---
# CustomResourceDefinition that registers the ExternalSecret kind in the
# external-secrets.io API group.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    # NOTE(review): the generator version is recorded as "(unknown)", so the
    # annotation does not tie this manifest to a specific controller-gen release.
    controller-gen.kubebuilder.io/version: (unknown)
  name: externalsecrets.external-secrets.io
spec:
  group: external-secrets.io
  names:
    categories:
    - externalsecrets
    kind: ExternalSecret
    listKind: ExternalSecretList
    plural: externalsecrets
    shortNames:
    - es
    singular: externalsecret
  # Namespaced scope: every ExternalSecret object belongs to exactly one namespace.
  scope: Namespaced
  # One entry per API version; each entry carries its own schema and its own
  # served/storage flags.
  versions:
  # v1alpha1: flagged deprecated below, still served (served: true) and not the
  # storage version (storage: false).
  - additionalPrinterColumns:
    - jsonPath: .spec.secretStoreRef.name
      name: Store
      type: string
    - jsonPath: .spec.refreshInterval
      name: Refresh Interval
      type: string
    - jsonPath: .status.conditions[?(@.type=="Ready")].reason
      name: Status
      type: string
    # NOTE(review): the version is deprecated but remains served, so clients can
    # keep submitting objects through this schema until served is turned off.
    deprecated: true
    name: v1alpha1
    schema:
      openAPIV3Schema:
        description: ExternalSecret is the Schema for the external-secrets API.
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
          spec:
            description: ExternalSecretSpec defines the desired state of ExternalSecret.
            properties:
              # Per-key mapping: each entry names a provider location (remoteRef)
              # and a secretKey; both are required.
              data:
                description: Data defines the connection between the Kubernetes Secret
                  keys and the Provider data
                items:
                  description: ExternalSecretData defines the connection between the
                    Kubernetes Secret key (spec.data.<key>) and the Provider data.
                  properties:
                    remoteRef:
                      description: ExternalSecretDataRemoteRef defines Provider data
                        location.
                      properties:
                        conversionStrategy:
                          default: Default
                          description: Used to define a conversion Strategy
                          enum:
                          - Default
                          - Unicode
                          type: string
                        # The schema only requires a string here; no pattern or
                        # length limit is declared for the provider key.
                        key:
                          description: Key is the key used in the Provider, mandatory
                          type: string
                        property:
                          description: Used to select a specific property of the Provider
                            value (if a map), if supported
                          type: string
                        version:
                          description: Used to select a specific version of the Provider
                            value, if supported
                          type: string
                      required:
                      - key
                      type: object
                    # No description or pattern in this version; presumably the key
                    # written into the target Secret, as the v1beta1 schema in this
                    # file describes it — confirm.
                    secretKey:
                      type: string
                  required:
                  - remoteRef
                  - secretKey
                  type: object
                type: array
              # Bulk mapping: each entry is a provider location; per the
              # description, later entries are merged over earlier ones.
              dataFrom:
                description: |-
                  DataFrom is used to fetch all properties from a specific Provider data
                  If multiple entries are specified, the Secret keys are merged in the specified order
                items:
                  description: ExternalSecretDataRemoteRef defines Provider data location.
                  properties:
                    conversionStrategy:
                      default: Default
                      description: Used to define a conversion Strategy
                      enum:
                      - Default
                      - Unicode
                      type: string
                    key:
                      description: Key is the key used in the Provider, mandatory
                      type: string
                    property:
                      description: Used to select a specific property of the Provider
                        value (if a map), if supported
                      type: string
                    version:
                      description: Used to select a specific version of the Provider
                        value, if supported
                      type: string
                  required:
                  - key
                  type: object
                type: array
              # Free-form string: no pattern is declared, so the schema does not
              # check the duration syntax. Per the description, zero means the
              # value is fetched once, so later provider-side changes are not
              # picked up.
              refreshInterval:
                default: 1h
                description: |-
                  RefreshInterval is the amount of time before the values are read again from the SecretStore provider
                  Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
                  May be set to zero to fetch and create it once. Defaults to 1h.
