 type: string
2195 name:
2196 description: The name of the Secret resource being
2197 referred to.
2198 type: string
2199 namespace:
2200 description: |-
2201 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
2202 to the namespace of the referent.
2203 type: string
2204 type: object
2205 type: object
2206 authType:
2207 default: ServicePrincipal
2208 description: |-
2209 Auth type defines how to authenticate to the keyvault service.
2210 Valid values are:
2211 - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
2212 - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
- "WorkloadIdentity": Using the service account referenced by `serviceAccountRef`
2213 enum:
2214 - ServicePrincipal
2215 - ManagedIdentity
2216 - WorkloadIdentity
2217 type: string
2218 environmentType:
2219 default: PublicCloud
2220 description: |-
2221 EnvironmentType specifies the Azure cloud environment endpoints to use for
2222 connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
2223 The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
2224 PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
2225 enum:
2226 - PublicCloud
2227 - USGovernmentCloud
2228 - ChinaCloud
2229 - GermanCloud
2230 type: string
2231 identityId:
2232 description: If multiple Managed Identities are assigned to the
2233 pod, you can select the one to be used.
2234 type: string
2235 serviceAccountRef:
2236 description: |-
2237 ServiceAccountRef specifies the service account
2238 that should be used when authenticating with WorkloadIdentity.
2239 properties:
2240 audiences:
2241 description: |-
2242 Audience specifies the `aud` claim for the service account token
2243 If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
2244 then these audiences will be appended to the list
2245 items:
2246 type: string
2247 type: array
2248 name:
2249 description: The name of the ServiceAccount resource being
2250 referred to.
2251 type: string
2252 namespace:
2253 description: |-
2254 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
2255 to the namespace of the referent.
2256 type: string
2257 required:
2258 - name
2259 type: object
2260 tenantId:
2261 description: TenantID configures the Azure Tenant to send
2262 requests to. Required for ServicePrincipal auth type. Optional
2263 for WorkloadIdentity.
2264 type: string
2265 vaultUrl:
2266 description: Vault URL from which the secrets are to be
2267 fetched.
2268 type: string
2269 required:
2270 - vaultUrl
2271 type: object
2272 chef:
2273 description: Chef configures this store to sync secrets with chef
2274 server
2275 properties:
2276 auth:
2277 description: Auth defines the information necessary to authenticate
2278 against chef Server
2279 properties:
2280 secretRef:
2281 description: ChefAuthSecretRef holds secret references
2282 for chef server login credentials.
2283 properties:
2284 privateKeySecretRef:
2285 description: SecretKey is the Signing Key in PEM format,
2286 used for authentication.
2287 properties:
2288 key:
2289 description: |-
2290 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
2291 defaulted, in others it may be required.
2292 type: string
2293 name:
2294 description: The name of the Secret resource being
2295 referred to.
2296 type: string
2297 namespace:
2298 description: |-
2299 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
2300 to the namespace of the referent.
2301 type: string
2302 type: object
2303 required:
2304 - privateKeySecretRef
2305 type: object
2306 required:
2307 - secretRef
2308 type: object
2309 serverUrl:
2310 description: ServerURL is the chef server URL used to connect
2311 to. If using orgs you should include your org in the url
2312 and terminate the url with a "/"
2313 type: string
2314 username:
2315 description: UserName should be the user ID on the chef server
2316 type: string
2317 required:
2318 - auth
2319 - serverUrl
2320 - username
2321 type: object
2322 conjur:
2323 description: Conjur configures this store to sync secrets using
2324 conjur provider
2325 properties:
2326 auth:
2327 properties:
2328 apikey:
2329 properties:
2330 account:
2331 type: string
2332 apiKeyRef:
2333 description: |-
2334 A reference to a specific 'key' within a Secret resource,
2335 In some instances, `key` is a required field.
2336 properties:
2337 key:
2338 description: |-
2339 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
2340 defaulted, in others it may be required.
2341 type: string
2342 name:
2343 description: The name of the Secret resource being
2344 referred to.
2345 type: string
2346 namespace:
2347 description: |-
2348 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
2349 to the namespace of the referent.
2350 type: string
2351 type: object
2352 userRef:
2353 description: |-
2354 A reference to a specific 'key' within a Secret resource,
2355 In some instances, `key` is a required field.
2356 properties:
2357 key:
2358 description: |-
2359 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
2360 defaulted, in others it may be required.
2361 type: string
2362 name:
2363 description: The name of the Secret resource being
2364 referred to.
2365 type: string
2366 namespace:
2367 description: |-
2368 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
2369 to the namespace of the referent.
2370 type: string
2371 type: object
2372 required:
2373 - account
2374 - apiKeyRef
2375 - userRef
2376 type: object
2377 jwt:
2378 properties:
2379 account:
2380 type: string
2381 hostId:
2382 description: |-
2383 Optional HostID for JWT authentication. This may be used depending
2384 on how the Conjur JWT authenticator policy is configured.
2385 type: string
2386 secretRef:
2387 description: |-
2388 Optional SecretRef that refers to a key in a Secret resource containing JWT token to
2389 authenticate with Conjur using the JWT authentication method.
2390 properties:
2391 key:
2392 description: |-
2393 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
2394 defaulted, in others it may be required.
2395 type: string
2396 name:
2397 description: The name of the Secret resource being
2398 referred to.
2399 type: string
2400 namespace:
2401 description: |-
2402 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
2403 to the namespace of the referent.
2404 type: string
2405 type: object
2406 serviceAccountRef:
2407 description: |-
2408 Optional ServiceAccountRef specifies the Kubernetes service account for which to request
2409 a token for with the `TokenRequest` API.
2410 properties:
2411 audiences:
2412 description: |-
2413 Audience specifies the `aud` claim for the service account token
2414 If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
2415 then these audiences will be appended to the list
2416 items:
2417 type: string
2418 type: array
2419 name:
2420 description: The name of the ServiceAccount resource
2421 being referred to.
2422 type: string
2423 namespace:
2424 description: |-
2425 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
2426 to the namespace of the referent.
2427 type: string
2428 required:
2429 - name
2430 type: object
2431 serviceID:
2432 description: The Conjur authn-jwt webservice ID
2433 type: string
2434 required:
2435 - account
2436 - serviceID
2437 type: object
2438 type: object
2439 caBundle:
2440 type: string
2441 caProvider:
2442 description: |-
2443 Used to provide custom certificate authority (CA) certificates
2444 for a secret store. The CAProvider points to a Secret or ConfigMap resource
2445 that contains a PEM-encoded certificate.
2446 properties:
2447 key:
2448 description: The key where the CA certificate can be found
2449 in the Secret or ConfigMap.
2450 type: string
2451 name:
2452 description: The name of the object located at the provider
2453 type.
2454 type: string
2455 namespace:
2456 description: |-
2457 The namespace the Provider type is in.
2458 Can only be defined when used in a ClusterSecretStore.
2459 type: string
2460 type:
2461 description: The type of provider to use such as "Secret",
2462 or "ConfigMap".
2463 enum:
2464 - Secret
2465 - ConfigMap
2466 type: string
2467 required:
2468 - name
2469 - type
2470 type: object
2471 url:
2472 type: string
2473 required:
2474 - auth
2475 - url
2476 type: object
2477 delinea:
2478 description: |-
2479 Delinea DevOps Secrets Vault
2480 https://docs.delinea.com/online-help/products/devops-secrets-vault/current
2481 properties:
2482 clientId:
2483 description: ClientID is the non-secret part of the credential.
