---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: (unknown)
  name: vaultdynamicsecrets.generators.external-secrets.io
spec:
  group: generators.external-secrets.io
  names:
    categories:
    - vaultdynamicsecret
    kind: VaultDynamicSecret
    listKind: VaultDynamicSecretList
    plural: vaultdynamicsecrets
    shortNames:
    - vaultdynamicsecret
    singular: vaultdynamicsecret
  scope: Namespaced
  versions:
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
          spec:
            properties:
              controller:
                description: |-
                  Used to select the correct ESO controller (think: ingress.ingressClassName)
                  The ESO controller is instantiated with a specific controller name and filters VDS based on this property
                type: string
              method:
                description: Vault API method to use (GET/POST/other)
                type: string
              parameters:
                description: Parameters to pass to Vault write (for non-GET methods)
                x-kubernetes-preserve-unknown-fields: true
              path:
                description: Vault path to obtain the dynamic secret from
                type: string
              provider:
                description: Vault provider common spec
                properties:
                  auth:
                    description: Auth configures how secret-manager authenticates
                      with the Vault server.
                    properties:
                      appRole:
                        description: |-
                          AppRole authenticates with Vault using the App Role auth mechanism,
                          with the role and secret stored in a Kubernetes Secret resource.
                        properties:
                          path:
                            default: approle
                            description: |-
                              Path where the App Role authentication backend is mounted
                              in Vault, e.g: "approle"
                            type: string
                          roleId:
                            description: |-
                              RoleID configured in the App Role authentication backend when setting
                              up the authentication backend in Vault.
                            type: string
                          roleRef:
                            description: |-
                              Reference to a key in a Secret that contains the App Role ID used
                              to authenticate with Vault.
                              The `key` field must be specified and denotes which entry within the Secret
                              resource is used as the app role id.
                            properties:
                              key:
                                description: |-
                                  The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                  defaulted, in others it may be required.
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                type: string
                              namespace:
                                description: |-
                                  Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                  to the namespace of the referent.
                                type: string
                            type: object
                          secretRef:
                            description: |-
                              Reference to a key in a Secret that contains the App Role secret used
                              to authenticate with Vault.
                              The `key` field must be specified and denotes which entry within the Secret
                              resource is used as the app role secret.
                            properties:
                              key:
                                description: |-
                                  The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                  defaulted, in others it may be required.
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                type: string
                              namespace:
                                description: |-
                                  Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                  to the namespace of the referent.
                                type: string
                            type: object
                        required:
                        - path
                        - secretRef
                        type: object
                      cert:
                        description: |-
                          Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
                          Cert authentication method
                        properties:
                          clientCert:
                            description: |-
                              ClientCert is a certificate to authenticate using the Cert Vault
                              authentication method
                            properties:
                              key:
                                description: |-
                                  The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                  defaulted, in others it may be required.
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                type: string
                              namespace:
                                description: |-
                                  Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                  to the namespace of the referent.
                                type: string
                            type: object
                          secretRef:
                            description: |-
                              SecretRef to a key in a Secret resource containing client private key to
                              authenticate with Vault using the Cert authentication method
                            properties:
                              key:
                                description: |-
                                  The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                  defaulted, in others it may be required.
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                type: string
                              namespace:
                                description: |-
                                  Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                  to the namespace of the referent.
                                type: string
                            type: object
                        type: object
                      iam:
                        description: |-
                          Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials
                          AWS IAM authentication method
                        properties:
                          externalID:
                            description: AWS External ID set on assumed IAM roles
                            type: string
                          jwt:
                            description: Specify a service account with IRSA enabled
                            properties:
                              serviceAccountRef:
                                description: A reference to a ServiceAccount resource.
                                properties:
                                  audiences:
                                    description: |-
                                      Audience specifies the `aud` claim for the service account token
                                      If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
                                      then this audiences will be appended to the list
                                    items:
                                      type: string
                                    type: array
                                  name:
                                    description: The name of the ServiceAccount resource
                                      being referred to.
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                      to the namespace of the referent.