                type: string
              secretStoreRef:
                description: SecretStoreRef defines which SecretStore to fetch the
                  ExternalSecret data.
                properties:
                  # Not restricted by an enum: any string passes schema validation
                  # even though the description names only two kinds.
                  # NOTE(review): confirm that the controller or an admission
                  # webhook rejects other values, and that use of
                  # ClusterSecretStore is restricted where that matters.
                  kind:
                    description: |-
                      Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
                      Defaults to `SecretStore`
                    type: string
                  name:
                    description: Name of the SecretStore resource
                    type: string
                required:
                - name
                type: object
              target:
                description: |-
                  ExternalSecretTarget defines the Kubernetes Secret to be created
                  There can be only one target per ExternalSecret.
                properties:
                  # The schema lists the allowed values but not their semantics;
                  # NOTE(review): check the controller documentation for what
                  # Merge and None do to a Secret that already exists.
                  creationPolicy:
                    default: Owner
                    description: |-
                      CreationPolicy defines rules on how to create the resulting Secret
                      Defaults to 'Owner'
                    enum:
                    - Owner
                    - Merge
                    - None
                    type: string
                  immutable:
                    description: Immutable defines if the final secret will be immutable
                    type: boolean
                  # The description calls this field immutable, but no validation
                  # rule enforcing that is visible in this schema.
                  name:
                    description: |-
                      Name defines the name of the Secret resource to be managed
                      This field is immutable
                      Defaults to the .metadata.name of the ExternalSecret resource
                    type: string
                  template:
                    description: Template defines a blueprint for the created Secret
                      resource.
                    properties:
                      # String-to-string map; per the engineVersion description,
                      # these values are compiled/executed as templates.
                      data:
                        additionalProperties:
                          type: string
                        type: object
                      # Defaults to v1 in this API version; the v1beta1 schema in
                      # this file defaults to v2.
                      engineVersion:
                        default: v1
                        description: |-
                          EngineVersion specifies the template engine version
                          that should be used to compile/execute the
                          template specified in .data and .templateFrom[].
                        enum:
                        - v1
                        - v2
                        type: string
                      metadata:
                        description: ExternalSecretTemplateMetadata defines metadata
                          fields for the Secret blueprint.
                        properties:
                          annotations:
                            additionalProperties:
                              type: string
                            type: object
                          labels:
                            additionalProperties:
                              type: string
                            type: object
                        type: object
                      # Each entry must set exactly one of configMap or secret
                      # (minProperties and maxProperties are both 1).
                      templateFrom:
                        items:
                          maxProperties: 1
                          minProperties: 1
                          properties:
                            configMap:
                              properties:
                                items:
                                  items:
                                    properties:
                                      key:
                                        type: string
                                    required:
                                    - key
                                    type: object
                                  type: array
                                name:
                                  type: string
                              required:
                              - items
                              - name
                              type: object
                            secret:
                              properties:
                                items:
                                  items:
                                    properties:
                                      key:
                                        type: string
                                    required:
                                    - key
                                    type: object
                                  type: array
                                name:
                                  type: string
                              required:
                              - items
                              - name
                              type: object
                          type: object
                        type: array
                      # Unconstrained string; presumably the type of the generated
                      # Secret — confirm.
                      type:
                        type: string
                    type: object
                type: object
            required:
            - secretStoreRef
            - target
            type: object
          # Reported state; exposed through the status subresource enabled at the
          # end of this version entry.
          status:
            properties:
              binding:
                description: Binding represents a servicebinding.io Provisioned Service
                  reference to the secret
                properties:
                  name:
                    default: ""
                    description: |-
                      Name of the referent.
                      This field is effectively required, but due to backwards compatibility is
                      allowed to be empty. Instances of this type with an empty value here are
                      almost certainly wrong.
                      TODO: Add other useful fields. apiVersion, kind, uid?