2484 properties:
2485 secretRef:
2486 description: SecretRef references a key in a secret that
2487 will be used as value.
2488 properties:
2489 key:
2490 description: |-
2491 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
2492 defaulted, in others it may be required.
2493 type: string
2494 name:
2495 description: The name of the Secret resource being
2496 referred to.
2497 type: string
2498 namespace:
2499 description: |-
2500 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
2501 to the namespace of the referent.
2502 type: string
2503 type: object
2504 value:
2505 description: Value can be specified directly to set a
2506 value without using a secret.
2507 type: string
2508 type: object
2509 clientSecret:
2510 description: ClientSecret is the secret part of the credential.
2511 properties:
2512 secretRef:
2513 description: SecretRef references a key in a secret that
2514 will be used as value.
2515 properties:
2516 key:
2517 description: |-
2518 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
2519 defaulted, in others it may be required.
2520 type: string
2521 name:
2522 description: The name of the Secret resource being
2523 referred to.
2524 type: string
2525 namespace:
2526 description: |-
2527 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
2528 to the namespace of the referent.
2529 type: string
2530 type: object
2531 value:
2532 description: Value can be specified directly to set a
2533 value without using a secret.
2534 type: string
2535 type: object
2536 tenant:
2537 description: Tenant is the chosen hostname / site name.
2538 type: string
2539 tld:
2540 description: |-
2541 TLD is based on the server location that was chosen during provisioning.
2542 If unset, defaults to "com".
2543 type: string
2544 urlTemplate:
2545 description: |-
2546 URLTemplate
2547 If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s".
2548 type: string
2549 required:
2550 - clientId
2551 - clientSecret
2552 - tenant
2553 type: object
2554 doppler:
2555 description: Doppler configures this store to sync secrets using
2556 the Doppler provider
2557 properties:
2558 auth:
2559 description: Auth configures how the Operator authenticates
2560 with the Doppler API
2561 properties:
2562 secretRef:
2563 properties:
2564 dopplerToken:
2565 description: |-
2566 The DopplerToken is used for authentication.
2567 See https://docs.doppler.com/reference/api#authentication for auth token types.
2568 The Key attribute defaults to dopplerToken if not specified.
2569 properties:
2570 key:
2571 description: |-
2572 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
2573 defaulted, in others it may be required.
2574 type: string
2575 name:
2576 description: The name of the Secret resource being
2577 referred to.
2578 type: string
2579 namespace:
2580 description: |-
2581 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
2582 to the namespace of the referent.
2583 type: string
2584 type: object
2585 required:
2586 - dopplerToken
2587 type: object
2588 required:
2589 - secretRef
2590 type: object
2591 config:
2592 description: Doppler config (required if not using a Service
2593 Token)
2594 type: string
2595 format:
2596 description: Format enables the downloading of secrets as
2597 a file (string)
2598 enum:
2599 - json
2600 - dotnet-json
2601 - env
2602 - yaml
2603 - docker
2604 type: string
2605 nameTransformer:
2606 description: Environment variable compatible name transforms
2607 that change secret names to a different format
2608 enum:
2609 - upper-camel
2610 - camel
2611 - lower-snake
2612 - tf-var
2613 - dotnet-env
2614 - lower-kebab
2615 type: string
2616 project:
2617 description: Doppler project (required if not using a Service
2618 Token)
2619 type: string
2620 required:
2621 - auth
2622 type: object
2623 fake:
2624 description: Fake configures a store with static key/value pairs
2625 properties:
2626 data:
2627 items:
2628 properties:
2629 key:
2630 type: string
2631 value:
2632 type: string
2633 valueMap:
2634 additionalProperties:
2635 type: string
2636 description: 'Deprecated: ValueMap is deprecated and
2637 is intended to be removed in the future, use the `value`
2638 field instead.'
2639 type: object
2640 version:
2641 type: string
2642 required:
2643 - key
2644 type: object
2645 type: array
2646 required:
2647 - data
2648 type: object
2649 fortanix:
2650 description: Fortanix configures this store to sync secrets using
2651 the Fortanix provider
2652 properties:
2653 apiKey:
2654 description: APIKey is the API token to access SDKMS Applications.
2655 properties:
2656 secretRef:
2657 description: SecretRef is a reference to a secret containing
2658 the SDKMS API Key.
2659 properties:
2660 key:
2661 description: |-
2662 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
2663 defaulted, in others it may be required.
2664 type: string
2665 name:
2666 description: The name of the Secret resource being
2667 referred to.
2668 type: string
2669 namespace:
2670 description: |-
2671 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
2672 to the namespace of the referent.
2673 type: string
2674 type: object
2675 type: object
2676 apiUrl:
2677 description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`.
2678 type: string
2679 type: object
2680 gcpsm:
2681 description: GCPSM configures this store to sync secrets using
2682 Google Cloud Platform Secret Manager provider
2683 properties:
2684 auth:
2685 description: Auth defines the information necessary to authenticate
2686 against GCP
2687 properties:
2688 secretRef:
2689 properties:
2690 secretAccessKeySecretRef:
2691 description: The SecretAccessKey is used for authentication
2692 properties:
2693 key:
2694 description: |-
2695 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
2696 defaulted, in others it may be required.
2697 type: string
2698 name:
2699 description: The name of the Secret resource being
2700 referred to.
2701 type: string
2702 namespace:
2703 description: |-
2704 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
2705 to the namespace of the referent.
2706 type: string
2707 type: object
2708 type: object
2709 workloadIdentity:
2710 properties:
2711 clusterLocation:
2712 type: string
2713 clusterName:
2714 type: string
2715 clusterProjectID:
2716 type: string
2717 serviceAccountRef:
2718 description: A reference to a ServiceAccount resource.
2719 properties:
2720 audiences:
2721 description: |-
2722 Audience specifies the `aud` claim for the service account token
2723 If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
2724 then these audiences will be appended to the list
2725 items:
2726 type: string
2727 type: array
2728 name:
2729 description: The name of the ServiceAccount resource
2730 being referred to.
2731 type: string
2732 namespace:
2733 description: |-
2734 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
2735 to the namespace of the referent.
2736 type: string
2737 required:
2738 - name
2739 type: object
2740 required:
2741 - clusterLocation
2742 - clusterName
2743 - serviceAccountRef
2744 type: object
2745 type: object
2746 projectID:
2747 description: ProjectID is the project where the secret is located
2748 type: string
2749 type: object
2750 gitlab:
2751 description: GitLab configures this store to sync secrets using
2752 GitLab Variables provider
2753 properties:
2754 auth:
2755 description: Auth configures how secret-manager authenticates
2756 with a GitLab instance.
2757 properties:
2758 SecretRef:
2759 properties:
2760 accessToken:
2761 description: AccessToken is used for authentication.
2762 properties:
2763 key:
2764 description: |-
2765 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
2766 defaulted, in others it may be required.
2767 type: string
2768 name:
2769 description: The name of the Secret resource being
2770 referred to.
2771 type: string
2772 namespace:
2773 description: |-
2774 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
2775 to the namespace of the referent.
2776 type: string
2777 type: object
2778 type: object
2779 required:
2780 - SecretRef
2781 type: object
2782 environment:
2783 description: Environment is the environment_scope of GitLab CI/CD
2784 variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment
2785 on how to create environments)
2786 type: string
2787 groupIDs:
2788 description: GroupIDs specify which GitLab groups to pull
2789 secrets from. Group secrets are read from left to right
2790 followed by the project variables.