                                    type: string
                                required:
                                - name
                                type: object
                            type: object
                          path:
                            description: 'Path where the AWS auth method is enabled
                              in Vault, e.g: "aws"'
                            type: string
                          region:
                            description: AWS region
                            type: string
                          role:
                            description: This is the AWS role to be assumed before
                              talking to vault
                            type: string
                          secretRef:
                            description: Specify credentials in a Secret object
                            properties:
                              accessKeyIDSecretRef:
                                description: The AccessKeyID is used for authentication
                                properties:
                                  key:
                                    description: |-
                                      The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                      defaulted, in others it may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                      to the namespace of the referent.
                                    type: string
                                type: object
                              secretAccessKeySecretRef:
                                description: The SecretAccessKey is used for authentication
                                properties:
                                  key:
                                    description: |-
                                      The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                      defaulted, in others it may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                      to the namespace of the referent.
                                    type: string
                                type: object
                              sessionTokenSecretRef:
                                description: |-
                                  The SessionToken used for authentication
                                  This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
                                  see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
                                properties:
                                  key:
                                    description: |-
                                      The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                      defaulted, in others it may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                      to the namespace of the referent.
                                    type: string
                                type: object
                            type: object
                          vaultAwsIamServerID:
                            description: 'X-Vault-AWS-IAM-Server-ID is an additional
                              header used by Vault IAM auth method to mitigate against
                              different types of replay attacks. More details here:
                              https://developer.hashicorp.com/vault/docs/auth/aws'
                            type: string
                          vaultRole:
                            description: Vault Role. In vault, a role describes an
                              identity with a set of permissions, groups, or policies
                              you want to attach a user of the secrets engine
                            type: string
                        required:
                        - vaultRole
                        type: object
                      jwt:
                        description: |-
                          Jwt authenticates with Vault by passing role and JWT token using the
                          JWT/OIDC authentication method
                        properties:
                          kubernetesServiceAccountToken:
                            description: |-
                              Optional ServiceAccountToken specifies the Kubernetes service account for which to request
                              a token for with the `TokenRequest` API.
                            properties:
                              audiences:
                                description: |-
                                  Optional audiences field that will be used to request a temporary Kubernetes service
                                  account token for the service account referenced by `serviceAccountRef`.
                                  Defaults to a single audience `vault` it not specified.
                                  Deprecated: use serviceAccountRef.Audiences instead
                                items:
                                  type: string
                                type: array
                              expirationSeconds:
                                description: |-
                                  Optional expiration time in seconds that will be used to request a temporary
                                  Kubernetes service account token for the service account referenced by
                                  `serviceAccountRef`.
                                  Deprecated: this will be removed in the future.
                                  Defaults to 10 minutes.
                                format: int64
                                type: integer
                              serviceAccountRef:
                                description: Service account field containing the
                                  name of a kubernetes ServiceAccount.
                                properties:
                                  audiences:
                                    description: |-
                                      Audience specifies the `aud` claim for the service account token
                                      If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
                                      then this audiences will be appended to the list
                                    items:
                                      type: string
                                    type: array
                                  name:
                                    description: The name of the ServiceAccount resource
                                      being referred to.
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                      to the namespace of the referent.
                                    type: string
                                required:
                                - name
                                type: object
                            required:
                            - serviceAccountRef
                            type: object
                          path:
                            default: jwt
                            description: |-
                              Path where the JWT authentication backend is mounted
                              in Vault, e.g: "jwt"
                            type: string
                          role:
                            description: |-
                              Role is a JWT role to authenticate using the JWT/OIDC Vault
                              authentication method
                            type: string
                          secretRef:
                            description: |-
                              Optional SecretRef that refers to a key in a Secret resource containing JWT token to
                              authenticate with Vault using the JWT/OIDC authentication method.
                            properties:
                              key:
                                description: |-
                                  The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                  defaulted, in others it may be required.
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                type: string
                              namespace:
                                description: |-
                                  Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                  to the namespace of the referent.
                                type: string
                            type: object
                        required:
                        - path
                        type: object
                      kubernetes:
                        description: |-
                          Kubernetes authenticates with Vault by passing the ServiceAccount
                          token stored in the named Secret resource to the Vault server.