                      More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                      TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
                    type: string
                type: object
                x-kubernetes-map-type: atomic
              conditions:
                items:
                  properties:
                    lastTransitionTime:
                      format: date-time
                      type: string
                    message:
                      type: string
                    reason:
                      type: string
                    status:
                      type: string
                    type:
                      type: string
                  required:
                  - status
                  - type
                  type: object
                type: array
              refreshTime:
                description: |-
                  refreshTime is the time and date the external secret was fetched and
                  the target secret updated
                format: date-time
                nullable: true
                type: string
              syncedResourceVersion:
                description: SyncedResourceVersion keeps track of the last synced
                  version
                type: string
            type: object
        type: object
    # Served but not stored: objects are persisted in the version that sets
    # storage: true (v1beta1 in this file).
    served: true
    storage: false
    # Enables the /status subresource for this version.
    subresources:
      status: {}
  # v1beta1: served and the storage version (storage: true).
  - additionalPrinterColumns:
    - jsonPath: .spec.secretStoreRef.name
      name: Store
      type: string
    - jsonPath: .spec.refreshInterval
      name: Refresh Interval
      type: string
    - jsonPath: .status.conditions[?(@.type=="Ready")].reason
      name: Status
      type: string
    - jsonPath: .status.conditions[?(@.type=="Ready")].status
      name: Ready
      type: string
    name: v1beta1
    schema:
      openAPIV3Schema:
        description: ExternalSecret is the Schema for the external-secrets API.
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
          # Unlike the v1alpha1 schema in this file, spec declares no required
          # fields in this version, and target carries a default.
          spec:
            description: ExternalSecretSpec defines the desired state of ExternalSecret.
            properties:
              # Per-key mapping: each entry names a provider location (remoteRef)
              # and the Secret key to store it under; both are required.
              data:
                description: Data defines the connection between the Kubernetes Secret
                  keys and the Provider data
                items:
                  description: ExternalSecretData defines the connection between the
                    Kubernetes Secret key (spec.data.<key>) and the Provider data.
                  properties:
                    remoteRef:
                      description: |-
                        RemoteRef points to the remote secret and defines
                        which secret (version/property/..) to fetch.
                      properties:
                        conversionStrategy:
                          default: Default
                          description: Used to define a conversion Strategy
                          enum:
                          - Default
                          - Unicode
                          type: string
                        # Defaults to None. What Auto does is not described in this
                        # schema — check the controller documentation.
                        decodingStrategy:
                          default: None
                          description: Used to define a decoding Strategy
                          enum:
                          - Auto
                          - Base64
                          - Base64URL
                          - None
                          type: string
                        # The schema only requires a string here; no pattern or
                        # length limit is declared for the provider key.
                        key:
                          description: Key is the key used in the Provider, mandatory
                          type: string
                        metadataPolicy:
                          default: None
                          description: Policy for fetching tags/labels from provider
                            secrets, possible options are Fetch, None. Defaults to
                            None
                          enum:
                          - None
                          - Fetch
                          type: string
                        property:
                          description: Used to select a specific property of the Provider
                            value (if a map), if supported
                          type: string
                        version:
                          description: Used to select a specific version of the Provider
                            value, if supported
                          type: string
                      required:
                      - key
                      type: object
                    secretKey:
                      description: |-
                        SecretKey defines the key in which the controller stores
                        the value. This is the key in the Kind=Secret
                      type: string
                    # maxProperties: 1 with no minProperties: at most one of
                    # generatorRef/storeRef may be set, and an empty object also
                    # passes the schema.
                    sourceRef:
                      description: |-
                        SourceRef allows you to override the source
                        from which the value will pulled from.
                      maxProperties: 1
                      properties:
                        # Still accepted by the schema although the description
                        # marks it deprecated and not implemented for .data[].
                        generatorRef:
                          description: |-
                            GeneratorRef points to a generator custom resource.


                            Deprecated: The generatorRef is not implemented in .data[].
                            this will be removed with v1.
                          properties:
                            apiVersion:
                              default: generators.external-secrets.io/v1alpha1
                              description: Specify the apiVersion of the generator
                                resource
                              type: string
                            kind:
                              description: Specify the Kind of the resource, e.g.
                                Password, ACRAccessToken etc.