2791 items:
2792 type: string
2793 type: array
2794 inheritFromGroups:
2795 description: InheritFromGroups specifies whether parent groups
2796 should be discovered and checked for secrets.
2797 type: boolean
2798 projectID:
2799 description: ProjectID specifies a project where secrets are
2800 located.
2801 type: string
2802 url:
2803 description: URL configures the GitLab instance URL. Defaults
2804 to https://gitlab.com/.
2805 type: string
2806 required:
2807 - auth
2808 type: object
2809 ibm:
2810 description: IBM configures this store to sync secrets using IBM
2811 Cloud provider
2812 properties:
2813 auth:
2814 description: Auth configures how secret-manager authenticates
2815 with the IBM secrets manager.
2816 maxProperties: 1
2817 minProperties: 1
2818 properties:
2819 containerAuth:
2820 description: IBM Container-based auth with IAM Trusted
2821 Profile.
2822 properties:
2823 iamEndpoint:
2824 type: string
2825 profile:
2826 description: The IBM Trusted Profile
2827 type: string
2828 tokenLocation:
2829 description: Location where the token is mounted in the
2830 pod.
2831 type: string
2832 required:
2833 - profile
2834 type: object
2835 secretRef:
2836 properties:
2837 secretApiKeySecretRef:
2838 description: The SecretAccessKey is used for authentication
2839 properties:
2840 key:
2841 description: |-
2842 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
2843 defaulted, in others it may be required.
2844 type: string
2845 name:
2846 description: The name of the Secret resource being
2847 referred to.
2848 type: string
2849 namespace:
2850 description: |-
2851 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
2852 to the namespace of the referent.
2853 type: string
2854 type: object
2855 type: object
2856 type: object
2857 serviceUrl:
2858 description: ServiceURL is the Endpoint URL that is specific
2859 to the Secrets Manager service instance
2860 type: string
2861 required:
2862 - auth
2863 type: object
2864 keepersecurity:
2865 description: KeeperSecurity configures this store to sync secrets
2866 using the KeeperSecurity provider
2867 properties:
2868 authRef:
2869 description: |-
2870 A reference to a specific 'key' within a Secret resource,
2871 In some instances, `key` is a required field.
2872 properties:
2873 key:
2874 description: |-
2875 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
2876 defaulted, in others it may be required.
2877 type: string
2878 name:
2879 description: The name of the Secret resource being referred
2880 to.
2881 type: string
2882 namespace:
2883 description: |-
2884 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
2885 to the namespace of the referent.
2886 type: string
2887 type: object
2888 folderID:
2889 type: string
2890 required:
2891 - authRef
2892 - folderID
2893 type: object
2894 kubernetes:
2895 description: Kubernetes configures this store to sync secrets
2896 using a Kubernetes cluster provider
2897 properties:
2898 auth:
2899 description: Auth configures how secret-manager authenticates
2900 with a Kubernetes instance.
2901 maxProperties: 1
2902 minProperties: 1
2903 properties:
2904 cert:
2905 description: Has both clientCert and clientKey as secretKeySelector references.
2906 properties:
2907 clientCert:
2908 description: |-
2909 A reference to a specific 'key' within a Secret resource,
2910 In some instances, `key` is a required field.
2911 properties:
2912 key:
2913 description: |-
2914 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
2915 defaulted, in others it may be required.
2916 type: string
2917 name:
2918 description: The name of the Secret resource being
2919 referred to.
2920 type: string
2921 namespace:
2922 description: |-
2923 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
2924 to the namespace of the referent.
2925 type: string
2926 type: object
2927 clientKey:
2928 description: |-
2929 A reference to a specific 'key' within a Secret resource,
2930 In some instances, `key` is a required field.
2931 properties:
2932 key:
2933 description: |-
2934 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
2935 defaulted, in others it may be required.
2936 type: string
2937 name:
2938 description: The name of the Secret resource being
2939 referred to.
2940 type: string
2941 namespace:
2942 description: |-
2943 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
2944 to the namespace of the referent.
2945 type: string
2946 type: object
2947 type: object
2948 serviceAccount:
2949 description: Points to a service account that should be
2950 used for authentication
2951 properties:
2952 audiences:
2953 description: |-
2954 Audience specifies the `aud` claim for the service account token
2955 If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
2956 then these audiences will be appended to the list
2957 items:
2958 type: string
2959 type: array
2960 name:
2961 description: The name of the ServiceAccount resource
2962 being referred to.
2963 type: string
2964 namespace:
2965 description: |-
2966 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
2967 to the namespace of the referent.
2968 type: string
2969 required:
2970 - name
2971 type: object
2972 token:
2973 description: Use a static token to authenticate with.
2974 properties:
2975 bearerToken:
2976 description: |-
2977 A reference to a specific 'key' within a Secret resource,
2978 In some instances, `key` is a required field.
2979 properties:
2980 key:
2981 description: |-
2982 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
2983 defaulted, in others it may be required.
2984 type: string
2985 name:
2986 description: The name of the Secret resource being
2987 referred to.
2988 type: string
2989 namespace:
2990 description: |-
2991 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
2992 to the namespace of the referent.
2993 type: string
2994 type: object
2995 type: object
2996 type: object
2997 remoteNamespace:
2998 default: default
2999 description: Remote namespace to fetch the secrets from
3000 type: string
3001 server:
3002 description: Configures the Kubernetes server address.
3003 properties:
3004 caBundle:
3005 description: CABundle is a base64-encoded CA certificate
3006 format: byte
3007 type: string
3008 caProvider:
3009 description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
3010 properties:
3011 key:
3012 description: The key where the CA certificate can
3013 be found in the Secret or ConfigMap.
3014 type: string
3015 name:
3016 description: The name of the object located at the
3017 provider type.
3018 type: string
3019 namespace:
3020 description: |-
3021 The namespace the Provider type is in.
3022 Can only be defined when used in a ClusterSecretStore.
3023 type: string
3024 type:
3025 description: The type of provider to use such as "Secret",
3026 or "ConfigMap".
3027 enum:
3028 - Secret
3029 - ConfigMap
3030 type: string
3031 required:
3032 - name
3033 - type
3034 type: object
3035 url:
3036 default: kubernetes.default
3037 description: configures the Kubernetes server Address.
3038 type: string
3039 type: object
3040 required:
3041 - auth
3042 type: object
3043 onboardbase:
3044 description: Onboardbase configures this store to sync secrets
3045 using the Onboardbase provider
3046 properties:
3047 apiHost:
3048 default: https://public.onboardbase.com/api/v1/
3049 description: APIHost use this to configure the host url for
3050 the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/
3051 type: string
3052 auth:
3053 description: Auth configures how the Operator authenticates
3054 with the Onboardbase API
3055 properties:
3056 apiKeyRef:
3057 description: |-
3058 OnboardbaseAPIKey is the APIKey generated by an admin account.
3059 It is used to recognize and authorize access to a project and environment within onboardbase
3060 properties:
3061 key:
3062 description: |-
3063 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
3064 defaulted, in others it may be required.
3065 type: string
3066 name:
3067 description: The name of the Secret resource being
3068 referred to.
3069 type: string
3070 namespace:
3071 description: |-
3072 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
3073 to the namespace of the referent.
3074 type: string
3075 type: object
3076 passcodeRef:
3077 description: OnboardbasePasscode is the passcode attached
3078 to the API Key
3079 properties:
3080 key:
3081 description: |-
3082 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
3083 defaulted, in others it may be required.