                        properties:
                          mountPath:
                            default: kubernetes
                            description: |-
                              Path where the Kubernetes authentication backend is mounted in Vault, e.g:
                              "kubernetes"
                            type: string
                          role:
                            description: |-
                              A required field containing the Vault Role to assume. A Role binds a
                              Kubernetes ServiceAccount with a set of Vault policies.
                            type: string
                          secretRef:
                            description: |-
                              Optional secret field containing a Kubernetes ServiceAccount JWT used
                              for authenticating with Vault. If a name is specified without a key,
                              `token` is the default. If one is not specified, the one bound to
                              the controller will be used.
                            properties:
                              key:
                                description: |-
                                  The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                  defaulted, in others it may be required.
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                type: string
                              namespace:
                                description: |-
                                  Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                  to the namespace of the referent.
                                type: string
                            type: object
                          serviceAccountRef:
                            description: |-
                              Optional service account field containing the name of a kubernetes ServiceAccount.
                              If the service account is specified, the service account secret token JWT will be used
                              for authenticating with Vault. If the service account selector is not supplied,
                              the secretRef will be used instead.
                            properties:
                              audiences:
                                description: |-
                                  Audience specifies the `aud` claim for the service account token
                                  If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
                                  then this audiences will be appended to the list
                                items:
                                  type: string
                                type: array
                              name:
                                description: The name of the ServiceAccount resource
                                  being referred to.
                                type: string
                              namespace:
                                description: |-
                                  Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                  to the namespace of the referent.
                                type: string
                            required:
                            - name
                            type: object
                        required:
                        - mountPath
                        - role
                        type: object
                      ldap:
                        description: |-
                          Ldap authenticates with Vault by passing username/password pair using
                          the LDAP authentication method
                        properties:
                          path:
                            default: ldap
                            description: |-
                              Path where the LDAP authentication backend is mounted
                              in Vault, e.g: "ldap"
                            type: string
                          secretRef:
                            description: |-
                              SecretRef to a key in a Secret resource containing password for the LDAP
                              user used to authenticate with Vault using the LDAP authentication
                              method
                            properties:
                              key:
                                description: |-
                                  The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                  defaulted, in others it may be required.
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                type: string
                              namespace:
                                description: |-
                                  Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                  to the namespace of the referent.
                                type: string
                            type: object
                          username:
                            description: |-
                              Username is a LDAP user name used to authenticate using the LDAP Vault
                              authentication method
                            type: string
                        required:
                        - path
                        - username
                        type: object
                      namespace:
                        description: |-
                          Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in.
                          Namespaces is a set of features within Vault Enterprise that allows
                          Vault environments to support Secure Multi-tenancy. e.g: "ns1".
                          More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
                          This will default to Vault.Namespace field if set, or empty otherwise
                        type: string
                      tokenSecretRef:
                        description: TokenSecretRef authenticates with Vault by presenting
                          a token.
                        properties:
                          key:
                            description: |-
                              The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                              defaulted, in others it may be required.
                            type: string
                          name:
                            description: The name of the Secret resource being referred
                              to.
                            type: string
                          namespace:
                            description: |-
                              Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                              to the namespace of the referent.
                            type: string
                        type: object
                      userPass:
                        description: UserPass authenticates with Vault by passing
                          username/password pair
                        properties:
                          path:
                            default: user
                            description: |-
                              Path where the UserPassword authentication backend is mounted
                              in Vault, e.g: "user"
                            type: string
                          secretRef:
                            description: |-
                              SecretRef to a key in a Secret resource containing password for the
                              user used to authenticate with Vault using the UserPass authentication
                              method
                            properties:
                              key:
                                description: |-
                                  The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                  defaulted, in others it may be required.
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                type: string
                              namespace:
                                description: |-
                                  Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                  to the namespace of the referent.