                              type: string
                            name:
                              description: Specify the name of the generator resource
                              type: string
                          required:
                          - kind
                          - name
                          type: object
                        # Per-entry store override; kind is again an unconstrained
                        # string (see the note on spec.secretStoreRef.kind).
                        storeRef:
                          description: SecretStoreRef defines which SecretStore to
                            fetch the ExternalSecret data.
                          properties:
                            kind:
                              description: |-
                                Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
                                Defaults to `SecretStore`
                              type: string
                            name:
                              description: Name of the SecretStore resource
                              type: string
                          required:
                          - name
                          type: object
                      type: object
                  required:
                  - remoteRef
                  - secretKey
                  type: object
                type: array
              # Bulk mapping. An entry declares no minProperties/maxProperties or
              # required list, so the schema alone does not stop extract, find,
              # rewrite and sourceRef from being combined or all omitted. The
              # descriptions state which combinations are unsupported;
              # NOTE(review): presumably enforced by the controller or a webhook
              # — confirm.
              dataFrom:
                description: |-
                  DataFrom is used to fetch all properties from a specific Provider data
                  If multiple entries are specified, the Secret keys are merged in the specified order
                items:
                  properties:
                    extract:
                      description: |-
                        Used to extract multiple key/value pairs from one secret
                        Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
                      properties:
                        conversionStrategy:
                          default: Default
                          description: Used to define a conversion Strategy
                          enum:
                          - Default
                          - Unicode
                          type: string
                        decodingStrategy:
                          default: None
                          description: Used to define a decoding Strategy
                          enum:
                          - Auto
                          - Base64
                          - Base64URL
                          - None
                          type: string
                        key:
                          description: Key is the key used in the Provider, mandatory
                          type: string
                        metadataPolicy:
                          default: None
                          description: Policy for fetching tags/labels from provider
                            secrets, possible options are Fetch, None. Defaults to
                            None
                          enum:
                          - None
                          - Fetch
                          type: string
                        property:
                          description: Used to select a specific property of the Provider
                            value (if a map), if supported
                          type: string
                        version:
                          description: Used to select a specific version of the Provider
                            value, if supported
                          type: string
                      required:
                      - key
                      type: object
                    # Selects secrets by name pattern, path and/or tags. None of
                    # the three is required, so the schema accepts an empty find
                    # object; NOTE(review): confirm how the controller and each
                    # provider treat an unrestricted find.
                    find:
                      description: |-
                        Used to find secrets based on tags or regular expressions
                        Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
                      properties:
                        conversionStrategy:
                          default: Default
                          description: Used to define a conversion Strategy
                          enum:
                          - Default
                          - Unicode
                          type: string
                        decodingStrategy:
                          default: None
                          description: Used to define a decoding Strategy
                          enum:
                          - Auto
                          - Base64
                          - Base64URL
                          - None
                          type: string
                        name:
                          description: Finds secrets based on the name.
                          properties:
                            # User-supplied regular expression with no length limit
                            # declared. The description text is truncated in the
                            # generated output.
                            regexp:
                              description: Finds secrets base
                              type: string
                          type: object
                        path:
                          description: A root path to start the find operations.
                          type: string
                        tags:
                          additionalProperties:
                            type: string
                          description: Find secrets based on tags.
                          type: object
                      type: object
                    # Key rewriting. An item declares no required list or
                    # property-count limit, so regexp and transform can both be
                    # set or both be omitted as far as the schema is concerned.
                    rewrite:
                      description: |-
                        Used to rewrite secret Keys after getting them from the secret Provider
                        Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
                      items:
                        properties:
                          regexp:
                            description: |-
                              Used to rewrite with regular expressions.
                              The resulting key will be the output of a regexp.ReplaceAll operation.
                            properties:
                              # User-supplied pattern, unconstrained by the schema.
                              # NOTE(review): the wording suggests Go's regexp
                              # package — confirm against the controller source.
                              source:
                                description: Used to define the regular expression
                                  of a re.Compiler.
                                type: string
                              target:
                                description: Used to define the target pattern of
                                  a ReplaceAll operation.