3084 type: string
3085 name:
3086 description: The name of the Secret resource being
3087 referred to.
3088 type: string
3089 namespace:
3090 description: |-
3091 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
3092 to the namespace of the referent.
3093 type: string
3094 type: object
3095 required:
3096 - apiKeyRef
3097 - passcodeRef
3098 type: object
3099 environment:
3100 default: development
3101 description: Environment is the name of an environment within
3102 a project to pull the secrets from
3103 type: string
3104 project:
3105 default: development
3106 description: Project is an onboardbase project that the secrets
3107 should be pulled from
3108 type: string
3109 required:
3110 - apiHost
3111 - auth
3112 - environment
3113 - project
3114 type: object
3115 onepassword:
3116 description: OnePassword configures this store to sync secrets
3117 using the 1Password Cloud provider
3118 properties:
3119 auth:
3120 description: Auth defines the information necessary to authenticate
3121 against OnePassword Connect Server
3122 properties:
3123 secretRef:
3124 description: OnePasswordAuthSecretRef holds secret references
3125 for 1Password credentials.
3126 properties:
3127 connectTokenSecretRef:
3128 description: The ConnectToken is used for authentication
3129 to a 1Password Connect Server.
3130 properties:
3131 key:
3132 description: |-
3133 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
3134 defaulted, in others it may be required.
3135 type: string
3136 name:
3137 description: The name of the Secret resource being
3138 referred to.
3139 type: string
3140 namespace:
3141 description: |-
3142 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
3143 to the namespace of the referent.
3144 type: string
3145 type: object
3146 required:
3147 - connectTokenSecretRef
3148 type: object
3149 required:
3150 - secretRef
3151 type: object
3152 connectHost:
3153 description: ConnectHost defines the OnePassword Connect Server
3154 to connect to
3155 type: string
3156 vaults:
3157 additionalProperties:
3158 type: integer
3159 description: Vaults defines which OnePassword vaults to search
3160 in which order
3161 type: object
3162 required:
3163 - auth
3164 - connectHost
3165 - vaults
3166 type: object
3167 oracle:
3168 description: Oracle configures this store to sync secrets using
3169 Oracle Vault provider
3170 properties:
3171 auth:
3172 description: |-
3173 Auth configures how secret-manager authenticates with the Oracle Vault.
3174 If empty, use the instance principal, otherwise the user credentials specified in Auth.
3175 properties:
3176 secretRef:
3177 description: SecretRef to pass through sensitive information.
3178 properties:
3179 fingerprint:
3180 description: Fingerprint is the fingerprint of the
3181 API private key.
3182 properties:
3183 key:
3184 description: |-
3185 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
3186 defaulted, in others it may be required.
3187 type: string
3188 name:
3189 description: The name of the Secret resource being
3190 referred to.
3191 type: string
3192 namespace:
3193 description: |-
3194 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
3195 to the namespace of the referent.
3196 type: string
3197 type: object
3198 privatekey:
3199 description: PrivateKey is the user's API Signing
3200 Key in PEM format, used for authentication.
3201 properties:
3202 key:
3203 description: |-
3204 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
3205 defaulted, in others it may be required.
3206 type: string
3207 name:
3208 description: The name of the Secret resource being
3209 referred to.
3210 type: string
3211 namespace:
3212 description: |-
3213 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
3214 to the namespace of the referent.
3215 type: string
3216 type: object
3217 required:
3218 - fingerprint
3219 - privatekey
3220 type: object
3221 tenancy:
3222 description: Tenancy is the tenancy OCID where user is
3223 located.
3224 type: string
3225 user:
3226 description: User is an access OCID specific to the account.
3227 type: string
3228 required:
3229 - secretRef
3230 - tenancy
3231 - user
3232 type: object
3233 compartment:
3234 description: |-
3235 Compartment is the vault compartment OCID.
3236 Required for PushSecret
3237 type: string
3238 encryptionKey:
3239 description: |-
3240 EncryptionKey is the OCID of the encryption key within the vault.
3241 Required for PushSecret
3242 type: string
3243 principalType:
3244 description: |-
3245 The type of principal to use for authentication. If left blank, the Auth struct will
3246 determine the principal type. This optional field must be specified if using
3247 workload identity.
3248 enum:
3249 - ""
3250 - UserPrincipal
3251 - InstancePrincipal
3252 - Workload
3253 type: string
3254 region:
3255 description: Region is the region where vault is located.
3256 type: string
3257 serviceAccountRef:
3258 description: |-
3259 ServiceAccountRef specified the service account
3260 that should be used when authenticating with WorkloadIdentity.
3261 properties:
3262 audiences:
3263 description: |-
3264 Audience specifies the `aud` claim for the service account token
3265 If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
3266 then these audiences will be appended to the list
3267 items:
3268 type: string
3269 type: array
3270 name:
3271 description: The name of the ServiceAccount resource being
3272 referred to.
3273 type: string
3274 namespace:
3275 description: |-
3276 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
3277 to the namespace of the referent.
3278 type: string
3279 required:
3280 - name
3281 type: object
3282 vault:
3283 description: Vault is the OCID of the specific vault where
3284 the secret is located.
3285 type: string
3286 required:
3287 - region
3288 - vault
3289 type: object
3290 passbolt:
3291 properties:
3292 auth:
3293 description: Auth defines the information necessary to authenticate
3294 against Passbolt Server
3295 properties:
3296 passwordSecretRef:
3297 description: |-
3298 A reference to a specific 'key' within a Secret resource,
3299 In some instances, `key` is a required field.
3300 properties:
3301 key:
3302 description: |-
3303 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
3304 defaulted, in others it may be required.
3305 type: string
3306 name:
3307 description: The name of the Secret resource being
3308 referred to.
3309 type: string
3310 namespace:
3311 description: |-
3312 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
3313 to the namespace of the referent.
3314 type: string
3315 type: object
3316 privateKeySecretRef:
3317 description: |-
3318 A reference to a specific 'key' within a Secret resource,
3319 In some instances, `key` is a required field.
3320 properties:
3321 key:
3322 description: |-
3323 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
3324 defaulted, in others it may be required.
3325 type: string
3326 name:
3327 description: The name of the Secret resource being
3328 referred to.
3329 type: string
3330 namespace:
3331 description: |-
3332 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
3333 to the namespace of the referent.
3334 type: string
3335 type: object
3336 required:
3337 - passwordSecretRef
3338 - privateKeySecretRef
3339 type: object
3340 host:
3341 description: Host defines the Passbolt Server to connect to
3342 type: string
3343 required:
3344 - auth
3345 - host
3346 type: object
3347 passworddepot:
3348 description: Configures a store to sync secrets with a Password
3349 Depot instance.
3350 properties:
3351 auth:
3352 description: Auth configures how secret-manager authenticates
3353 with a Password Depot instance.
3354 properties:
3355 secretRef:
3356 properties:
3357 credentials:
3358 description: Username / Password is used for authentication.
3359 properties:
3360 key:
3361 description: |-
3362 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
3363 defaulted, in others it may be required.
3364 type: string
3365 name:
3366 description: The name of the Secret resource being
3367 referred to.
3368 type: string
3369 namespace:
3370 description: |-
3371 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
3372 to the namespace of the referent.
3373 type: string
3374 type: object
3375 type: object
3376 required:
3377 - secretRef
3378 type: object
3379 database:
3380 description: Database to use as source
3381 type: string
3382 host:
3383 description: Host configures the Password Depot instance URL.