                                type: string
                            type: object
                          username:
                            description: |-
                              Username is a user name used to authenticate using the UserPass Vault
                              authentication method
                            type: string
                        required:
                        - path
                        - username
                        type: object
                    type: object
                  caBundle:
                    description: |-
                      PEM encoded CA bundle used to validate Vault server certificate. Only used
                      if the Server URL is using HTTPS protocol. This parameter is ignored for
                      plain HTTP protocol connection. If not set the system root certificates
                      are used to validate the TLS connection.
                    format: byte
                    type: string
                  caProvider:
                    description: The provider for the CA bundle to use to validate
                      Vault server certificate.
                    properties:
                      key:
                        description: The key where the CA certificate can be found
                          in the Secret or ConfigMap.
                        type: string
                      name:
                        description: The name of the object located at the provider
                          type.
                        type: string
                      namespace:
                        description: |-
                          The namespace the Provider type is in.
                          Can only be defined when used in a ClusterSecretStore.
                        type: string
                      type:
                        description: The type of provider to use such as "Secret",
                          or "ConfigMap".
                        enum:
                        - Secret
                        - ConfigMap
                        type: string
                    required:
                    - name
                    - type
                    type: object
                  forwardInconsistent:
                    description: |-
                      ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
                      leader instead of simply retrying within a loop. This can increase performance if
                      the option is enabled serverside.
                      https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
                    type: boolean
                  namespace:
                    description: |-
                      Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
                      Vault environments to support Secure Multi-tenancy. e.g: "ns1".
                      More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
                    type: string
                  path:
                    description: |-
                      Path is the mount path of the Vault KV backend endpoint, e.g:
                      "secret". The v2 KV secret engine version specific "/data" path suffix
                      for fetching secrets from Vault is optional and will be appended
                      if not present in specified path.
                    type: string
                  readYourWrites:
                    description: |-
                      ReadYourWrites ensures isolated read-after-write semantics by
                      providing discovered cluster replication states in each request.
                      More information about eventual consistency in Vault can be found here
                      https://www.vaultproject.io/docs/enterprise/consistency
                    type: boolean
                  server:
                    description: 'Server is the connection address for the Vault server,
                      e.g: "https://vault.example.com:8200".'
                    type: string
                  tls:
                    description: |-
                      The configuration used for client side related TLS communication, when the Vault server
                      requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
                      This parameter is ignored for plain HTTP protocol connection.
                      It's worth noting this configuration is different from the "TLS certificates auth method",
                      which is available under the `auth.cert` section.
                    properties:
                      certSecretRef:
                        description: |-
                          CertSecretRef is a certificate added to the transport layer
                          when communicating with the Vault server.
                          If no key for the Secret is specified, external-secret will default to 'tls.crt'.
                        properties:
                          key:
                            description: |-
                              The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                              defaulted, in others it may be required.
                            type: string
                          name:
                            description: The name of the Secret resource being referred
                              to.
                            type: string
                          namespace:
                            description: |-
                              Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                              to the namespace of the referent.
                            type: string
                        type: object
                      keySecretRef:
                        description: |-
                          KeySecretRef to a key in a Secret resource containing client private key
                          added to the transport layer when communicating with the Vault server.
                          If no key for the Secret is specified, external-secret will default to 'tls.key'.
                        properties:
                          key:
                            description: |-
                              The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                              defaulted, in others it may be required.
                            type: string
                          name:
                            description: The name of the Secret resource being referred
                              to.
                            type: string
                          namespace:
                            description: |-
                              Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                              to the namespace of the referent.
                            type: string
                        type: object
                    type: object
                  version:
                    default: v2
                    description: |-
                      Version is the Vault KV secret engine version. This can be either "v1" or
                      "v2". Version defaults to "v2".
                    enum:
                    - v1
                    - v2
                    type: string
                required:
                - auth
                - server
                type: object
              resultType:
                default: Data
                description: |-
                  Result type defines which data is returned from the generator.
                  By default it is the "data" section of the Vault API response.
                  When using e.g. /auth/token/create the "data" section is empty but
                  the "auth" section contains the generated token.
                  Please refer to the vault docs regarding the result data structure.
                enum:
                - Data
                - Auth
                type: string
            required:
            - path
            - provider
            type: object
        type: object
    served: true
    storage: true
    subresources:
      status: {}