                                type: string
                            required:
                            - source
                            - target
                            type: object
                          transform:
                            description: |-
                              Used to apply string transformation on the secrets.
                              The resulting key will be the output of the template applied by the operation.
                            properties:
                              # User-supplied template text that the controller
                              # applies to secret names.
                              template:
                                description: |-
                                  Used to define the template to apply on the secret name.
                                  `.value ` will specify the secret name in the template.
                                type: string
                            required:
                            - template
                            type: object
                        type: object
                      type: array
                    # maxProperties: 1 with no minProperties: at most one of
                    # generatorRef/storeRef, and an empty object passes the schema.
                    sourceRef:
                      description: |-
                        SourceRef points to a store or generator
                        which contains secret values ready to use.
                        Use this in combination with Extract or Find pull values out of
                        a specific SecretStore.
                        When sourceRef points to a generator Extract or Find is not supported.
                        The generator returns a static map of values
                      maxProperties: 1
                      properties:
                        generatorRef:
                          description: GeneratorRef points to a generator custom resource.
                          properties:
                            apiVersion:
                              default: generators.external-secrets.io/v1alpha1
                              description: Specify the apiVersion of the generator
                                resource
                              type: string
                            kind:
                              description: Specify the Kind of the resource, e.g.
                                Password, ACRAccessToken etc.
                              type: string
                            name:
                              description: Specify the name of the generator resource
                              type: string
                          required:
                          - kind
                          - name
                          type: object
                        storeRef:
                          description: SecretStoreRef defines which SecretStore to
                            fetch the ExternalSecret data.
                          properties:
                            kind:
                              description: |-
                                Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
                                Defaults to `SecretStore`
                              type: string
                            name:
                              description: Name of the SecretStore resource
                              type: string
                          required:
                          - name
                          type: object
                      type: object
                  type: object
                type: array
              # Free-form string: no pattern is declared, so the schema does not
              # check the duration syntax. Per the description, zero means the
              # value is fetched once, so later provider-side changes are not
              # picked up.
              refreshInterval:
                default: 1h
                description: |-
                  RefreshInterval is the amount of time before the values are read again from the SecretStore provider
                  Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
                  May be set to zero to fetch and create it once. Defaults to 1h.
                type: string
              secretStoreRef:
                description: SecretStoreRef defines which SecretStore to fetch the
                  ExternalSecret data.
                properties:
                  # Not restricted by an enum: any string passes schema validation
                  # even though the description names only two kinds.
                  # NOTE(review): confirm that the controller or an admission
                  # webhook rejects other values, and that use of
                  # ClusterSecretStore is restricted where that matters.
                  kind:
                    description: |-
                      Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
                      Defaults to `SecretStore`
                    type: string
                  name:
                    description: Name of the SecretStore resource
                    type: string
                required:
                - name
                type: object
              target:
                # Applied when target is omitted altogether.
                default:
                  creationPolicy: Owner
                  deletionPolicy: Retain
                description: |-
                  ExternalSecretTarget defines the Kubernetes Secret to be created
                  There can be only one target per ExternalSecret.
                properties:
                  # Adds Orphan to the v1alpha1 value set. The schema lists the
                  # values but not their semantics; NOTE(review): check the
                  # controller documentation for what Merge, Orphan and None do
                  # to a Secret that already exists.
                  creationPolicy:
                    default: Owner
                    description: |-
                      CreationPolicy defines rules on how to create the resulting Secret
                      Defaults to 'Owner'
                    enum:
                    - Owner
                    - Orphan
                    - Merge
                    - None
                    type: string
                  # Defaults to Retain; the semantics of Delete and Merge are not
                  # described in this schema.
                  deletionPolicy:
                    default: Retain
                    description: |-
                      DeletionPolicy defines rules on how to delete the resulting Secret
                      Defaults to 'Retain'
                    enum:
                    - Delete
                    - Merge
                    - Retain
                    type: string
                  immutable:
                    description: Immutable defines if the final secret will be immutable
                    type: boolean
                  # The description calls this field immutable, but no validation
                  # rule enforcing that is visible in this schema.
                  name:
                    description: |-
                      Name defines the name of the Secret resource to be managed
                      This field is immutable
                      Defaults to the .metadata.name of the ExternalSecret resource
                    type: string
                  template:
                    description: Template defines a blueprint for the created Secret
                      resource.