3384 type: string
3385 required:
3386 - auth
3387 - database
3388 - host
3389 type: object
3390 pulumi:
3391 description: Pulumi configures this store to sync secrets using
3392 the Pulumi provider
3393 properties:
3394 accessToken:
3395 description: AccessToken is the access token used to sign in to
3396 the Pulumi Cloud Console.
3397 properties:
3398 secretRef:
3399 description: SecretRef is a reference to a secret containing
3400 the Pulumi API token.
3401 properties:
3402 key:
3403 description: |-
3404 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
3405 defaulted, in others it may be required.
3406 type: string
3407 name:
3408 description: The name of the Secret resource being
3409 referred to.
3410 type: string
3411 namespace:
3412 description: |-
3413 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
3414 to the namespace of the referent.
3415 type: string
3416 type: object
3417 type: object
3418 apiUrl:
3419 default: https://api.pulumi.com
3420 description: APIURL is the URL of the Pulumi API.
3421 type: string
3422 environment:
3423 description: |-
3424 Environment is a YAML document composed of static key-value pairs, programmatic expressions,
3425 dynamically retrieved values from supported providers including all major clouds,
3426 and other Pulumi ESC environments.
3427 To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information.
3428 type: string
3429 organization:
3430 description: |-
3431 Organization is a space to collaborate on shared projects and stacks.
3432 To create a new organization, visit https://app.pulumi.com/ and click "New Organization".
3433 type: string
3434 required:
3435 - accessToken
3436 - environment
3437 - organization
3438 type: object
3439 scaleway:
3440 description: Scaleway
3441 properties:
3442 accessKey:
3443 description: AccessKey is the non-secret part of the api key.
3444 properties:
3445 secretRef:
3446 description: SecretRef references a key in a secret that
3447 will be used as value.
3448 properties:
3449 key:
3450 description: |-
3451 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
3452 defaulted, in others it may be required.
3453 type: string
3454 name:
3455 description: The name of the Secret resource being
3456 referred to.
3457 type: string
3458 namespace:
3459 description: |-
3460 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
3461 to the namespace of the referent.
3462 type: string
3463 type: object
3464 value:
3465 description: Value can be specified directly to set a
3466 value without using a secret.
3467 type: string
3468 type: object
3469 apiUrl:
3470 description: APIURL is the url of the api to use. Defaults
3471 to https://api.scaleway.com
3472 type: string
3473 projectId:
3474 description: 'ProjectID is the id of your project, which you
3475 can find in the console: https://console.scaleway.com/project/settings'
3476 type: string
3477 region:
3478 description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone'
3479 type: string
3480 secretKey:
3481 description: SecretKey is the secret part of the api key.
3482 properties:
3483 secretRef:
3484 description: SecretRef references a key in a secret that
3485 will be used as value.
3486 properties:
3487 key:
3488 description: |-
3489 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
3490 defaulted, in others it may be required.
3491 type: string
3492 name:
3493 description: The name of the Secret resource being
3494 referred to.
3495 type: string
3496 namespace:
3497 description: |-
3498 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
3499 to the namespace of the referent.
3500 type: string
3501 type: object
3502 value:
3503 description: Value can be specified directly to set a value without using a secret. Avoid this for the
3504 secret key, since the value is then stored in plaintext in the store spec; prefer secretRef.
3505 type: string
3506 type: object
3507 required:
3508 - accessKey
3509 - projectId
3510 - region
3511 - secretKey
3512 type: object
3513 senhasegura:
3514 description: Senhasegura configures this store to sync secrets
3515 using senhasegura provider
3516 properties:
3517 auth:
3518 description: Auth defines parameters to authenticate in senhasegura
3519 properties:
3520 clientId:
3521 type: string
3522 clientSecretSecretRef:
3523 description: |-
3524 A reference to a specific 'key' within a Secret resource,
3525 In some instances, `key` is a required field.
3526 properties:
3527 key:
3528 description: |-
3529 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
3530 defaulted, in others it may be required.
3531 type: string
3532 name:
3533 description: The name of the Secret resource being
3534 referred to.
3535 type: string
3536 namespace:
3537 description: |-
3538 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
3539 to the namespace of the referent.
3540 type: string
3541 type: object
3542 required:
3543 - clientId
3544 - clientSecretSecretRef
3545 type: object
3546 ignoreSslCertificate:
3547 default: false
3548 description: IgnoreSslCertificate defines whether TLS certificate verification is skipped.
3549 Enabling it exposes the connection to man-in-the-middle attacks; keep it false outside of testing.
3550 type: boolean
3551 module:
3552 description: Module defines which senhasegura module should
3553 be used to get secrets
3554 type: string
3555 url:
3556 description: URL of senhasegura
3557 type: string
3558 required:
3559 - auth
3560 - module
3561 - url
3562 type: object
3563 vault:
3564 description: Vault configures this store to sync secrets using
3565 Hashi provider
3566 properties:
3567 auth:
3568 description: Auth configures how secret-manager authenticates
3569 with the Vault server.
3570 properties:
3571 appRole:
3572 description: |-
3573 AppRole authenticates with Vault using the App Role auth mechanism,
3574 with the role and secret stored in a Kubernetes Secret resource.
3575 properties:
3576 path:
3577 default: approle
3578 description: |-
3579 Path where the App Role authentication backend is mounted
3580 in Vault, e.g: "approle"
3581 type: string
3582 roleId:
3583 description: |-
3584 RoleID configured in the App Role authentication backend when setting
3585 up the authentication backend in Vault.
3586 type: string
3587 roleRef:
3588 description: |-
3589 Reference to a key in a Secret that contains the App Role ID used
3590 to authenticate with Vault.
3591 The `key` field must be specified and denotes which entry within the Secret
3592 resource is used as the app role id.
3593 properties:
3594 key:
3595 description: |-
3596 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
3597 defaulted, in others it may be required.
3598 type: string
3599 name:
3600 description: The name of the Secret resource being
3601 referred to.
3602 type: string
3603 namespace:
3604 description: |-
3605 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
3606 to the namespace of the referent.
3607 type: string
3608 type: object
3609 secretRef:
3610 description: |-
3611 Reference to a key in a Secret that contains the App Role secret used
3612 to authenticate with Vault.
3613 The `key` field must be specified and denotes which entry within the Secret
3614 resource is used as the app role secret.
3615 properties:
3616 key:
3617 description: |-
3618 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
3619 defaulted, in others it may be required.
3620 type: string
3621 name:
3622 description: The name of the Secret resource being
3623 referred to.
3624 type: string
3625 namespace:
3626 description: |-
3627 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
3628 to the namespace of the referent.
3629 type: string
3630 type: object
3631 required:
3632 - path
3633 - secretRef
3634 type: object
3635 cert:
3636 description: |-
3637 Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
3638 Cert authentication method
3639 properties:
3640 clientCert:
3641 description: |-
3642 ClientCert is a certificate to authenticate using the Cert Vault
3643 authentication method
3644 properties:
3645 key:
3646 description: |-
3647 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
3648 defaulted, in others it may be required.
3649 type: string
3650 name:
3651 description: The name of the Secret resource being
3652 referred to.
3653 type: string
3654 namespace:
3655 description: |-
3656 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
3657 to the namespace of the referent.
3658 type: string
3659 type: object
3660 secretRef:
3661 description: |-
3662 SecretRef to a key in a Secret resource containing client private key to
3663 authenticate with Vault using the Cert authentication method
3664 properties:
3665 key:
3666 description: |-
3667 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
3668 defaulted, in others it may be required.
3669 type: string
3670 name:
3671 description: The name of the Secret resource being
3672 referred to.
3673 type: string
3674 namespace:
3675 description: |-
3676 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
3677 to the namespace of the referent.
3678 type: string
3679 type: object
3680 type: object
3681 iam:
3682 description: |-
3683 Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials
3684 AWS IAM authentication method
3685 properties:
3686 externalID:
3687 description: AWS External ID set on assumed IAM roles
3688 type: string
3689 jwt:
3690 description: Specify a service account with IRSA enabled
3691 properties:
3692 serviceAccountRef:
3693 description: A reference to a ServiceAccount resource.
3694 properties:
3695 audiences:
3696 description: |-
3697 Audience specifies the `aud` claim for the service account token
3698 If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
3699 then these audiences will be appended to the list
3700 items:
3701 type: string
3702 type: array
3703 name:
3704 description: The name of the ServiceAccount
3705 resource being referred to.
3706 type: string
3707 namespace:
3708 description: |-
3709 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
3710 to the namespace of the referent.
3711 type: string
3712 required:
3713 - name
3714 type: object
3715 type: object
3716 path:
3717 description: 'Path where the AWS auth method is enabled
3718 in Vault, e.g: "aws"'
3719 type: string
3720 region:
3721 description: AWS region
3722 type: string
3723 role:
3724 description: This is the AWS role to be assumed before
3725 talking to vault
3726 type: string
3727 secretRef:
3728 description: Specify credentials in a Secret object
3729 properties:
3730 accessKeyIDSecretRef:
3731 description: The AccessKeyID is used for authentication
3732 properties:
3733 key:
3734 description: |-
3735 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
3736 defaulted, in others it may be required.
3737 type: string
3738 name:
3739 description: The name of the Secret resource
3740 being referred to.
3741 type: string
3742 namespace:
3743 description: |-
3744 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
3745 to the namespace of the referent.
3746 type: string
3747 type: object
3748 secretAccessKeySecretRef:
3749 description: The SecretAccessKey is used for authentication
3750 properties:
3751 key:
3752 description: |-
3753 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
3754 defaulted, in others it may be required.
3755 type: string
3756 name:
3757 description: The name of the Secret resource
3758 being referred to.
3759 type: string
3760 namespace:
3761 description: |-
3762 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
3763 to the namespace of the referent.
3764 type: string
3765 type: object
3766 sessionTokenSecretRef:
3767 description: |-
3768 The SessionToken used for authentication
3769 This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
3770 see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
3771 properties:
3772 key:
3773 description: |-
3774 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
3775 defaulted, in others it may be required.
3776 type: string
3777 name:
3778 description: The name of the Secret resource
3779 being referred to.
3780 type: string
3781 namespace:
3782 description: |-
3783 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
3784 to the namespace of the referent.
3785 type: string
3786 type: object
3787 type: object
3788 vaultAwsIamServerID:
3789 description: 'X-Vault-AWS-IAM-Server-ID is an additional
3790 header used by Vault IAM auth method to mitigate
3791 against different types of replay attacks. More
3792 details here: https://developer.hashicorp.com/vault/docs/auth/aws'
3793 type: string
3794 vaultRole:
3795 description: Vault Role. In vault, a role describes
3796 an identity with a set of permissions, groups, or
3797 policies you want to attach to a user of the secrets
3798 engine
3799 type: string
3800 required:
3801 - vaultRole
3802 type: object
3803 jwt:
3804 description: |-
3805 Jwt authenticates with Vault by passing role and JWT token using the
3806 JWT/OIDC authentication method
3807 properties:
3808 kubernetesServiceAccountToken:
3809 description: |-
3810 Optional ServiceAccountToken specifies the Kubernetes service account for which to request
3811 a token for with the `TokenRequest` API.
3812 properties:
3813 audiences:
3814 description: |-
3815 Optional audiences field that will be used to request a temporary Kubernetes service
3816 account token for the service account referenced by `serviceAccountRef`.
3817 Defaults to a single audience `vault` if not specified.
3818 Deprecated: use serviceAccountRef.Audiences instead
3819 items:
3820 type: string
3821 type: array
3822 expirationSeconds:
3823 description: |-
3824 Optional expiration time in seconds that will be used to request a temporary
3825 Kubernetes service account token for the service account referenced by
3826 `serviceAccountRef`.
3827 Deprecated: this will be removed in the future.
3828 Defaults to 10 minutes.
3829 format: int64
3830 type: integer
3831 serviceAccountRef:
3832 description: Service account field containing
3833 the name of a kubernetes ServiceAccount.
3834 properties:
3835 audiences:
3836 description: |-
3837 Audience specifies the `aud` claim for the service account token
3838 If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
3839 then these audiences will be appended to the list
3840 items:
3841 type: string
3842 type: array
3843 name:
3844 description: The name of the ServiceAccount
3845 resource being referred to.
3846 type: string
3847 namespace:
3848 description: |-
3849 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
3850 to the namespace of the referent.
3851 type: string
3852 required:
3853 - name
3854 type: object
3855 required:
3856 - serviceAccountRef
3857 type: object
3858 path:
3859 default: jwt
3860 description: |-
3861 Path where the JWT authentication backend is mounted
3862 in Vault, e.g: "jwt"
3863 type: string
3864 role:
3865 description: |-
3866 Role is a JWT role to authenticate using the JWT/OIDC Vault
3867 authentication method
3868 type: string
3869 secretRef:
3870 description: |-
3871 Optional SecretRef that refers to a key in a Secret resource containing JWT token to
3872 authenticate with Vault using the JWT/OIDC authentication method.
3873 properties:
3874 key:
3875 description: |-
3876 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
3877 defaulted, in others it may be required.
3878 type: string
3879 name:
3880 description: The name of the Secret resource being
3881 referred to.
3882 type: string
3883 namespace:
3884 description: |-
3885 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
3886 to the namespace of the referent.
3887 type: string
3888 type: object
3889 required:
3890 - path
3891 type: object
3892 kubernetes:
3893 description: |-
3894 Kubernetes authenticates with Vault by passing the ServiceAccount
3895 token stored in the named Secret resource to the Vault server.
3896 properties:
3897 mountPath:
3898 default: kubernetes
3899 description: |-
3900 Path where the Kubernetes authentication backend is mounted in Vault, e.g:
3901 "kubernetes"
3902 type: string
3903 role:
3904 description: |-
3905 A required field containing the Vault Role to assume. A Role binds a
3906 Kubernetes ServiceAccount with a set of Vault policies.
3907 type: string
3908 secretRef:
3909 description: |-
3910 Optional secret field containing a Kubernetes ServiceAccount JWT used
3911 for authenticating with Vault. If a name is specified without a key,
3912 `token` is the default. If one is not specified, the one bound to
3913 the controller will be used.
3914 properties:
3915 key:
3916 description: |-
3917 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
3918 defaulted, in others it may be required.
3919 type: string
3920 name:
3921 description: The name of the Secret resource being
3922 referred to.
3923 type: string
3924 namespace:
3925 description: |-
3926 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
3927 to the namespace of the referent.
3928 type: string
3929 type: object
3930 serviceAccountRef:
3931 description: |-
3932 Optional service account field containing the name of a kubernetes ServiceAccount.
3933 If the service account is specified, the service account secret token JWT will be used
3934 for authenticating with Vault. If the service account selector is not supplied,
3935 the secretRef will be used instead.