                    properties:
                      # String-to-string map; per the engineVersion description,
                      # these values are compiled/executed as templates.
                      data:
                        additionalProperties:
                          type: string
                        type: object
                      # Defaults to v2 in this API version; the v1alpha1 schema in
                      # this file defaults to v1.
                      engineVersion:
                        default: v2
                        description: |-
                          EngineVersion specifies the template engine version
                          that should be used to compile/execute the
                          template specified in .data and .templateFrom[].
                        enum:
                        - v1
                        - v2
                        type: string
                      # No description is generated for this field; the difference
                      # between Replace and Merge is not stated in this schema.
                      mergePolicy:
                        default: Replace
                        enum:
                        - Replace
                        - Merge
                        type: string
                      metadata:
                        description: ExternalSecretTemplateMetadata defines metadata
                          fields for the Secret blueprint.
                        properties:
                          annotations:
                            additionalProperties:
                              type: string
                            type: object
                          labels:
                            additionalProperties:
                              type: string
                            type: object
                        type: object
                      # Unlike the v1alpha1 schema in this file, entries carry no
                      # minProperties/maxProperties, so the schema alone does not
                      # make configMap, literal and secret mutually exclusive.
                      templateFrom:
                        items:
                          properties:
                            configMap:
                              properties:
                                items:
                                  items:
                                    properties:
                                      key:
                                        type: string
                                      templateAs:
                                        default: Values
                                        enum:
                                        - Values
                                        - KeysAndValues
                                        type: string
                                    required:
                                    - key
                                    type: object
                                  type: array
                                name:
                                  type: string
                              required:
                              - items
                              - name
                              type: object
                            # Presumably inline template text — confirm; the
                            # schema gives no description.
                            literal:
                              type: string
                            secret:
                              properties:
                                items:
                                  items:
                                    properties:
                                      key:
                                        type: string
                                      templateAs:
                                        default: Values
                                        enum:
                                        - Values
                                        - KeysAndValues
                                        type: string
                                    required:
                                    - key
                                    type: object
                                  type: array
                                name:
                                  type: string
                              required:
                              - items
                              - name
                              type: object
                            # Presumably selects which part of the generated Secret
                            # the rendered template populates — confirm.
                            target:
                              default: Data
                              enum:
                              - Data
                              - Annotations
                              - Labels
                              type: string
                          type: object
                        type: array
                      # Unconstrained string; presumably the type of the generated
                      # Secret — confirm.
                      type:
                        type: string
                    type: object
                type: object
            type: object
          # Reported state; exposed through the status subresource enabled at the
          # end of this version entry.
          status:
            properties:
              binding:
                description: Binding represents a servicebinding.io Provisioned Service
                  reference to the secret
                properties:
                  name:
                    default: ""
                    description: |-
                      Name of the referent.
                      This field is effectively required, but due to backwards compatibility is
                      allowed to be empty. Instances of this type with an empty value here are
                      almost certainly wrong.
                      TODO: Add other useful fields. apiVersion, kind, uid?
                      More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                      TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
                    type: string
                type: object
                x-kubernetes-map-type: atomic
              conditions:
                items:
                  properties:
                    lastTransitionTime:
                      format: date-time
                      type: string
                    message:
                      type: string
                    reason:
                      type: string
                    status:
                      type: string
                    type:
                      type: string
                  required:
                  - status
                  - type
                  type: object
                type: array
              refreshTime:
                description: |-
                  refreshTime is the time and date the external secret was fetched and
                  the target secret updated
                format: date-time
                nullable: true
                type: string
              syncedResourceVersion:
                description: SyncedResourceVersion keeps track of the last synced
                  version
                type: string
            type: object
        type: object
    # Served and used as the storage version for persisted objects.
    served: true
    storage: true
    # Enables the /status subresource for this version.
    subresources:
      status: {}