3936 properties:
3937 audiences:
3938 description: |-
3939 Audience specifies the `aud` claim for the service account token
3940 If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
3941 then these audiences will be appended to the list
3942 items:
3943 type: string
3944 type: array
3945 name:
3946 description: The name of the ServiceAccount resource
3947 being referred to.
3948 type: string
3949 namespace:
3950 description: |-
3951 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
3952 to the namespace of the referent.
3953 type: string
3954 required:
3955 - name
3956 type: object
3957 required:
3958 - mountPath
3959 - role
3960 type: object
3961 ldap:
3962 description: |-
3963 Ldap authenticates with Vault by passing username/password pair using
3964 the LDAP authentication method
3965 properties:
3966 path:
3967 default: ldap
3968 description: |-
3969 Path where the LDAP authentication backend is mounted
3970 in Vault, e.g: "ldap"
3971 type: string
3972 secretRef:
3973 description: |-
3974 SecretRef to a key in a Secret resource containing password for the LDAP
3975 user used to authenticate with Vault using the LDAP authentication
3976 method
3977 properties:
3978 key:
3979 description: |-
3980 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
3981 defaulted, in others it may be required.
3982 type: string
3983 name:
3984 description: The name of the Secret resource being
3985 referred to.
3986 type: string
3987 namespace:
3988 description: |-
3989 Namespace of the resource being referred to. Ignored if the referent is not cluster-scoped; otherwise it defaults
3990 to the namespace of the referent.
3991 type: string
3992 type: object
3993 username:
3994 description: |-
3995 Username is a LDAP user name used to authenticate using the LDAP Vault
3996 authentication method
3997 type: string
3998 required:
3999 - path
4000 - username
4001 type: object
4002 namespace:
4003 description: |-
4004 Name of the Vault namespace to authenticate to. This can be different from the namespace your secret is in.
4005 Namespaces are a set of features within Vault Enterprise that allow
4006 Vault environments to support Secure Multi-tenancy, e.g: "ns1".
4007 More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
4008 This defaults to the Vault.Namespace field if set, or is empty otherwise.
4009 type: string
4010 tokenSecretRef:
4011 description: TokenSecretRef authenticates with Vault by
4012 presenting a token.
4013 properties:
4014 key:
4015 description: |-
4016 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
4017 defaulted, in others it may be required.
4018 type: string
4019 name:
4020 description: The name of the Secret resource being
4021 referred to.
4022 type: string
4023 namespace:
4024 description: |-
4025 Namespace of the resource being referred to. Ignored if the referent is not cluster-scoped; otherwise it defaults
4026 to the namespace of the referent.
4027 type: string
4028 type: object
4029 userPass:
4030 description: UserPass authenticates with Vault by passing a
4031 username/password pair
4032 properties:
4033 path:
4034 default: user
4035 description: |-
4036 Path where the UserPassword authentication backend is mounted
4037 in Vault, e.g: "user"
4038 type: string
4039 secretRef:
4040 description: |-
4041 SecretRef to a key in a Secret resource containing password for the
4042 user used to authenticate with Vault using the UserPass authentication
4043 method
4044 properties:
4045 key:
4046 description: |-
4047 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
4048 defaulted, in others it may be required.
4049 type: string
4050 name:
4051 description: The name of the Secret resource being
4052 referred to.
4053 type: string
4054 namespace:
4055 description: |-
4056 Namespace of the resource being referred to. Ignored if the referent is not cluster-scoped; otherwise it defaults
4057 to the namespace of the referent.
4058 type: string
4059 type: object
4060 username:
4061 description: |-
4062 Username is a user name used to authenticate using the UserPass Vault
4063 authentication method
4064 type: string
4065 required:
4066 - path
4067 - username
4068 type: object
4069 type: object
4070 caBundle:
4071 description: |-
4072 PEM encoded CA bundle used to validate Vault server certificate. Only used
4073 if the Server URL is using HTTPS protocol. This parameter is ignored for
4074 plain HTTP protocol connection. If not set the system root certificates
4075 are used to validate the TLS connection.
4076 format: byte
4077 type: string
4078 caProvider:
4079 description: The provider for the CA bundle to use to validate
4080 Vault server certificate.
4081 properties:
4082 key:
4083 description: The key where the CA certificate can be found
4084 in the Secret or ConfigMap.
4085 type: string
4086 name:
4087 description: The name of the object located at the provider
4088 type.
4089 type: string
4090 namespace:
4091 description: |-
4092 The namespace the Provider type is in.
4093 Can only be defined when used in a ClusterSecretStore.
4094 type: string
4095 type:
4096 description: The type of provider to use such as "Secret",
4097 or "ConfigMap".
4098 enum:
4099 - Secret
4100 - ConfigMap
4101 type: string
4102 required:
4103 - name
4104 - type
4105 type: object
4106 forwardInconsistent:
4107 description: |-
4108 ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
4109 leader instead of simply retrying within a loop. This can increase performance if
4110 the option is enabled server-side.
4111 https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
4112 type: boolean
4113 namespace:
4114 description: |-
4115 Name of the Vault namespace. Namespaces are a set of features within Vault Enterprise that allow
4116 Vault environments to support Secure Multi-tenancy, e.g: "ns1".
4117 More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
4118 type: string
4119 path:
4120 description: |-
4121 Path is the mount path of the Vault KV backend endpoint, e.g:
4122 "secret". The v2 KV secret engine version specific "/data" path suffix
4123 for fetching secrets from Vault is optional and will be appended
4124 if not present in specified path.
4125 type: string
4126 readYourWrites:
4127 description: |-
4128 ReadYourWrites ensures isolated read-after-write semantics by
4129 providing discovered cluster replication states in each request.
4130 More information about eventual consistency in Vault can be found here
4131 https://www.vaultproject.io/docs/enterprise/consistency
4132 type: boolean
4133 server:
4134 description: 'Server is the connection address for the Vault
4135 server, e.g: "https://vault.example.com:8200".'
4136 type: string
4137 tls:
4138 description: |-
4139 The configuration used for client-side TLS communication, when the Vault server
4140 requires mutual authentication. Only used if the Server URL is using the HTTPS protocol.
4141 This parameter is ignored for plain HTTP protocol connections.
4142 It's worth noting this configuration is different from the "TLS certificates auth method",
4143 which is available under the `auth.cert` section.
4144 properties:
4145 certSecretRef:
4146 description: |-
4147 CertSecretRef is a certificate added to the transport layer
4148 when communicating with the Vault server.
4149 If no key for the Secret is specified, external-secrets will default to 'tls.crt'.
4150 properties:
4151 key:
4152 description: |-
4153 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
4154 defaulted, in others it may be required.
4155 type: string
4156 name:
4157 description: The name of the Secret resource being
4158 referred to.
4159 type: string
4160 namespace:
4161 description: |-
4162 Namespace of the resource being referred to. Ignored if the referent is not cluster-scoped; otherwise it defaults
4163 to the namespace of the referent.
4164 type: string
4165 type: object
4166 keySecretRef:
4167 description: |-
4168 KeySecretRef to a key in a Secret resource containing client private key
4169 added to the transport layer when communicating with the Vault server.
4170 If no key for the Secret is specified, external-secrets will default to 'tls.key'.
4171 properties:
4172 key:
4173 description: |-
4174 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
4175 defaulted, in others it may be required.
4176 type: string
4177 name:
4178 description: The name of the Secret resource being
4179 referred to.
4180 type: string
4181 namespace:
4182 description: |-
4183 Namespace of the resource being referred to. Ignored if the referent is not cluster-scoped; otherwise it defaults
4184 to the namespace of the referent.
4185 type: string
4186 type: object
4187 type: object
4188 version:
4189 default: v2
4190 description: |-
4191 Version is the Vault KV secret engine version. This can be either "v1" or
4192 "v2". Version defaults to "v2".
4193 enum:
4194 - v1
4195 - v2
4196 type: string
4197 required:
4198 - auth
4199 - server
4200 type: object
4201 webhook:
4202 description: Webhook configures this store to sync secrets using
4203 a generic templated webhook
4204 properties:
4205 body:
4206 description: Body
4207 type: string
4208 caBundle:
4209 description: |-
4210 PEM encoded CA bundle used to validate webhook server certificate. Only used
4211 if the Server URL is using HTTPS protocol. This parameter is ignored for
4212 plain HTTP protocol connection. If not set the system root certificates
4213 are used to validate the TLS connection.
4214 format: byte
4215 type: string
4216 caProvider:
4217 description: The provider for the CA bundle to use to validate
4218 webhook server certificate.
4219 properties:
4220 key:
4221 description: The key the value inside of the provider
4222 type to use, only used with "Secret" type
4223 type: string
4224 name:
4225 description: The name of the object located at the provider
4226 type.
4227 type: string
4228 namespace:
4229 description: The namespace the Provider type is in.
4230 type: string
4231 type:
4232 description: The type of provider to use such as "Secret",
4233 or "ConfigMap".
4234 enum:
4235 - Secret
4236 - ConfigMap
4237 type: string
4238 required:
4239 - name
4240 - type
4241 type: object
4242 headers:
4243 additionalProperties:
4244 type: string
4245 description: Headers
4246 type: object
4247 method:
4248 description: Webhook Method
4249 type: string
4250 result:
4251 description: Result formatting
4252 properties:
4253 jsonPath:
4254 description: Json path of return value
4255 type: string
4256 type: object
4257 secrets:
4258 description: |-
4259 Secrets to fill in templates
4260 These secrets will be passed to the templating function as key value pairs under the given name
4261 items:
4262 properties:
4263 name:
4264 description: Name of this secret in templates
4265 type: string
4266 secretRef:
4267 description: Secret ref to fill in credentials
4268 properties:
4269 key:
4270 description: |-
4271 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
4272 defaulted, in others it may be required.
4273 type: string
4274 name:
4275 description: The name of the Secret resource being
4276 referred to.
4277 type: string
4278 namespace:
4279 description: |-
4280 Namespace of the resource being referred to. Ignored if the referent is not cluster-scoped; otherwise it defaults
4281 to the namespace of the referent.
4282 type: string
4283 type: object
4284 required:
4285 - name
4286 - secretRef
4287 type: object
4288 type: array
4289 timeout:
4290 description: Timeout
4291 type: string
4292 url:
4293 description: Webhook url to call
4294 type: string
4295 required:
4296 - result
4297 - url
4298 type: object
4299 yandexcertificatemanager:
4300 description: YandexCertificateManager configures this store to
4301 sync secrets using Yandex Certificate Manager provider
4302 properties:
4303 apiEndpoint:
4304 description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
4305 type: string
4306 auth:
4307 description: Auth defines the information necessary to authenticate
4308 against Yandex Certificate Manager
4309 properties:
4310 authorizedKeySecretRef:
4311 description: The authorized key used for authentication
4312 properties:
4313 key:
4314 description: |-
4315 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
4316 defaulted, in others it may be required.
4317 type: string
4318 name:
4319 description: The name of the Secret resource being
4320 referred to.
4321 type: string
4322 namespace:
4323 description: |-
4324 Namespace of the resource being referred to. Ignored if the referent is not cluster-scoped; otherwise it defaults
4325 to the namespace of the referent.
4326 type: string
4327 type: object
4328 type: object
4329 caProvider:
4330 description: The provider for the CA bundle to use to validate
4331 Yandex.Cloud server certificate.
4332 properties:
4333 certSecretRef:
4334 description: |-
4335 A reference to a specific 'key' within a Secret resource.
4336 In some instances, `key` is a required field.
4337 properties:
4338 key:
4339 description: |-
4340 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
4341 defaulted, in others it may be required.
4342 type: string
4343 name:
4344 description: The name of the Secret resource being
4345 referred to.
4346 type: string
4347 namespace:
4348 description: |-
4349 Namespace of the resource being referred to. Ignored if the referent is not cluster-scoped; otherwise it defaults
4350 to the namespace of the referent.
4351 type: string
4352 type: object
4353 type: object
4354 required:
4355 - auth
4356 type: object
4357 yandexlockbox:
4358 description: YandexLockbox configures this store to sync secrets
4359 using Yandex Lockbox provider
4360 properties:
4361 apiEndpoint:
4362 description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
4363 type: string
4364 auth:
4365 description: Auth defines the information necessary to authenticate
4366 against Yandex Lockbox
4367 properties:
4368 authorizedKeySecretRef:
4369 description: The authorized key used for authentication
4370 properties:
4371 key:
4372 description: |-
4373 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
4374 defaulted, in others it may be required.
4375 type: string
4376 name:
4377 description: The name of the Secret resource being
4378 referred to.
4379 type: string
4380 namespace:
4381 description: |-
4382 Namespace of the resource being referred to. Ignored if the referent is not cluster-scoped; otherwise it defaults
4383 to the namespace of the referent.
4384 type: string
4385 type: object
4386 type: object
4387 caProvider:
4388 description: The provider for the CA bundle to use to validate
4389 Yandex.Cloud server certificate.
4390 properties:
4391 certSecretRef:
4392 description: |-
4393 A reference to a specific 'key' within a Secret resource.
4394 In some instances, `key` is a required field.
4395 properties:
4396 key:
4397 description: |-
4398 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
4399 defaulted, in others it may be required.
4400 type: string
4401 name:
4402 description: The name of the Secret resource being
4403 referred to.
4404 type: string
4405 namespace:
4406 description: |-
4407 Namespace of the resource being referred to. Ignored if the referent is not cluster-scoped; otherwise it defaults
4408 to the namespace of the referent.
4409 type: string
4410 type: object
4411 type: object
4412 required:
4413 - auth
4414 type: object
4415 type: object
4416 refreshInterval:
4417 description: Used to configure the store refresh interval in seconds.
4418 Empty or 0 will default to the controller config.
4419 type: integer
4420 retrySettings:
4421 description: Used to configure HTTP retries on failure
4422 properties:
4423 maxRetries:
4424 format: int32
4425 type: integer
4426 retryInterval:
4427 type: string
4428 type: object
4429 required:
4430 - provider
4431 type: object
4432 status:
4433 description: SecretStoreStatus defines the observed state of the SecretStore.
4434 properties:
4435 capabilities:
4436 description: SecretStoreCapabilities defines the possible operations
4437 a SecretStore can do.
4438 type: string
4439 conditions:
4440 items:
4441 properties:
4442 lastTransitionTime:
4443 format: date-time
4444 type: string
4445 message:
4446 type: string
4447 reason:
4448 type: string
4449 status:
4450 type: string
4451 type:
4452 type: string
4453 required:
4454 - status
4455 - type
4456 type: object
4457 type: array
4458 type: object
4459 type: object
4460 served: true
4461 storage: true
4462 subresources:
4463 status: {}