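# Namespace that hosts the external-secrets operator. The CRDs that follow
# point their conversion webhook at a Service in this namespace
# (spec.conversion.webhook.clientConfig.service.namespace).
# The pallet.edge.ncr.com/* annotations record the build that rendered this
# manifest (timestamp, source revision and tree, version); values verbatim.
apiVersion: v1
kind: Namespace
metadata:
  name: external-secrets
  labels:
    workload.edge.ncr.com: 'platform'
  annotations:
    # Quoted so the timestamp stays a string rather than a YAML datetime.
    pallet.edge.ncr.com/created: "2023-02-16T21:26:39Z"
    pallet.edge.ncr.com/name: external-secrets-operator
    pallet.edge.ncr.com/revision: 696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/source: https://github.com/ncrvoyix-swt-retail/edge-infra/tree/696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/team: '@ncrvoyix-swt-retail/edge-infra'
    pallet.edge.ncr.com/version: 7.7.7-rc.1676582799+commit.696897a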
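---
# Source: external-secrets/templates/crds/clusterexternalsecret.yaml
# ClusterExternalSecret CRD (cluster-scoped). One version, v1beta1, is served
# and is also the storage version; the status subresource is enabled at the
# bottom of the version entry.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: clusterexternalsecrets.external-secrets.io
  annotations:
    controller-gen.kubebuilder.io/version: v0.9.0
    # pallet.edge.ncr.com/* record the build that rendered this manifest.
    pallet.edge.ncr.com/created: "2023-02-16T21:26:39Z"
    pallet.edge.ncr.com/name: external-secrets-operator
    pallet.edge.ncr.com/revision: 696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/source: https://github.com/ncrvoyix-swt-retail/edge-infra/tree/696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/team: '@ncrvoyix-swt-retail/edge-infra'
    pallet.edge.ncr.com/version: 7.7.7-rc.1676582799+commit.696897a
  labels: {}
spec:
  conversion:
    strategy: Webhook
    webhook:
      # In-cluster Service the API server calls for cross-version conversion.
      # NOTE(review): the Service name (`kexternal-secrets-webhook`) does not
      # share the `external-secrets` prefix used by the chart name in the
      # Source comment above; confirm a Service with exactly this name exists
      # in namespace external-secrets. No caBundle is set in clientConfig, so
      # presumably the operator injects one at runtime - verify.
      clientConfig:
        service:
          name: kexternal-secrets-webhook
          namespace: "external-secrets"
          path: /convert
      conversionReviewVersions:
        - v1
  group: external-secrets.io
  names:
    kind: ClusterExternalSecret
    categories:
      - externalsecrets
    listKind: ClusterExternalSecretList
    plural: clusterexternalsecrets
    shortNames:
      - ces
    singular: clusterexternalsecret
  scope: Cluster
  versions:
    - name: v1beta1
      schema:
        openAPIV3Schema:
          type: object
          description: ClusterExternalSecret is the Schema for the clusterexternalsecrets API.
          properties:
            apiVersion:
              type: string
              description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            kind:
              type: string
              description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            metadata:
              type: object
            spec:
              type: object
              description: ClusterExternalSecretSpec defines the desired state of ClusterExternalSecret.
              # Both externalSecretSpec and namespaceSelector are required
              # (see the `required` list at the end of this properties map).
              properties:
                externalSecretName:
                  type: string
                  description: The name of the external secrets to be created defaults to the name of the ClusterExternalSecret
                externalSecretSpec:
                  type: object
                  description: The spec for the ExternalSecrets to be created
                  properties:
                    data:
                      type: array
                      description: Data defines the connection between the Kubernetes Secret keys and the Provider data
                      items:
                        type: object
                        description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
                        properties:
                          remoteRef:
                            type: object
                            description: ExternalSecretDataRemoteRef defines Provider data location.
                            properties:
                              conversionStrategy:
                                type: string
                                default: Default
                                description: Used to define a conversion Strategy
                              key:
                                type: string
                                description: Key is the key used in the Provider, mandatory
                              metadataPolicy:
                                type: string
                                description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
                              property:
                                type: string
                                description: Used to select a specific property of the Provider value (if a map), if supported
                              version:
                                type: string
                                description: Used to select a specific version of the Provider value, if supported
                            required:
                              - key
                          secretKey:
                            type: string
                        required:
                          - remoteRef
                          - secretKey
                    dataFrom:
                      type: array
                      description: DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order
                      items:
                        type: object
                        # Exactly one of extract / find per entry.
                        maxProperties: 1
                        minProperties: 1
                        properties:
                          extract:
                            type: object
                            description: Used to extract multiple key/value pairs from one secret
                            properties:
                              conversionStrategy:
                                type: string
                                default: Default
                                description: Used to define a conversion Strategy
                              key:
                                type: string
                                description: Key is the key used in the Provider, mandatory
                              metadataPolicy:
                                type: string
                                description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
                              property:
                                type: string
                                description: Used to select a specific property of the Provider value (if a map), if supported
                              version:
                                type: string
                                description: Used to select a specific version of the Provider value, if supported
                            required:
                              - key
                          find:
                            type: object
                            description: Used to find secrets based on tags or regular expressions
                            properties:
                              name:
                                type: object
                                description: Finds secrets based on the name.
                                properties:
                                  regexp:
                                    type: string
                                    description: Finds secrets base
                              conversionStrategy:
                                type: string
                                default: Default
                                description: Used to define a conversion Strategy
                              path:
                                type: string
                                description: A root path to start the find operations.
                              tags:
                                type: object
                                additionalProperties:
                                  type: string
                                description: Find secrets based on tags.
                    refreshInterval:
                      type: string
                      default: 1h
                      description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to fetch and create it once. Defaults to 1h.
                    secretStoreRef:
                      type: object
                      description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
                      properties:
                        name:
                          type: string
                          description: Name of the SecretStore resource
                        kind:
                          type: string
                          description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore`
                      required:
                        - name
                    target:
                      type: object
                      description: ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret.
                      properties:
                        name:
                          type: string
                          description: Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource
                        template:
                          type: object
                          description: Template defines a blueprint for the created Secret resource.
                          properties:
                            metadata:
                              type: object
                              description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
                              properties:
                                labels:
                                  type: object
                                  additionalProperties:
                                    type: string
                                annotations:
                                  type: object
                                  additionalProperties:
                                    type: string
                            type:
                              type: string
                            data:
                              type: object
                              additionalProperties:
                                type: string
                            engineVersion:
                              type: string
                              default: v2
                            templateFrom:
                              type: array
                              items:
                                type: object
                                # Exactly one of configMap / secret per entry.
                                maxProperties: 1
                                minProperties: 1
                                properties:
                                  configMap:
                                    type: object
                                    properties:
                                      name:
                                        type: string
                                      items:
                                        type: array
                                        items:
                                          type: object
                                          properties:
                                            key:
                                              type: string
                                          required:
                                            - key
                                    required:
                                      - items
                                      - name
                                  secret:
                                    type: object
                                    properties:
                                      name:
                                        type: string
                                      items:
                                        type: array
                                        items:
                                          type: object
                                          properties:
                                            key:
                                              type: string
                                          required:
                                            - key
                                    required:
                                      - items
                                      - name
                        creationPolicy:
                          type: string
                          default: Owner
                          description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner'
                          enum:
                            - Owner
                            - Orphan
                            - Merge
                            - None
                        deletionPolicy:
                          type: string
                          default: Retain
                          description: DeletionPolicy defines rules on how to delete the resulting Secret Defaults to 'Retain'
                          enum:
                            - Delete
                            - Merge
                            - Retain
                        immutable:
                          type: boolean
                          description: Immutable defines if the final secret will be immutable
                  # secretStoreRef is the only required field of externalSecretSpec.
                  required:
                    - secretStoreRef
                namespaceSelector:
                  type: object
                  description: The labels to select by to find the Namespaces to create the ExternalSecrets in.
                  properties:
                    matchExpressions:
                      type: array
                      description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
                      items:
                        type: object
                        description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
                        properties:
                          key:
                            type: string
                            description: key is the label key that the selector applies to.
                          operator:
                            type: string
                            description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
                          values:
                            type: array
                            description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
                            items:
                              type: string
                        required:
                          - key
                          - operator
                    matchLabels:
                      type: object
                      additionalProperties:
                        type: string
                      description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
                refreshTime:
                  type: string
                  description: The time in which the controller should reconcile it's objects and recheck namespaces for labels.
              required:
                - externalSecretSpec
                - namespaceSelector
            status:
              type: object
              description: ClusterExternalSecretStatus defines the observed state of ClusterExternalSecret.
              properties:
                conditions:
                  type: array
                  items:
                    type: object
                    properties:
                      type:
                        type: string
                      status:
                        type: string
                      message:
                        type: string
                    required:
                      - status
                      - type
                failedNamespaces:
                  type: array
                  description: Failed namespaces are the namespaces that failed to apply an ExternalSecret
                  items:
                    type: object
                    description: ClusterExternalSecretNamespaceFailure represents a failed namespace deployment and it's reason.
                    properties:
                      namespace:
                        type: string
                        description: Namespace is the namespace that failed when trying to apply an ExternalSecret
                      reason:
                        type: string
                        description: Reason is why the ExternalSecret failed to apply to the namespace
                    required:
                      - namespace
                provisionedNamespaces:
                  type: array
                  description: ProvisionedNamespaces are the namespaces where the ClusterExternalSecret has secrets
                  items:
                    type: string
      served: true
      storage: true
      # Status is a subresource, so status updates go through the /status
      # endpoint rather than the main object.
      subresources:
        status: {}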
353---
354# Source: external-secrets/templates/crds/clustersecretstore.yaml
355apiVersion: apiextensions.k8s.io/v1
356kind: CustomResourceDefinition
357metadata:
358 name: clustersecretstores.external-secrets.io
359 annotations:
360 controller-gen.kubebuilder.io/version: v0.9.0
361 pallet.edge.ncr.com/created: "2023-02-16T21:26:39Z"
362 pallet.edge.ncr.com/name: external-secrets-operator
363 pallet.edge.ncr.com/revision: 696897a3df910b6e84a88c9336907a17b18159c1
364 pallet.edge.ncr.com/source: https://github.com/ncrvoyix-swt-retail/edge-infra/tree/696897a3df910b6e84a88c9336907a17b18159c1
365 pallet.edge.ncr.com/team: '@ncrvoyix-swt-retail/edge-infra'
366 pallet.edge.ncr.com/version: 7.7.7-rc.1676582799+commit.696897a
367 labels: {}
368spec:
369 conversion:
370 strategy: Webhook
371 webhook:
372 clientConfig:
373 service:
374 name: kexternal-secrets-webhook
375 namespace: "external-secrets"
376 path: /convert
377 conversionReviewVersions:
378 - v1
379 group: external-secrets.io
380 names:
381 kind: ClusterSecretStore
382 categories:
383 - externalsecrets
384 listKind: ClusterSecretStoreList
385 plural: clustersecretstores
386 shortNames:
387 - css
388 singular: clustersecretstore
389 scope: Cluster
390 versions:
391 - name: v1alpha1
392 additionalPrinterColumns:
393 - name: AGE
394 type: date
395 jsonPath: .metadata.creationTimestamp
396 - name: Status
397 type: string
398 jsonPath: .status.conditions[?(@.type=="Ready")].reason
399 deprecated: true
400 schema:
401 openAPIV3Schema:
402 type: object
403 description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
404 properties:
405 apiVersion:
406 type: string
407 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
408 kind:
409 type: string
410 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
411 metadata:
412 type: object
413 spec:
414 type: object
415 description: SecretStoreSpec defines the desired state of SecretStore.
416 properties:
417 controller:
418 type: string
419 description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property'
420 provider:
421 type: object
422 description: Used to configure the provider. Only one provider may be set
423 maxProperties: 1
424 minProperties: 1
425 properties:
426 akeyless:
427 type: object
428 description: Akeyless configures this store to sync secrets using Akeyless Vault provider
429 properties:
430 akeylessGWApiURL:
431 type: string
432 description: Akeyless GW API Url from which the secrets to be fetched from.
433 authSecretRef:
434 type: object
435 description: Auth configures how the operator authenticates with Akeyless.
436 properties:
437 secretRef:
438 type: object
439 description: 'AkeylessAuthSecretRef AKEYLESS_ACCESS_TYPE_PARAM: AZURE_OBJ_ID OR GCP_AUDIENCE OR ACCESS_KEY OR KUB_CONFIG_NAME.'
440 properties:
441 accessID:
442 type: object
443 description: The SecretAccessID is used for authentication
444 properties:
445 name:
446 type: string
447 description: The name of the Secret resource being referred to.
448 namespace:
449 type: string
450 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
451 key:
452 type: string
453 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
454 accessType:
455 type: object
456 description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
457 properties:
458 name:
459 type: string
460 description: The name of the Secret resource being referred to.
461 namespace:
462 type: string
463 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
464 key:
465 type: string
466 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
467 accessTypeParam:
468 type: object
469 description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
470 properties:
471 name:
472 type: string
473 description: The name of the Secret resource being referred to.
474 namespace:
475 type: string
476 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
477 key:
478 type: string
479 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
480 required:
481 - secretRef
482 required:
483 - akeylessGWApiURL
484 - authSecretRef
485 alibaba:
486 type: object
487 description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
488 properties:
489 auth:
490 type: object
491 description: AlibabaAuth contains a secretRef for credentials.
492 properties:
493 secretRef:
494 type: object
495 description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
496 properties:
497 accessKeyIDSecretRef:
498 type: object
499 description: The AccessKeyID is used for authentication
500 properties:
501 name:
502 type: string
503 description: The name of the Secret resource being referred to.
504 namespace:
505 type: string
506 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
507 key:
508 type: string
509 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
510 accessKeySecretSecretRef:
511 type: object
512 description: The AccessKeySecret is used for authentication
513 properties:
514 name:
515 type: string
516 description: The name of the Secret resource being referred to.
517 namespace:
518 type: string
519 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
520 key:
521 type: string
522 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
523 required:
524 - accessKeyIDSecretRef
525 - accessKeySecretSecretRef
526 required:
527 - secretRef
528 endpoint:
529 type: string
530 regionID:
531 type: string
532 description: Alibaba Region to be used for the provider
533 required:
534 - auth
535 - regionID
536 aws:
537 type: object
538 description: AWS configures this store to sync secrets using AWS Secret Manager provider
539 properties:
540 service:
541 type: string
542 description: Service defines which service should be used to fetch the secrets
543 enum:
544 - SecretsManager
545 - ParameterStore
546 auth:
547 type: object
548 description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
549 properties:
550 secretRef:
551 type: object
552 description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
553 properties:
554 accessKeyIDSecretRef:
555 type: object
556 description: The AccessKeyID is used for authentication
557 properties:
558 name:
559 type: string
560 description: The name of the Secret resource being referred to.
561 namespace:
562 type: string
563 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
564 key:
565 type: string
566 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
567 secretAccessKeySecretRef:
568 type: object
569 description: The SecretAccessKey is used for authentication
570 properties:
571 name:
572 type: string
573 description: The name of the Secret resource being referred to.
574 namespace:
575 type: string
576 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
577 key:
578 type: string
579 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
580 jwt:
581 type: object
582 description: Authenticate against AWS using service account tokens.
583 properties:
584 serviceAccountRef:
585 type: object
586 description: A reference to a ServiceAccount resource.
587 properties:
588 name:
589 type: string
590 description: The name of the ServiceAccount resource being referred to.
591 namespace:
592 type: string
593 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
594 required:
595 - name
596 region:
597 type: string
598 description: AWS Region to be used for the provider
599 role:
600 type: string
601 description: Role is a Role ARN which the SecretManager provider will assume
602 required:
603 - region
604 - service
605 azurekv:
606 type: object
607 description: AzureKV configures this store to sync secrets using Azure Key Vault provider
608 properties:
609 authSecretRef:
610 type: object
611 description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type.
612 properties:
613 clientId:
614 type: object
615 description: The Azure clientId of the service principle used for authentication.
616 properties:
617 name:
618 type: string
619 description: The name of the Secret resource being referred to.
620 namespace:
621 type: string
622 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
623 key:
624 type: string
625 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
626 clientSecret:
627 type: object
628 description: The Azure ClientSecret of the service principle used for authentication.
629 properties:
630 name:
631 type: string
632 description: The name of the Secret resource being referred to.
633 namespace:
634 type: string
635 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
636 key:
637 type: string
638 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
639 authType:
640 type: string
641 default: ServicePrincipal
642 description: 'Auth type defines how to authenticate to the keyvault service. Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)'
643 enum:
644 - ServicePrincipal
645 - ManagedIdentity
646 - WorkloadIdentity
647 identityId:
648 type: string
649 description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
650 serviceAccountRef:
651 type: object
652 description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity.
653 properties:
654 name:
655 type: string
656 description: The name of the ServiceAccount resource being referred to.
657 namespace:
658 type: string
659 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
660 required:
661 - name
662 tenantId:
663 type: string
664 description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
665 vaultUrl:
666 type: string
667 description: Vault Url from which the secrets to be fetched from.
668 required:
669 - vaultUrl
670 fake:
671 type: object
672 description: Fake configures a store with static key/value pairs
673 properties:
674 data:
675 type: array
676 items:
677 type: object
678 properties:
679 value:
680 type: string
681 key:
682 type: string
683 valueMap:
684 type: object
685 additionalProperties:
686 type: string
687 version:
688 type: string
689 required:
690 - key
691 required:
692 - data
693 gcpsm:
694 type: object
695 description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
696 properties:
697 auth:
698 type: object
699 description: Auth defines the information necessary to authenticate against GCP
700 properties:
701 secretRef:
702 type: object
703 properties:
704 secretAccessKeySecretRef:
705 type: object
706 description: The SecretAccessKey is used for authentication
707 properties:
708 name:
709 type: string
710 description: The name of the Secret resource being referred to.
711 namespace:
712 type: string
713 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
714 key:
715 type: string
716 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
717 workloadIdentity:
718 type: object
719 properties:
720 clusterName:
721 type: string
722 clusterLocation:
723 type: string
724 clusterProjectID:
725 type: string
726 serviceAccountRef:
727 type: object
728 description: A reference to a ServiceAccount resource.
729 properties:
730 name:
731 type: string
732 description: The name of the ServiceAccount resource being referred to.
733 namespace:
734 type: string
735 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
736 required:
737 - name
738 required:
739 - clusterLocation
740 - clusterName
741 - serviceAccountRef
742 projectID:
743 type: string
744 description: ProjectID project where secret is located
745 gitlab:
746 type: object
747 description: Gitlab configures this store to sync secrets using Gitlab Variables provider
748 properties:
749 auth:
750 type: object
751 description: Auth configures how secret-manager authenticates with a GitLab instance.
752 properties:
753 SecretRef:
754 type: object
755 properties:
756 accessToken:
757 type: object
758 description: AccessToken is used for authentication.
759 properties:
760 name:
761 type: string
762 description: The name of the Secret resource being referred to.
763 namespace:
764 type: string
765 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
766 key:
767 type: string
768 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
769 required:
770 - SecretRef
771 projectID:
772 type: string
773 description: ProjectID specifies a project where secrets are located.
774 url:
775 type: string
776 description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
777 required:
778 - auth
779 ibm:
780 type: object
781 description: IBM configures this store to sync secrets using IBM Cloud provider
782 properties:
783 auth:
784 type: object
785 description: Auth configures how secret-manager authenticates with the IBM secrets manager.
786 properties:
787 secretRef:
788 type: object
789 properties:
790 secretApiKeySecretRef:
791 type: object
792 description: The SecretAccessKey is used for authentication
793 properties:
794 name:
795 type: string
796 description: The name of the Secret resource being referred to.
797 namespace:
798 type: string
799 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
800 key:
801 type: string
802 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
803 required:
804 - secretRef
805 serviceUrl:
806 type: string
807 description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
808 required:
809 - auth
810 kubernetes:
811 type: object
812 description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
813 properties:
814 auth:
815 type: object
816 description: Auth configures how secret-manager authenticates with a Kubernetes instance.
817 maxProperties: 1
818 minProperties: 1
819 properties:
820 serviceAccount:
821 type: object
822 description: points to a service account that should be used for authentication
823 properties:
824 serviceAccount:
825 type: object
826 description: A reference to a ServiceAccount resource.
827 properties:
828 name:
829 type: string
830 description: The name of the ServiceAccount resource being referred to.
831 namespace:
832 type: string
833 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
834 required:
835 - name
836 cert:
837 type: object
838 description: has both clientCert and clientKey as secretKeySelector
839 properties:
840 clientCert:
841 type: object
842 description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
843 properties:
844 name:
845 type: string
846 description: The name of the Secret resource being referred to.
847 namespace:
848 type: string
849 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
850 key:
851 type: string
852 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
853 clientKey:
854 type: object
855 description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
856 properties:
857 name:
858 type: string
859 description: The name of the Secret resource being referred to.
860 namespace:
861 type: string
862 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
863 key:
864 type: string
865 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
866 token:
867 type: object
868 description: use static token to authenticate with
869 properties:
870 bearerToken:
871 type: object
872 description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
873 properties:
874 name:
875 type: string
876 description: The name of the Secret resource being referred to.
877 namespace:
878 type: string
879 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
880 key:
881 type: string
882 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
883 remoteNamespace:
884 type: string
885 default: default
886 description: Remote namespace to fetch the secrets from
887 server:
888 type: object
889 description: configures the Kubernetes server Address.
890 properties:
891 caBundle:
892 type: string
893 description: CABundle is a base64-encoded CA certificate
894 format: byte
895 caProvider:
896 type: object
897 description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
898 properties:
899 name:
900 type: string
901 description: The name of the object located at the provider type.
902 namespace:
903 type: string
904 description: The namespace the Provider type is in.
905 type:
906 type: string
907 description: The type of provider to use such as "Secret", or "ConfigMap".
908 enum:
909 - Secret
910 - ConfigMap
911 key:
912 type: string
913 description: The key of the value inside the provider type to use; only used with the "Secret" type
914 required:
915 - name
916 - type
917 url:
918 type: string
919 default: kubernetes.default
920 description: configures the Kubernetes server Address.
921 required:
922 - auth
923 oracle:
924 type: object
925 description: Oracle configures this store to sync secrets using Oracle Vault provider
926 properties:
927 auth:
928 type: object
929 description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth.
930 properties:
931 secretRef:
932 type: object
933 description: SecretRef to pass through sensitive information.
934 properties:
935 fingerprint:
936 type: object
937 description: Fingerprint is the fingerprint of the API private key.
938 properties:
939 name:
940 type: string
941 description: The name of the Secret resource being referred to.
942 namespace:
943 type: string
944 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
945 key:
946 type: string
947 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
948 privatekey:
949 type: object
950 description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
951 properties:
952 name:
953 type: string
954 description: The name of the Secret resource being referred to.
955 namespace:
956 type: string
957 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
958 key:
959 type: string
960 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
961 required:
962 - fingerprint
963 - privatekey
964 tenancy:
965 type: string
966 description: Tenancy is the tenancy OCID where user is located.
967 user:
968 type: string
969 description: User is an access OCID specific to the account.
970 required:
971 - secretRef
972 - tenancy
973 - user
974 region:
975 type: string
976 description: Region is the region where vault is located.
977 vault:
978 type: string
979 description: Vault is the vault's OCID of the specific vault where secret is located.
980 required:
981 - region
982 - vault
983 vault:
984 type: object
985 description: Vault configures this store to sync secrets using Hashi provider
986 properties:
987 namespace:
988 type: string
989 description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
990 auth:
991 type: object
992 description: Auth configures how secret-manager authenticates with the Vault server.
993 properties:
994 appRole:
995 type: object
996 description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
997 properties:
998 secretRef:
999 type: object
1000 description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
1001 properties:
1002 name:
1003 type: string
1004 description: The name of the Secret resource being referred to.
1005 namespace:
1006 type: string
1007 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
1008 key:
1009 type: string
1010 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1011 path:
1012 type: string
1013 default: approle
1014 description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
1015 roleId:
1016 type: string
1017 description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
1018 required:
1019 - path
1020 - roleId
1021 - secretRef
1022 cert:
1023 type: object
1024 description: Cert authenticates with Vault using the Cert authentication method, by passing a client certificate, private key and CA certificate
1025 properties:
1026 secretRef:
1027 type: object
1028 description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method
1029 properties:
1030 name:
1031 type: string
1032 description: The name of the Secret resource being referred to.
1033 namespace:
1034 type: string
1035 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
1036 key:
1037 type: string
1038 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1039 clientCert:
1040 type: object
1041 description: ClientCert is a certificate to authenticate using the Cert Vault authentication method
1042 properties:
1043 name:
1044 type: string
1045 description: The name of the Secret resource being referred to.
1046 namespace:
1047 type: string
1048 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
1049 key:
1050 type: string
1051 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1052 jwt:
1053 type: object
1054 description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method
1055 properties:
1056 secretRef:
1057 type: object
1058 description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method.
1059 properties:
1060 name:
1061 type: string
1062 description: The name of the Secret resource being referred to.
1063 namespace:
1064 type: string
1065 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
1066 key:
1067 type: string
1068 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1069 kubernetesServiceAccountToken:
1070 type: object
1071 description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API.
1072 properties:
1073 audiences:
1074 type: array
1075 description: Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` if not specified.
1076 items:
1077 type: string
1078 expirationSeconds:
1079 type: integer
1080 description: Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to 10 minutes.
1081 format: int64
1082 serviceAccountRef:
1083 type: object
1084 description: Service account field containing the name of a kubernetes ServiceAccount.
1085 properties:
1086 name:
1087 type: string
1088 description: The name of the ServiceAccount resource being referred to.
1089 namespace:
1090 type: string
1091 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
1092 required:
1093 - name
1094 required:
1095 - serviceAccountRef
1096 path:
1097 type: string
1098 default: jwt
1099 description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"'
1100 role:
1101 type: string
1102 description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method
1103 required:
1104 - path
1105 kubernetes:
1106 type: object
1107 description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
1108 properties:
1109 mountPath:
1110 type: string
1111 default: kubernetes
1112 description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"'
1113 secretRef:
1114 type: object
1115 description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If no secret is specified, the ServiceAccount JWT bound to the controller will be used.
1116 properties:
1117 name:
1118 type: string
1119 description: The name of the Secret resource being referred to.
1120 namespace:
1121 type: string
1122 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
1123 key:
1124 type: string
1125 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1126 role:
1127 type: string
1128 description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
1129 serviceAccountRef:
1130 type: object
1131 description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead.
1132 properties:
1133 name:
1134 type: string
1135 description: The name of the ServiceAccount resource being referred to.
1136 namespace:
1137 type: string
1138 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
1139 required:
1140 - name
1141 required:
1142 - mountPath
1143 - role
1144 ldap:
1145 type: object
1146 description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method
1147 properties:
1148 secretRef:
1149 type: object
1150 description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method
1151 properties:
1152 name:
1153 type: string
1154 description: The name of the Secret resource being referred to.
1155 namespace:
1156 type: string
1157 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
1158 key:
1159 type: string
1160 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1161 path:
1162 type: string
1163 default: ldap
1164 description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"'
1165 username:
1166 type: string
1167 description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method
1168 required:
1169 - path
1170 - username
1171 tokenSecretRef:
1172 type: object
1173 description: TokenSecretRef authenticates with Vault by presenting a token.
1174 properties:
1175 name:
1176 type: string
1177 description: The name of the Secret resource being referred to.
1178 namespace:
1179 type: string
1180 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
1181 key:
1182 type: string
1183 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1184 caBundle:
1185 type: string
1186 description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
1187 format: byte
1188 caProvider:
1189 type: object
1190 description: The provider for the CA bundle to use to validate Vault server certificate.
1191 properties:
1192 name:
1193 type: string
1194 description: The name of the object located at the provider type.
1195 namespace:
1196 type: string
1197 description: The namespace the Provider type is in.
1198 type:
1199 type: string
1200 description: The type of provider to use such as "Secret", or "ConfigMap".
1201 enum:
1202 - Secret
1203 - ConfigMap
1204 key:
1205 type: string
1206 description: The key of the value inside the provider type to use; only used with the "Secret" type
1207 required:
1208 - name
1209 - type
1210 forwardInconsistent:
1211 type: boolean
1212 description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
1213 path:
1214 type: string
1215 description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.'
1216 readYourWrites:
1217 type: boolean
1218 description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency
1219 server:
1220 type: string
1221 description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
1222 version:
1223 type: string
1224 default: v2
1225 description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2".
1226 enum:
1227 - v1
1228 - v2
1229 required:
1230 - auth
1231 - server
1232 webhook:
1233 type: object
1234 description: Webhook configures this store to sync secrets using a generic templated webhook
1235 properties:
1236 body:
1237 type: string
1238 description: Body
1239 caBundle:
1240 type: string
1241 description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
1242 format: byte
1243 caProvider:
1244 type: object
1245 description: The provider for the CA bundle to use to validate webhook server certificate.
1246 properties:
1247 name:
1248 type: string
1249 description: The name of the object located at the provider type.
1250 namespace:
1251 type: string
1252 description: The namespace the Provider type is in.
1253 type:
1254 type: string
1255 description: The type of provider to use such as "Secret", or "ConfigMap".
1256 enum:
1257 - Secret
1258 - ConfigMap
1259 key:
1260 type: string
1261 description: The key of the value inside the provider type to use; only used with the "Secret" type
1262 required:
1263 - name
1264 - type
1265 headers:
1266 type: object
1267 additionalProperties:
1268 type: string
1269 description: Headers
1270 method:
1271 type: string
1272 description: Webhook Method
1273 result:
1274 type: object
1275 description: Result formatting
1276 properties:
1277 jsonPath:
1278 type: string
1279 description: Json path of return value
1280 secrets:
1281 type: array
1282 description: Secrets to fill in templates. These secrets will be passed to the templating function as key-value pairs under the given name
1283 items:
1284 type: object
1285 properties:
1286 name:
1287 type: string
1288 description: Name of this secret in templates
1289 secretRef:
1290 type: object
1291 description: Secret ref to fill in credentials
1292 properties:
1293 name:
1294 type: string
1295 description: The name of the Secret resource being referred to.
1296 namespace:
1297 type: string
1298 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
1299 key:
1300 type: string
1301 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1302 required:
1303 - name
1304 - secretRef
1305 timeout:
1306 type: string
1307 description: Timeout
1308 url:
1309 type: string
1310 description: Webhook url to call
1311 required:
1312 - result
1313 - url
1314 yandexlockbox:
1315 type: object
1316 description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
1317 properties:
1318 apiEndpoint:
1319 type: string
1320 description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
1321 auth:
1322 type: object
1323 description: Auth defines the information necessary to authenticate against Yandex Lockbox
1324 properties:
1325 authorizedKeySecretRef:
1326 type: object
1327 description: The authorized key used for authentication
1328 properties:
1329 name:
1330 type: string
1331 description: The name of the Secret resource being referred to.
1332 namespace:
1333 type: string
1334 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
1335 key:
1336 type: string
1337 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1338 caProvider:
1339 type: object
1340 description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
1341 properties:
1342 certSecretRef:
1343 type: object
1344 description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
1345 properties:
1346 name:
1347 type: string
1348 description: The name of the Secret resource being referred to.
1349 namespace:
1350 type: string
1351 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
1352 key:
1353 type: string
1354 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1355 required:
1356 - auth
1357 retrySettings:
1358 type: object
1359 description: Used to configure HTTP retries on failure
1360 properties:
1361 maxRetries:
1362 type: integer
1363 format: int32
1364 retryInterval:
1365 type: string
1366 required:
1367 - provider
1368 status:
1369 type: object
1370 description: SecretStoreStatus defines the observed state of the SecretStore.
1371 properties:
1372 conditions:
1373 type: array
1374 items:
1375 type: object
1376 properties:
1377 type:
1378 type: string
1379 status:
1380 type: string
1381 lastTransitionTime:
1382 type: string
1383 format: date-time
1384 message:
1385 type: string
1386 reason:
1387 type: string
1388 required:
1389 - status
1390 - type
1391 served: true
1392 storage: false
1393 subresources:
1394 status: {}
1395 - name: v1beta1
1396 additionalPrinterColumns:
1397 - name: AGE
1398 type: date
1399 jsonPath: .metadata.creationTimestamp
1400 schema:
1401 openAPIV3Schema:
1402 type: object
1403 description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
1404 properties:
1405 apiVersion:
1406 type: string
1407 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
1408 kind:
1409 type: string
1410 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
1411 metadata:
1412 type: object
1413 spec:
1414 type: object
1415 description: SecretStoreSpec defines the desired state of SecretStore.
1416 properties:
1417 controller:
1418 type: string
1419 description: 'Used to select the correct KES controller (think: ingress.ingressClassName). The KES controller is instantiated with a specific controller name and filters ES based on this property'
1420 provider:
1421 type: object
1422 description: Used to configure the provider. Only one provider may be set
1423 maxProperties: 1
1424 minProperties: 1
1425 properties:
1426 akeyless:
1427 type: object
1428 description: Akeyless configures this store to sync secrets using Akeyless Vault provider
1429 properties:
1430 akeylessGWApiURL:
1431 type: string
1432 description: Akeyless GW API URL from which the secrets are to be fetched.
1433 authSecretRef:
1434 type: object
1435 description: Auth configures how the operator authenticates with Akeyless.
1436 properties:
1437 secretRef:
1438 type: object
1439 description: 'AkeylessAuthSecretRef AKEYLESS_ACCESS_TYPE_PARAM: AZURE_OBJ_ID OR GCP_AUDIENCE OR ACCESS_KEY OR KUB_CONFIG_NAME.'
1440 properties:
1441 accessID:
1442 type: object
1443 description: The SecretAccessID is used for authentication
1444 properties:
1445 name:
1446 type: string
1447 description: The name of the Secret resource being referred to.
1448 namespace:
1449 type: string
1450 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
1451 key:
1452 type: string
1453 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1454 accessType:
1455 type: object
1456 description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
1457 properties:
1458 name:
1459 type: string
1460 description: The name of the Secret resource being referred to.
1461 namespace:
1462 type: string
1463 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
1464 key:
1465 type: string
1466 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1467 accessTypeParam:
1468 type: object
1469 description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
1470 properties:
1471 name:
1472 type: string
1473 description: The name of the Secret resource being referred to.
1474 namespace:
1475 type: string
1476 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
1477 key:
1478 type: string
1479 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1480 required:
1481 - secretRef
1482 required:
1483 - akeylessGWApiURL
1484 - authSecretRef
1485 alibaba:
1486 type: object
1487 description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
1488 properties:
1489 auth:
1490 type: object
1491 description: AlibabaAuth contains a secretRef for credentials.
1492 properties:
1493 secretRef:
1494 type: object
1495 description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
1496 properties:
1497 accessKeyIDSecretRef:
1498 type: object
1499 description: The AccessKeyID is used for authentication
1500 properties:
1501 name:
1502 type: string
1503 description: The name of the Secret resource being referred to.
1504 namespace:
1505 type: string
1506 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
1507 key:
1508 type: string
1509 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1510 accessKeySecretSecretRef:
1511 type: object
1512 description: The AccessKeySecret is used for authentication
1513 properties:
1514 name:
1515 type: string
1516 description: The name of the Secret resource being referred to.
1517 namespace:
1518 type: string
1519 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
1520 key:
1521 type: string
1522 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1523 required:
1524 - accessKeyIDSecretRef
1525 - accessKeySecretSecretRef
1526 required:
1527 - secretRef
1528 endpoint:
1529 type: string
1530 regionID:
1531 type: string
1532 description: Alibaba Region to be used for the provider
1533 required:
1534 - auth
1535 - regionID
1536 aws:
1537 type: object
1538 description: AWS configures this store to sync secrets using AWS Secret Manager provider
1539 properties:
1540 service:
1541 type: string
1542 description: Service defines which service should be used to fetch the secrets
1543 enum:
1544 - SecretsManager
1545 - ParameterStore
1546 auth:
1547 type: object
1548 description: 'Auth defines the information necessary to authenticate against AWS. If not set, the AWS SDK will infer credentials from your environment; see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
1549 properties:
1550 secretRef:
1551 type: object
1552 description: AWSAuthSecretRef holds secret references for AWS credentials; both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
1553 properties:
1554 accessKeyIDSecretRef:
1555 type: object
1556 description: The AccessKeyID is used for authentication
1557 properties:
1558 name:
1559 type: string
1560 description: The name of the Secret resource being referred to.
1561 namespace:
1562 type: string
1563 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
1564 key:
1565 type: string
1566 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1567 secretAccessKeySecretRef:
1568 type: object
1569 description: The SecretAccessKey is used for authentication
1570 properties:
1571 name:
1572 type: string
1573 description: The name of the Secret resource being referred to.
1574 namespace:
1575 type: string
1576 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
1577 key:
1578 type: string
1579 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1580 jwt:
1581 type: object
1582 description: Authenticate against AWS using service account tokens.
1583 properties:
1584 serviceAccountRef:
1585 type: object
1586 description: A reference to a ServiceAccount resource.
1587 properties:
1588 name:
1589 type: string
1590 description: The name of the ServiceAccount resource being referred to.
1591 namespace:
1592 type: string
1593 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
1594 required:
1595 - name
1596 region:
1597 type: string
1598 description: AWS Region to be used for the provider
1599 role:
1600 type: string
1601 description: Role is a Role ARN which the SecretManager provider will assume
1602 required:
1603 - region
1604 - service
1605 azurekv:
1606 type: object
1607 description: AzureKV configures this store to sync secrets using Azure Key Vault provider
1608 properties:
1609 authSecretRef:
1610 type: object
1611 description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type.
1612 properties:
1613 clientId:
1614 type: object
1615 description: The Azure clientId of the service principal used for authentication.
1616 properties:
1617 name:
1618 type: string
1619 description: The name of the Secret resource being referred to.
1620 namespace:
1621 type: string
1622 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
1623 key:
1624 type: string
1625 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1626 clientSecret:
1627 type: object
1628 description: The Azure ClientSecret of the service principal used for authentication.
1629 properties:
1630 name:
1631 type: string
1632 description: The name of the Secret resource being referred to.
1633 namespace:
1634 type: string
1635 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
1636 key:
1637 type: string
1638 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1639 authType:
1640 type: string
1641 default: ServicePrincipal
1642 description: 'Auth type defines how to authenticate to the keyvault service. Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) - "WorkloadIdentity": Using the Kubernetes ServiceAccount referenced by serviceAccountRef'
1643 enum:
1644 - ServicePrincipal
1645 - ManagedIdentity
1646 - WorkloadIdentity
1647 identityId:
1648 type: string
1649 description: If multiple Managed Identities are assigned to the pod, this selects the one to be used
1650 serviceAccountRef:
1651 type: object
1652 description: ServiceAccountRef specifies the service account that should be used when authenticating with WorkloadIdentity.
1653 properties:
1654 name:
1655 type: string
1656 description: The name of the ServiceAccount resource being referred to.
1657 namespace:
1658 type: string
1659 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
1660 required:
1661 - name
1662 tenantId:
1663 type: string
1664 description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
1665 vaultUrl:
1666 type: string
1667 description: Vault URL from which the secrets are fetched.
1668 required:
1669 - vaultUrl
1670 fake:
1671 type: object
1672 description: Fake configures a store with static key/value pairs
1673 properties:
1674 data:
1675 type: array
1676 items:
1677 type: object
1678 properties:
1679 value:
1680 type: string
1681 key:
1682 type: string
1683 valueMap:
1684 type: object
1685 additionalProperties:
1686 type: string
1687 version:
1688 type: string
1689 required:
1690 - key
1691 required:
1692 - data
1693 gcpsm:
1694 type: object
1695 description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
1696 properties:
1697 auth:
1698 type: object
1699 description: Auth defines the information necessary to authenticate against GCP
1700 properties:
1701 secretRef:
1702 type: object
1703 properties:
1704 secretAccessKeySecretRef:
1705 type: object
1706 description: The SecretAccessKey is used for authentication
1707 properties:
1708 name:
1709 type: string
1710 description: The name of the Secret resource being referred to.
1711 namespace:
1712 type: string
1713 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
1714 key:
1715 type: string
1716 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1717 workloadIdentity:
1718 type: object
1719 properties:
1720 clusterName:
1721 type: string
1722 clusterLocation:
1723 type: string
1724 clusterProjectID:
1725 type: string
1726 serviceAccountRef:
1727 type: object
1728 description: A reference to a ServiceAccount resource.
1729 properties:
1730 name:
1731 type: string
1732 description: The name of the ServiceAccount resource being referred to.
1733 namespace:
1734 type: string
1735 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
1736 required:
1737 - name
1738 required:
1739 - clusterLocation
1740 - clusterName
1741 - serviceAccountRef
1742 projectID:
1743 type: string
1744 description: ProjectID project where secret is located
1745 gitlab:
1746 type: object
1747 description: Gitlab configures this store to sync secrets using Gitlab Variables provider
1748 properties:
1749 auth:
1750 type: object
1751 description: Auth configures how secret-manager authenticates with a GitLab instance.
1752 properties:
1753 SecretRef:
1754 type: object
1755 properties:
1756 accessToken:
1757 type: object
1758 description: AccessToken is used for authentication.
1759 properties:
1760 name:
1761 type: string
1762 description: The name of the Secret resource being referred to.
1763 namespace:
1764 type: string
1765 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
1766 key:
1767 type: string
1768 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1769 required:
1770 - SecretRef
1771 projectID:
1772 type: string
1773 description: ProjectID specifies a project where secrets are located.
1774 url:
1775 type: string
1776 description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
1777 required:
1778 - auth
1779 ibm:
1780 type: object
1781 description: IBM configures this store to sync secrets using IBM Cloud provider
1782 properties:
1783 auth:
1784 type: object
1785 description: Auth configures how secret-manager authenticates with the IBM secrets manager.
1786 properties:
1787 secretRef:
1788 type: object
1789 properties:
1790 secretApiKeySecretRef:
1791 type: object
1792 description: The secret API key is used for authentication
1793 properties:
1794 name:
1795 type: string
1796 description: The name of the Secret resource being referred to.
1797 namespace:
1798 type: string
1799 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
1800 key:
1801 type: string
1802 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1803 required:
1804 - secretRef
1805 serviceUrl:
1806 type: string
1807 description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
1808 required:
1809 - auth
1810 kubernetes:
1811 type: object
1812 description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
1813 properties:
1814 auth:
1815 type: object
1816 description: Auth configures how secret-manager authenticates with a Kubernetes instance.
1817 maxProperties: 1
1818 minProperties: 1
1819 properties:
1820 serviceAccount:
1821 type: object
1822 description: points to a service account that should be used for authentication
1823 properties:
1824 serviceAccount:
1825 type: object
1826 description: A reference to a ServiceAccount resource.
1827 properties:
1828 name:
1829 type: string
1830 description: The name of the ServiceAccount resource being referred to.
1831 namespace:
1832 type: string
1833 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
1834 required:
1835 - name
1836 cert:
1837 type: object
1838 description: has both clientCert and clientKey as secretKeySelector
1839 properties:
1840 clientCert:
1841 type: object
1842 description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
1843 properties:
1844 name:
1845 type: string
1846 description: The name of the Secret resource being referred to.
1847 namespace:
1848 type: string
1849 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
1850 key:
1851 type: string
1852 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1853 clientKey:
1854 type: object
1855 description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
1856 properties:
1857 name:
1858 type: string
1859 description: The name of the Secret resource being referred to.
1860 namespace:
1861 type: string
1862 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
1863 key:
1864 type: string
1865 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1866 token:
1867 type: object
1868 description: use static token to authenticate with
1869 properties:
1870 bearerToken:
1871 type: object
1872 description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
1873 properties:
1874 name:
1875 type: string
1876 description: The name of the Secret resource being referred to.
1877 namespace:
1878 type: string
1879 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
1880 key:
1881 type: string
1882 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1883 remoteNamespace:
1884 type: string
1885 default: default
1886 description: Remote namespace to fetch the secrets from
1887 server:
1888 type: object
1889 description: configures the Kubernetes server Address.
1890 properties:
1891 caBundle:
1892 type: string
1893 description: CABundle is a base64-encoded CA certificate
1894 format: byte
1895 caProvider:
1896 type: object
1897 description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
1898 properties:
1899 name:
1900 type: string
1901 description: The name of the object located at the provider type.
1902 namespace:
1903 type: string
1904 description: The namespace the Provider type is in.
1905 type:
1906 type: string
1907 description: The type of provider to use such as "Secret", or "ConfigMap".
1908 enum:
1909 - Secret
1910 - ConfigMap
1911 key:
1912 type: string
1913 description: The key of the value inside the provider type to use; only used with the "Secret" type
1914 required:
1915 - name
1916 - type
1917 url:
1918 type: string
1919 default: kubernetes.default
1920 description: configures the Kubernetes server Address.
1921 required:
1922 - auth
1923 onepassword:
1924 type: object
1925 description: OnePassword configures this store to sync secrets using the 1Password Cloud provider
1926 properties:
1927 auth:
1928 type: object
1929 description: Auth defines the information necessary to authenticate against OnePassword Connect Server
1930 properties:
1931 secretRef:
1932 type: object
1933 description: OnePasswordAuthSecretRef holds secret references for 1Password credentials.
1934 properties:
1935 connectTokenSecretRef:
1936 type: object
1937 description: The ConnectToken is used for authentication to a 1Password Connect Server.
1938 properties:
1939 name:
1940 type: string
1941 description: The name of the Secret resource being referred to.
1942 namespace:
1943 type: string
1944 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
1945 key:
1946 type: string
1947 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1948 required:
1949 - connectTokenSecretRef
1950 required:
1951 - secretRef
1952 connectHost:
1953 type: string
1954 description: ConnectHost defines the OnePassword Connect Server to connect to
1955 vaults:
1956 type: object
1957 additionalProperties:
1958 type: integer
1959 description: Vaults defines which OnePassword vaults to search in which order
1960 required:
1961 - auth
1962 - connectHost
1963 - vaults
1964 oracle:
1965 type: object
1966 description: Oracle configures this store to sync secrets using Oracle Vault provider
1967 properties:
1968 auth:
1969 type: object
1970 description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth.
1971 properties:
1972 secretRef:
1973 type: object
1974 description: SecretRef to pass through sensitive information.
1975 properties:
1976 fingerprint:
1977 type: object
1978 description: Fingerprint is the fingerprint of the API private key.
1979 properties:
1980 name:
1981 type: string
1982 description: The name of the Secret resource being referred to.
1983 namespace:
1984 type: string
1985 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
1986 key:
1987 type: string
1988 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1989 privatekey:
1990 type: object
1991 description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
1992 properties:
1993 name:
1994 type: string
1995 description: The name of the Secret resource being referred to.
1996 namespace:
1997 type: string
1998 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
1999 key:
2000 type: string
2001 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2002 required:
2003 - fingerprint
2004 - privatekey
2005 tenancy:
2006 type: string
2007 description: Tenancy is the tenancy OCID where user is located.
2008 user:
2009 type: string
2010 description: User is an access OCID specific to the account.
2011 required:
2012 - secretRef
2013 - tenancy
2014 - user
2015 region:
2016 type: string
2017 description: Region is the region where vault is located.
2018 vault:
2019 type: string
2020 description: Vault is the vault's OCID of the specific vault where secret is located.
2021 required:
2022 - region
2023 - vault
2024 senhasegura:
2025 type: object
2026 description: Senhasegura configures this store to sync secrets using senhasegura provider
2027 properties:
2028 auth:
2029 type: object
2030 description: Auth defines parameters to authenticate in senhasegura
2031 properties:
2032 clientId:
2033 type: string
2034 clientSecretSecretRef:
2035 type: object
2036 description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
2037 properties:
2038 name:
2039 type: string
2040 description: The name of the Secret resource being referred to.
2041 namespace:
2042 type: string
2043 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
2044 key:
2045 type: string
2046 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2047 required:
2048 - clientId
2049 - clientSecretSecretRef
2050 ignoreSslCertificate:
2051 type: boolean
2052 default: false
2053 description: IgnoreSslCertificate defines whether the server's SSL certificate is ignored, i.e. certificate verification is skipped
2054 module:
2055 type: string
2056 description: Module defines which senhasegura module should be used to get secrets
2057 url:
2058 type: string
2059 description: URL of senhasegura
2060 required:
2061 - auth
2062 - module
2063 - url
2064 vault:
2065 type: object
2066 description: Vault configures this store to sync secrets using Hashi provider
2067 properties:
2068 namespace:
2069 type: string
2070 description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
2071 auth:
2072 type: object
2073 description: Auth configures how secret-manager authenticates with the Vault server.
2074 properties:
2075 appRole:
2076 type: object
2077 description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
2078 properties:
2079 secretRef:
2080 type: object
2081 description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
2082 properties:
2083 name:
2084 type: string
2085 description: The name of the Secret resource being referred to.
2086 namespace:
2087 type: string
2088 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
2089 key:
2090 type: string
2091 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2092 path:
2093 type: string
2094 default: approle
2095 description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
2096 roleId:
2097 type: string
2098 description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
2099 required:
2100 - path
2101 - roleId
2102 - secretRef
2103 cert:
2104 type: object
2105 description: Cert authenticates with Vault using the Cert authentication method, passing a client certificate, private key and CA certificate
2106 properties:
2107 secretRef:
2108 type: object
2109 description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method
2110 properties:
2111 name:
2112 type: string
2113 description: The name of the Secret resource being referred to.
2114 namespace:
2115 type: string
2116 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
2117 key:
2118 type: string
2119 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2120 clientCert:
2121 type: object
2122 description: ClientCert is a certificate to authenticate using the Cert Vault authentication method
2123 properties:
2124 name:
2125 type: string
2126 description: The name of the Secret resource being referred to.
2127 namespace:
2128 type: string
2129 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
2130 key:
2131 type: string
2132 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2133 jwt:
2134 type: object
2135 description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method
2136 properties:
2137 secretRef:
2138 type: object
2139 description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method.
2140 properties:
2141 name:
2142 type: string
2143 description: The name of the Secret resource being referred to.
2144 namespace:
2145 type: string
2146 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
2147 key:
2148 type: string
2149 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2150 kubernetesServiceAccountToken:
2151 type: object
2152 description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API.
2153 properties:
2154 audiences:
2155 type: array
2156 description: Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` if not specified.
2157 items:
2158 type: string
2159 expirationSeconds:
2160 type: integer
2161 description: Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to 10 minutes.
2162 format: int64
2163 serviceAccountRef:
2164 type: object
2165 description: Service account field containing the name of a kubernetes ServiceAccount.
2166 properties:
2167 name:
2168 type: string
2169 description: The name of the ServiceAccount resource being referred to.
2170 namespace:
2171 type: string
2172 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
2173 required:
2174 - name
2175 required:
2176 - serviceAccountRef
2177 path:
2178 type: string
2179 default: jwt
2180 description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"'
2181 role:
2182 type: string
2183 description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method
2184 required:
2185 - path
2186 kubernetes:
2187 type: object
2188 description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
2189 properties:
2190 mountPath:
2191 type: string
2192 default: kubernetes
2193 description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"'
2194 secretRef:
2195 type: object
2196 description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used.
2197 properties:
2198 name:
2199 type: string
2200 description: The name of the Secret resource being referred to.
2201 namespace:
2202 type: string
2203 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
2204 key:
2205 type: string
2206 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2207 role:
2208 type: string
2209 description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
2210 serviceAccountRef:
2211 type: object
2212 description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead.
2213 properties:
2214 name:
2215 type: string
2216 description: The name of the ServiceAccount resource being referred to.
2217 namespace:
2218 type: string
2219 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
2220 required:
2221 - name
2222 required:
2223 - mountPath
2224 - role
2225 ldap:
2226 type: object
2227 description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method
2228 properties:
2229 secretRef:
2230 type: object
2231 description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method
2232 properties:
2233 name:
2234 type: string
2235 description: The name of the Secret resource being referred to.
2236 namespace:
2237 type: string
2238 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
2239 key:
2240 type: string
2241 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2242 path:
2243 type: string
2244 default: ldap
2245 description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"'
2246 username:
2247 type: string
2248 description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method
2249 required:
2250 - path
2251 - username
2252 tokenSecretRef:
2253 type: object
2254 description: TokenSecretRef authenticates with Vault by presenting a token.
2255 properties:
2256 name:
2257 type: string
2258 description: The name of the Secret resource being referred to.
2259 namespace:
2260 type: string
2261 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
2262 key:
2263 type: string
2264 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2265 caBundle:
2266 type: string
2267 description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
2268 format: byte
2269 caProvider:
2270 type: object
2271 description: The provider for the CA bundle to use to validate Vault server certificate.
2272 properties:
2273 name:
2274 type: string
2275 description: The name of the object located at the provider type.
2276 namespace:
2277 type: string
2278 description: The namespace the Provider type is in.
2279 type:
2280 type: string
2281 description: The type of provider to use such as "Secret", or "ConfigMap".
2282 enum:
2283 - Secret
2284 - ConfigMap
2285 key:
2286 type: string
2287 description: The key of the value inside the provider type to use; only used with the "Secret" type
2288 required:
2289 - name
2290 - type
2291 forwardInconsistent:
2292 type: boolean
2293 description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
2294 path:
2295 type: string
2296 description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.'
2297 readYourWrites:
2298 type: boolean
2299 description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency
2300 server:
2301 type: string
2302 description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
2303 version:
2304 type: string
2305 default: v2
2306 description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2".
2307 enum:
2308 - v1
2309 - v2
2310 required:
2311 - auth
2312 - server
2313 webhook:
2314 type: object
2315 description: Webhook configures this store to sync secrets using a generic templated webhook
2316 properties:
2317 body:
2318 type: string
2319 description: Body
2320 caBundle:
2321 type: string
2322 description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
2323 format: byte
2324 caProvider:
2325 type: object
2326 description: The provider for the CA bundle to use to validate webhook server certificate.
2327 properties:
2328 name:
2329 type: string
2330 description: The name of the object located at the provider type.
2331 namespace:
2332 type: string
2333 description: The namespace the Provider type is in.
2334 type:
2335 type: string
2336 description: The type of provider to use such as "Secret", or "ConfigMap".
2337 enum:
2338 - Secret
2339 - ConfigMap
2340 key:
2341 type: string
2342 description: The key of the value inside the provider type to use; only used with the "Secret" type
2343 required:
2344 - name
2345 - type
2346 headers:
2347 type: object
2348 additionalProperties:
2349 type: string
2350 description: Headers
2351 method:
2352 type: string
2353 description: Webhook Method
2354 result:
2355 type: object
2356 description: Result formatting
2357 properties:
2358 jsonPath:
2359 type: string
2360 description: Json path of return value
2361 secrets:
2362 type: array
2363 description: Secrets to fill in templates. These secrets will be passed to the templating function as key value pairs under the given name
2364 items:
2365 type: object
2366 properties:
2367 name:
2368 type: string
2369 description: Name of this secret in templates
2370 secretRef:
2371 type: object
2372 description: Secret ref to fill in credentials
2373 properties:
2374 name:
2375 type: string
2376 description: The name of the Secret resource being referred to.
2377 namespace:
2378 type: string
2379 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
2380 key:
2381 type: string
2382 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2383 required:
2384 - name
2385 - secretRef
2386 timeout:
2387 type: string
2388 description: Timeout
2389 url:
2390 type: string
2391 description: Webhook url to call
2392 required:
2393 - result
2394 - url
2395 yandexcertificatemanager:
2396 type: object
2397 description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider
2398 properties:
2399 apiEndpoint:
2400 type: string
2401 description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
2402 auth:
2403 type: object
2404 description: Auth defines the information necessary to authenticate against Yandex Certificate Manager
2405 properties:
2406 authorizedKeySecretRef:
2407 type: object
2408 description: The authorized key used for authentication
2409 properties:
2410 name:
2411 type: string
2412 description: The name of the Secret resource being referred to.
2413 namespace:
2414 type: string
2415 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
2416 key:
2417 type: string
2418 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2419 caProvider:
2420 type: object
2421 description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
2422 properties:
2423 certSecretRef:
2424 type: object
2425 description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
2426 properties:
2427 name:
2428 type: string
2429 description: The name of the Secret resource being referred to.
2430 namespace:
2431 type: string
2432 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
2433 key:
2434 type: string
2435 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2436 required:
2437 - auth
2438 yandexlockbox:
2439 type: object
2440 description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
2441 properties:
2442 apiEndpoint:
2443 type: string
2444 description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
2445 auth:
2446 type: object
2447 description: Auth defines the information necessary to authenticate against Yandex Lockbox
2448 properties:
2449 authorizedKeySecretRef:
2450 type: object
2451 description: The authorized key used for authentication
2452 properties:
2453 name:
2454 type: string
2455 description: The name of the Secret resource being referred to.
2456 namespace:
2457 type: string
2458 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
2459 key:
2460 type: string
2461 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2462 caProvider:
2463 type: object
2464 description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
2465 properties:
2466 certSecretRef:
2467 type: object
2468 description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
2469 properties:
2470 name:
2471 type: string
2472 description: The name of the Secret resource being referred to.
2473 namespace:
2474 type: string
                                  description: Namespace of the resource being referred to. Ignored if the referring resource is not cluster-scoped; for a cluster-scoped referrer it selects the namespace of the referenced resource.
2476 key:
2477 type: string
2478 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2479 required:
2480 - auth
2481 refreshInterval:
2482 type: integer
2483 description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config.
2484 retrySettings:
2485 type: object
2486 description: Used to configure http retries if failed
2487 properties:
2488 maxRetries:
2489 type: integer
2490 format: int32
2491 retryInterval:
2492 type: string
2493 required:
2494 - provider
2495 status:
2496 type: object
2497 description: SecretStoreStatus defines the observed state of the SecretStore.
2498 properties:
2499 conditions:
2500 type: array
2501 items:
2502 type: object
2503 properties:
2504 type:
2505 type: string
2506 status:
2507 type: string
2508 lastTransitionTime:
2509 type: string
2510 format: date-time
2511 message:
2512 type: string
2513 reason:
2514 type: string
2515 required:
2516 - status
2517 - type
2518 served: true
2519 storage: true
2520 subresources:
2521 status: {}
2522---
2523# Source: external-secrets/templates/crds/externalsecret.yaml
2524apiVersion: apiextensions.k8s.io/v1
2525kind: CustomResourceDefinition
2526metadata:
2527 name: externalsecrets.external-secrets.io
2528 annotations:
2529 controller-gen.kubebuilder.io/version: v0.9.0
2530 pallet.edge.ncr.com/created: "2023-02-16T21:26:39Z"
2531 pallet.edge.ncr.com/name: external-secrets-operator
2532 pallet.edge.ncr.com/revision: 696897a3df910b6e84a88c9336907a17b18159c1
2533 pallet.edge.ncr.com/source: https://github.com/ncrvoyix-swt-retail/edge-infra/tree/696897a3df910b6e84a88c9336907a17b18159c1
2534 pallet.edge.ncr.com/team: '@ncrvoyix-swt-retail/edge-infra'
2535 pallet.edge.ncr.com/version: 7.7.7-rc.1676582799+commit.696897a
2536 labels: {}
2537spec:
  # Version conversion (v1alpha1 <-> v1beta1, both served in this CRD) is
  # delegated to the operator's webhook Service rather than done by the API
  # server itself.
  # NOTE(review): no caBundle is set on clientConfig, so the API server can
  # only complete the TLS handshake with the webhook if a bundle is injected
  # at runtime (presumably by the operator's certificate controller - confirm)
  # or the serving certificate chains to a CA the API server already trusts.
  # A failed conversion call fails the API request that triggered it; there
  # is no failurePolicy for conversion webhooks.
  conversion:
    strategy: Webhook
    webhook:
      clientConfig:
        service:
          # Must match the Service the operator actually deploys; the leading
          # "k" in the name looks like a release-name prefix rather than a
          # typo - confirm against the webhook Deployment/Service.
          name: kexternal-secrets-webhook
          namespace: "external-secrets"
          path: /convert
      conversionReviewVersions:
        - v1
2548 group: external-secrets.io
2549 names:
2550 kind: ExternalSecret
2551 categories:
2552 - externalsecrets
2553 listKind: ExternalSecretList
2554 plural: externalsecrets
2555 shortNames:
2556 - es
2557 singular: externalsecret
2558 scope: Namespaced
2559 versions:
2560 - name: v1alpha1
2561 additionalPrinterColumns:
2562 - name: Store
2563 type: string
2564 jsonPath: .spec.secretStoreRef.name
2565 - name: Refresh Interval
2566 type: string
2567 jsonPath: .spec.refreshInterval
2568 - name: Status
2569 type: string
2570 jsonPath: .status.conditions[?(@.type=="Ready")].reason
2571 deprecated: true
2572 schema:
2573 openAPIV3Schema:
2574 type: object
2575 description: ExternalSecret is the Schema for the external-secrets API.
2576 properties:
2577 apiVersion:
2578 type: string
2579 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
2580 kind:
2581 type: string
2582 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
2583 metadata:
2584 type: object
2585 spec:
2586 type: object
2587 description: ExternalSecretSpec defines the desired state of ExternalSecret.
2588 properties:
2589 data:
2590 type: array
2591 description: Data defines the connection between the Kubernetes Secret keys and the Provider data
2592 items:
2593 type: object
2594 description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
2595 properties:
2596 remoteRef:
2597 type: object
2598 description: ExternalSecretDataRemoteRef defines Provider data location.
2599 properties:
2600 conversionStrategy:
2601 type: string
2602 default: Default
2603 description: Used to define a conversion Strategy
2604 key:
2605 type: string
2606 description: Key is the key used in the Provider, mandatory
2607 property:
2608 type: string
2609 description: Used to select a specific property of the Provider value (if a map), if supported
2610 version:
2611 type: string
2612 description: Used to select a specific version of the Provider value, if supported
2613 required:
2614 - key
2615 secretKey:
2616 type: string
2617 required:
2618 - remoteRef
2619 - secretKey
2620 dataFrom:
2621 type: array
2622 description: DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order
2623 items:
2624 type: object
2625 description: ExternalSecretDataRemoteRef defines Provider data location.
2626 properties:
2627 conversionStrategy:
2628 type: string
2629 default: Default
2630 description: Used to define a conversion Strategy
2631 key:
2632 type: string
2633 description: Key is the key used in the Provider, mandatory
2634 property:
2635 type: string
2636 description: Used to select a specific property of the Provider value (if a map), if supported
2637 version:
2638 type: string
2639 description: Used to select a specific version of the Provider value, if supported
2640 required:
2641 - key
2642 refreshInterval:
2643 type: string
2644 default: 1h
2645 description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to fetch and create it once. Defaults to 1h.
2646 secretStoreRef:
2647 type: object
2648 description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
2649 properties:
2650 name:
2651 type: string
2652 description: Name of the SecretStore resource
2653 kind:
2654 type: string
2655 description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore`
2656 required:
2657 - name
2658 target:
2659 type: object
2660 description: ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret.
2661 properties:
2662 name:
2663 type: string
2664 description: Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource
2665 template:
2666 type: object
2667 description: Template defines a blueprint for the created Secret resource.
2668 properties:
2669 metadata:
2670 type: object
2671 description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
2672 properties:
2673 labels:
2674 type: object
2675 additionalProperties:
2676 type: string
2677 annotations:
2678 type: object
2679 additionalProperties:
2680 type: string
2681 type:
2682 type: string
2683 data:
2684 type: object
2685 additionalProperties:
2686 type: string
2687 engineVersion:
2688 type: string
2689 default: v1
2690 description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[].
2691 templateFrom:
2692 type: array
2693 items:
2694 type: object
2695 maxProperties: 1
2696 minProperties: 1
2697 properties:
2698 configMap:
2699 type: object
2700 properties:
2701 name:
2702 type: string
2703 items:
2704 type: array
2705 items:
2706 type: object
2707 properties:
2708 key:
2709 type: string
2710 required:
2711 - key
2712 required:
2713 - items
2714 - name
2715 secret:
2716 type: object
2717 properties:
2718 name:
2719 type: string
2720 items:
2721 type: array
2722 items:
2723 type: object
2724 properties:
2725 key:
2726 type: string
2727 required:
2728 - key
2729 required:
2730 - items
2731 - name
2732 creationPolicy:
2733 type: string
2734 default: Owner
2735 description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner'
2736 immutable:
2737 type: boolean
2738 description: Immutable defines if the final secret will be immutable
2739 required:
2740 - secretStoreRef
2741 - target
2742 status:
2743 type: object
2744 properties:
2745 conditions:
2746 type: array
2747 items:
2748 type: object
2749 properties:
2750 type:
2751 type: string
2752 status:
2753 type: string
2754 lastTransitionTime:
2755 type: string
2756 format: date-time
2757 message:
2758 type: string
2759 reason:
2760 type: string
2761 required:
2762 - status
2763 - type
2764 refreshTime:
2765 type: string
2766 description: refreshTime is the time and date the external secret was fetched and the target secret updated
2767 format: date-time
2768 nullable: true
2769 syncedResourceVersion:
2770 type: string
2771 description: SyncedResourceVersion keeps track of the last synced version
2772 served: true
2773 storage: false
2774 subresources:
2775 status: {}
2776 - name: v1beta1
2777 additionalPrinterColumns:
2778 - name: Store
2779 type: string
2780 jsonPath: .spec.secretStoreRef.name
2781 - name: Refresh Interval
2782 type: string
2783 jsonPath: .spec.refreshInterval
2784 - name: Status
2785 type: string
2786 jsonPath: .status.conditions[?(@.type=="Ready")].reason
2787 schema:
2788 openAPIV3Schema:
2789 type: object
2790 description: ExternalSecret is the Schema for the external-secrets API.
2791 properties:
2792 apiVersion:
2793 type: string
2794 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
2795 kind:
2796 type: string
2797 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
2798 metadata:
2799 type: object
2800 spec:
2801 type: object
2802 description: ExternalSecretSpec defines the desired state of ExternalSecret.
2803 properties:
2804 data:
2805 type: array
2806 description: Data defines the connection between the Kubernetes Secret keys and the Provider data
2807 items:
2808 type: object
2809 description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
2810 properties:
2811 remoteRef:
2812 type: object
2813 description: ExternalSecretDataRemoteRef defines Provider data location.
2814 properties:
2815 conversionStrategy:
2816 type: string
2817 default: Default
2818 description: Used to define a conversion Strategy
2819 key:
2820 type: string
2821 description: Key is the key used in the Provider, mandatory
2822 metadataPolicy:
2823 type: string
2824 description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
2825 property:
2826 type: string
2827 description: Used to select a specific property of the Provider value (if a map), if supported
2828 version:
2829 type: string
2830 description: Used to select a specific version of the Provider value, if supported
2831 required:
2832 - key
2833 secretKey:
2834 type: string
2835 required:
2836 - remoteRef
2837 - secretKey
2838 dataFrom:
2839 type: array
2840 description: DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order
2841 items:
2842 type: object
2843 maxProperties: 1
2844 minProperties: 1
2845 properties:
2846 extract:
2847 type: object
2848 description: Used to extract multiple key/value pairs from one secret
2849 properties:
2850 conversionStrategy:
2851 type: string
2852 default: Default
2853 description: Used to define a conversion Strategy
2854 key:
2855 type: string
2856 description: Key is the key used in the Provider, mandatory
2857 metadataPolicy:
2858 type: string
2859 description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
2860 property:
2861 type: string
2862 description: Used to select a specific property of the Provider value (if a map), if supported
2863 version:
2864 type: string
2865 description: Used to select a specific version of the Provider value, if supported
2866 required:
2867 - key
2868 find:
2869 type: object
2870 description: Used to find secrets based on tags or regular expressions
2871 properties:
2872 name:
2873 type: object
2874 description: Finds secrets based on the name.
2875 properties:
2876 regexp:
2877 type: string
                                description: Finds secrets whose name matches this regular expression.
2879 conversionStrategy:
2880 type: string
2881 default: Default
2882 description: Used to define a conversion Strategy
2883 path:
2884 type: string
2885 description: A root path to start the find operations.
2886 tags:
2887 type: object
2888 additionalProperties:
2889 type: string
2890 description: Find secrets based on tags.
2891 refreshInterval:
2892 type: string
2893 default: 1h
2894 description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to fetch and create it once. Defaults to 1h.
                # Selects the store the controller fetches from. kind may be
                # ClusterSecretStore, which lets a namespaced ExternalSecret use a
                # cluster-wide store and its credentials; nothing in this schema
                # restricts which namespaces may do so, so any such restriction
                # has to come from the store itself or from RBAC on store creation.
                secretStoreRef:
                  type: object
                  description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
                  properties:
                    name:
                      type: string
                      description: Name of the SecretStore resource
                    kind:
                      type: string
                      description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore`
                  required:
                    - name
                # The Kubernetes Secret this ExternalSecret writes. One target per
                # ExternalSecret; target is optional in v1beta1 (only secretStoreRef
                # is required), in which case name falls back to the ExternalSecret's
                # own metadata.name.
                target:
                  type: object
                  description: ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret.
                  properties:
                    name:
                      type: string
                      description: Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource
                    # Optional post-processing of the fetched values before they are
                    # written. The deprecated v1alpha1 schema above documents
                    # engineVersion as selecting the engine that compiles/executes
                    # .data and .templateFrom[]; here it defaults to v2 and the
                    # template syntax itself is not described in this schema.
                    template:
                      type: object
                      description: Template defines a blueprint for the created Secret resource.
                      properties:
                        metadata:
                          type: object
                          description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
                          properties:
                            labels:
                              type: object
                              additionalProperties:
                                type: string
                            annotations:
                              type: object
                              additionalProperties:
                                type: string
                        type:
                          type: string
                        data:
                          type: object
                          additionalProperties:
                            type: string
                        engineVersion:
                          type: string
                          default: v2
                        # configMap/secret sources carry only a name plus item keys and
                        # no namespace field, so they are presumably resolved in the
                        # ExternalSecret's own namespace - confirm. NOTE(review): this
                        # lets an ExternalSecret author fold keys of any existing Secret
                        # the controller is allowed to read in that namespace into the
                        # generated Secret.
                        templateFrom:
                          type: array
                          items:
                            type: object
                            maxProperties: 1
                            minProperties: 1
                            properties:
                              configMap:
                                type: object
                                properties:
                                  name:
                                    type: string
                                  items:
                                    type: array
                                    items:
                                      type: object
                                      properties:
                                        key:
                                          type: string
                                      required:
                                        - key
                                required:
                                  - items
                                  - name
                              secret:
                                type: object
                                properties:
                                  name:
                                    type: string
                                  items:
                                    type: array
                                    items:
                                      type: object
                                      properties:
                                        key:
                                          type: string
                                      required:
                                        - key
                                required:
                                  - items
                                  - name
                    # Owner is the default. Beyond the enum, the schema does not say
                    # what Orphan/Merge/None do; by their names Merge/None presumably
                    # operate on a pre-existing Secret rather than creating one, which
                    # also changes who owns (and garbage-collects) it - confirm against
                    # the controller documentation before relying on either.
                    creationPolicy:
                      type: string
                      default: Owner
                      description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner'
                      enum:
                        - Owner
                        - Orphan
                        - Merge
                        - None
                    # Retain is the default and, by its name, keeps the synced Secret
                    # when the ExternalSecret goes away; Delete would remove it. Pick
                    # deliberately: Retain can leave credentials behind, Delete can
                    # take a live Secret away from running workloads.
                    deletionPolicy:
                      type: string
                      default: Retain
                      description: DeletionPolicy defines rules on how to delete the resulting Secret Defaults to 'Retain'
                      enum:
                        - Delete
                        - Merge
                        - Retain
                    # A Kubernetes immutable Secret cannot be updated in place, so
                    # refreshInterval-driven updates of an immutable target presumably
                    # need the Secret to be recreated - confirm how the controller
                    # handles this before combining immutable with a short interval.
                    immutable:
                      type: boolean
                      description: Immutable defines if the final secret will be immutable
3000 required:
3001 - secretStoreRef
3002 status:
3003 type: object
3004 properties:
3005 conditions:
3006 type: array
3007 items:
3008 type: object
3009 properties:
3010 type:
3011 type: string
3012 status:
3013 type: string
3014 lastTransitionTime:
3015 type: string
3016 format: date-time
3017 message:
3018 type: string
3019 reason:
3020 type: string
3021 required:
3022 - status
3023 - type
3024 refreshTime:
3025 type: string
3026 description: refreshTime is the time and date the external secret was fetched and the target secret updated
3027 format: date-time
3028 nullable: true
3029 syncedResourceVersion:
3030 type: string
3031 description: SyncedResourceVersion keeps track of the last synced version
3032 served: true
3033 storage: true
3034 subresources:
3035 status: {}
3036---
3037# Source: external-secrets/templates/crds/secretstore.yaml
3038apiVersion: apiextensions.k8s.io/v1
3039kind: CustomResourceDefinition
3040metadata:
3041 name: secretstores.external-secrets.io
3042 annotations:
3043 controller-gen.kubebuilder.io/version: v0.9.0
3044 pallet.edge.ncr.com/created: "2023-02-16T21:26:39Z"
3045 pallet.edge.ncr.com/name: external-secrets-operator
3046 pallet.edge.ncr.com/revision: 696897a3df910b6e84a88c9336907a17b18159c1
3047 pallet.edge.ncr.com/source: https://github.com/ncrvoyix-swt-retail/edge-infra/tree/696897a3df910b6e84a88c9336907a17b18159c1
3048 pallet.edge.ncr.com/team: '@ncrvoyix-swt-retail/edge-infra'
3049 pallet.edge.ncr.com/version: 7.7.7-rc.1676582799+commit.696897a
3050 labels: {}
3051spec:
  # Version conversion (v1alpha1, marked deprecated below, <-> v1beta1) is
  # delegated to the operator's webhook Service rather than done by the API
  # server itself.
  # NOTE(review): no caBundle is set on clientConfig, so the API server can
  # only complete the TLS handshake with the webhook if a bundle is injected
  # at runtime (presumably by the operator's certificate controller - confirm)
  # or the serving certificate chains to a CA the API server already trusts.
  # A failed conversion call fails the API request that triggered it; there
  # is no failurePolicy for conversion webhooks.
  conversion:
    strategy: Webhook
    webhook:
      clientConfig:
        service:
          # Must match the Service the operator actually deploys; the leading
          # "k" in the name looks like a release-name prefix rather than a
          # typo - confirm against the webhook Deployment/Service.
          name: kexternal-secrets-webhook
          namespace: "external-secrets"
          path: /convert
      conversionReviewVersions:
        - v1
3062 group: external-secrets.io
3063 names:
3064 kind: SecretStore
3065 categories:
3066 - externalsecrets
3067 listKind: SecretStoreList
3068 plural: secretstores
3069 shortNames:
3070 - ss
3071 singular: secretstore
3072 scope: Namespaced
3073 versions:
3074 - name: v1alpha1
3075 additionalPrinterColumns:
3076 - name: AGE
3077 type: date
3078 jsonPath: .metadata.creationTimestamp
3079 - name: Status
3080 type: string
3081 jsonPath: .status.conditions[?(@.type=="Ready")].reason
3082 deprecated: true
3083 schema:
3084 openAPIV3Schema:
3085 type: object
3086 description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
3087 properties:
3088 apiVersion:
3089 type: string
3090 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
3091 kind:
3092 type: string
3093 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
3094 metadata:
3095 type: object
3096 spec:
3097 type: object
3098 description: SecretStoreSpec defines the desired state of SecretStore.
3099 properties:
3100 controller:
3101 type: string
3102 description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property'
3103 provider:
3104 type: object
3105 description: Used to configure the provider. Only one provider may be set
3106 maxProperties: 1
3107 minProperties: 1
3108 properties:
3109 akeyless:
3110 type: object
3111 description: Akeyless configures this store to sync secrets using Akeyless Vault provider
3112 properties:
3113 akeylessGWApiURL:
3114 type: string
3115 description: Akeyless GW API Url from which the secrets to be fetched from.
3116 authSecretRef:
3117 type: object
3118 description: Auth configures how the operator authenticates with Akeyless.
3119 properties:
3120 secretRef:
3121 type: object
                              description: 'AkeylessAuthSecretRef holds the Akeyless access credentials. AKEYLESS_ACCESS_TYPE_PARAM is one of: AZURE_OBJ_ID, GCP_AUDIENCE, ACCESS_KEY or KUB_CONFIG_NAME.'
3123 properties:
3124 accessID:
3125 type: object
3126 description: The SecretAccessID is used for authentication
3127 properties:
3128 name:
3129 type: string
3130 description: The name of the Secret resource being referred to.
3131 namespace:
3132 type: string
                                      description: Namespace of the resource being referred to. Ignored if the referring resource is not cluster-scoped; for a cluster-scoped referrer it selects the namespace of the referenced resource.
3134 key:
3135 type: string
3136 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3137 accessType:
3138 type: object
3139 description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
3140 properties:
3141 name:
3142 type: string
3143 description: The name of the Secret resource being referred to.
3144 namespace:
3145 type: string
                                      description: Namespace of the resource being referred to. Ignored if the referring resource is not cluster-scoped; for a cluster-scoped referrer it selects the namespace of the referenced resource.
3147 key:
3148 type: string
3149 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3150 accessTypeParam:
3151 type: object
3152 description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
3153 properties:
3154 name:
3155 type: string
3156 description: The name of the Secret resource being referred to.
3157 namespace:
3158 type: string
                                      description: Namespace of the resource being referred to. Ignored if the referring resource is not cluster-scoped; for a cluster-scoped referrer it selects the namespace of the referenced resource.
3160 key:
3161 type: string
3162 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3163 required:
3164 - secretRef
3165 required:
3166 - akeylessGWApiURL
3167 - authSecretRef
3168 alibaba:
3169 type: object
3170 description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
3171 properties:
3172 auth:
3173 type: object
3174 description: AlibabaAuth contains a secretRef for credentials.
3175 properties:
3176 secretRef:
3177 type: object
3178 description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
3179 properties:
3180 accessKeyIDSecretRef:
3181 type: object
3182 description: The AccessKeyID is used for authentication
3183 properties:
3184 name:
3185 type: string
3186 description: The name of the Secret resource being referred to.
3187 namespace:
3188 type: string
                                      description: Namespace of the resource being referred to. Ignored if the referring resource is not cluster-scoped; for a cluster-scoped referrer it selects the namespace of the referenced resource.
3190 key:
3191 type: string
3192 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3193 accessKeySecretSecretRef:
3194 type: object
3195 description: The AccessKeySecret is used for authentication
3196 properties:
3197 name:
3198 type: string
3199 description: The name of the Secret resource being referred to.
3200 namespace:
3201 type: string
                                      description: Namespace of the resource being referred to. Ignored if the referring resource is not cluster-scoped; for a cluster-scoped referrer it selects the namespace of the referenced resource.
3203 key:
3204 type: string
3205 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3206 required:
3207 - accessKeyIDSecretRef
3208 - accessKeySecretSecretRef
3209 required:
3210 - secretRef
3211 endpoint:
3212 type: string
3213 regionID:
3214 type: string
3215 description: Alibaba Region to be used for the provider
3216 required:
3217 - auth
3218 - regionID
3219 aws:
3220 type: object
3221 description: AWS configures this store to sync secrets using AWS Secret Manager provider
3222 properties:
3223 service:
3224 type: string
3225 description: Service defines which service should be used to fetch the secrets
3226 enum:
3227 - SecretsManager
3228 - ParameterStore
3229 auth:
3230 type: object
                          description: 'Auth defines the information necessary to authenticate against AWS. If not set, the AWS SDK infers credentials from the controller''s own environment, i.e. the store effectively runs with whatever AWS identity the operator pod already has; see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
3232 properties:
3233 secretRef:
3234 type: object
3235 description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
3236 properties:
3237 accessKeyIDSecretRef:
3238 type: object
3239 description: The AccessKeyID is used for authentication
3240 properties:
3241 name:
3242 type: string
3243 description: The name of the Secret resource being referred to.
3244 namespace:
3245 type: string
                                      description: Namespace of the resource being referred to. Ignored if the referring resource is not cluster-scoped; for a cluster-scoped referrer it selects the namespace of the referenced resource.
3247 key:
3248 type: string
3249 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3250 secretAccessKeySecretRef:
3251 type: object
3252 description: The SecretAccessKey is used for authentication
3253 properties:
3254 name:
3255 type: string
3256 description: The name of the Secret resource being referred to.
3257 namespace:
3258 type: string
                                      description: Namespace of the resource being referred to. Ignored if the referring resource is not cluster-scoped; for a cluster-scoped referrer it selects the namespace of the referenced resource.
3260 key:
3261 type: string
3262 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3263 jwt:
3264 type: object
3265 description: Authenticate against AWS using service account tokens.
3266 properties:
3267 serviceAccountRef:
3268 type: object
3269 description: A reference to a ServiceAccount resource.
3270 properties:
3271 name:
3272 type: string
3273 description: The name of the ServiceAccount resource being referred to.
3274 namespace:
3275 type: string
                                      description: Namespace of the resource being referred to. Ignored if the referring resource is not cluster-scoped; for a cluster-scoped referrer it selects the namespace of the referenced resource.
3277 required:
3278 - name
3279 region:
3280 type: string
3281 description: AWS Region to be used for the provider
3282 role:
3283 type: string
3284 description: Role is a Role ARN which the SecretManager provider will assume
3285 required:
3286 - region
3287 - service
3288 azurekv:
3289 type: object
3290 description: AzureKV configures this store to sync secrets using Azure Key Vault provider
3291 properties:
3292 authSecretRef:
3293 type: object
3294 description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type.
3295 properties:
3296 clientId:
3297 type: object
                              description: The Azure clientId of the service principal used for authentication.
3299 properties:
3300 name:
3301 type: string
3302 description: The name of the Secret resource being referred to.
3303 namespace:
3304 type: string
                                  description: Namespace of the resource being referred to. Ignored if the referring resource is not cluster-scoped; for a cluster-scoped referrer it selects the namespace of the referenced resource.
3306 key:
3307 type: string
3308 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3309 clientSecret:
3310 type: object
                              description: The Azure ClientSecret of the service principal used for authentication.
3312 properties:
3313 name:
3314 type: string
3315 description: The name of the Secret resource being referred to.
3316 namespace:
3317 type: string
                                  description: Namespace of the resource being referred to. Ignored if the referring resource is not cluster-scoped; for a cluster-scoped referrer it selects the namespace of the referenced resource.
3319 key:
3320 type: string
3321 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3322 authType:
3323 type: string
3324 default: ServicePrincipal
                          description: 'Auth type defines how to authenticate to the keyvault service. Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) - "WorkloadIdentity": Using Azure Workload Identity with the Kubernetes ServiceAccount named in serviceAccountRef'
3326 enum:
3327 - ServicePrincipal
3328 - ManagedIdentity
3329 - WorkloadIdentity
3330 identityId:
3331 type: string
3332 description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
3333 serviceAccountRef:
3334 type: object
3335 description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity.
3336 properties:
3337 name:
3338 type: string
3339 description: The name of the ServiceAccount resource being referred to.
3340 namespace:
3341 type: string
                              description: Namespace of the resource being referred to. Ignored if the referring resource is not cluster-scoped; for a cluster-scoped referrer it selects the namespace of the referenced resource.
3343 required:
3344 - name
3345 tenantId:
3346 type: string
3347 description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
3348 vaultUrl:
3349 type: string
3350 description: Vault Url from which the secrets to be fetched from.
3351 required:
3352 - vaultUrl
                    # Static key/value store. NOTE(review): the secret values are
                    # written in clear text into this SecretStore object itself, so
                    # anyone who can read SecretStores (or the backing etcd) can read
                    # them, and they show up in `kubectl get -o yaml` output.
                    # Presumably intended for tests and demos only - confirm nothing
                    # in production relies on it.
                    fake:
                      type: object
                      description: Fake configures a store with static key/value pairs
                      properties:
                        data:
                          type: array
                          items:
                            type: object
                            properties:
                              value:
                                type: string
                              key:
                                type: string
                              valueMap:
                                type: object
                                additionalProperties:
                                  type: string
                              version:
                                type: string
                            required:
                              - key
                      required:
                        - data
3376 gcpsm:
3377 type: object
3378 description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
3379 properties:
3380 auth:
3381 type: object
3382 description: Auth defines the information necessary to authenticate against GCP
3383 properties:
3384 secretRef:
3385 type: object
3386 properties:
3387 secretAccessKeySecretRef:
3388 type: object
3389 description: The SecretAccessKey is used for authentication
3390 properties:
3391 name:
3392 type: string
3393 description: The name of the Secret resource being referred to.
3394 namespace:
3395 type: string
3396 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
3397 key:
3398 type: string
3399 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3400 workloadIdentity:
3401 type: object
3402 properties:
3403 clusterName:
3404 type: string
3405 clusterLocation:
3406 type: string
3407 clusterProjectID:
3408 type: string
3409 serviceAccountRef:
3410 type: object
3411 description: A reference to a ServiceAccount resource.
3412 properties:
3413 name:
3414 type: string
3415 description: The name of the ServiceAccount resource being referred to.
3416 namespace:
3417 type: string
3418 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
3419 required:
3420 - name
3421 required:
3422 - clusterLocation
3423 - clusterName
3424 - serviceAccountRef
3425 projectID:
3426 type: string
3427 description: ProjectID project where secret is located
3428 gitlab:
3429 type: object
3430 description: Gitlab configures this store to sync secrets using Gitlab Variables provider
3431 properties:
3432 auth:
3433 type: object
3434 description: Auth configures how secret-manager authenticates with a GitLab instance.
3435 properties:
3436 SecretRef:
3437 type: object
3438 properties:
3439 accessToken:
3440 type: object
3441 description: AccessToken is used for authentication.
3442 properties:
3443 name:
3444 type: string
3445 description: The name of the Secret resource being referred to.
3446 namespace:
3447 type: string
3448 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
3449 key:
3450 type: string
3451 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3452 required:
3453 - SecretRef
3454 projectID:
3455 type: string
3456 description: ProjectID specifies a project where secrets are located.
3457 url:
3458 type: string
3459 description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
3460 required:
3461 - auth
3462 ibm:
3463 type: object
3464 description: IBM configures this store to sync secrets using IBM Cloud provider
3465 properties:
3466 auth:
3467 type: object
3468 description: Auth configures how secret-manager authenticates with the IBM secrets manager.
3469 properties:
3470 secretRef:
3471 type: object
3472 properties:
3473 secretApiKeySecretRef:
3474 type: object
3475 description: The SecretAccessKey is used for authentication
3476 properties:
3477 name:
3478 type: string
3479 description: The name of the Secret resource being referred to.
3480 namespace:
3481 type: string
3482 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
3483 key:
3484 type: string
3485 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3486 required:
3487 - secretRef
3488 serviceUrl:
3489 type: string
3490 description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
3491 required:
3492 - auth
3493 kubernetes:
3494 type: object
3495 description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
3496 properties:
3497 auth:
3498 type: object
3499 description: Auth configures how secret-manager authenticates with a Kubernetes instance.
3500 maxProperties: 1
3501 minProperties: 1
3502 properties:
3503 serviceAccount:
3504 type: object
3505 description: points to a service account that should be used for authentication
3506 properties:
3507 serviceAccount:
3508 type: object
3509 description: A reference to a ServiceAccount resource.
3510 properties:
3511 name:
3512 type: string
3513 description: The name of the ServiceAccount resource being referred to.
3514 namespace:
3515 type: string
3516 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
3517 required:
3518 - name
3519 cert:
3520 type: object
3521 description: has both clientCert and clientKey as secretKeySelector
3522 properties:
3523 clientCert:
3524 type: object
3525 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
3526 properties:
3527 name:
3528 type: string
3529 description: The name of the Secret resource being referred to.
3530 namespace:
3531 type: string
3532 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
3533 key:
3534 type: string
3535 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3536 clientKey:
3537 type: object
3538 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
3539 properties:
3540 name:
3541 type: string
3542 description: The name of the Secret resource being referred to.
3543 namespace:
3544 type: string
3545 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
3546 key:
3547 type: string
3548 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3549 token:
3550 type: object
3551 description: use static token to authenticate with
3552 properties:
3553 bearerToken:
3554 type: object
3555 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
3556 properties:
3557 name:
3558 type: string
3559 description: The name of the Secret resource being referred to.
3560 namespace:
3561 type: string
3562 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
3563 key:
3564 type: string
3565 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3566 remoteNamespace:
3567 type: string
3568 default: default
3569 description: Remote namespace to fetch the secrets from
3570 server:
3571 type: object
3572 description: configures the Kubernetes server Address.
3573 properties:
3574 caBundle:
3575 type: string
3576 description: CABundle is a base64-encoded CA certificate
3577 format: byte
3578 caProvider:
3579 type: object
3580 description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
3581 properties:
3582 name:
3583 type: string
3584 description: The name of the object located at the provider type.
3585 namespace:
3586 type: string
3587 description: The namespace the Provider type is in.
3588 type:
3589 type: string
3590 description: The type of provider to use such as "Secret", or "ConfigMap".
3591 enum:
3592 - Secret
3593 - ConfigMap
3594 key:
3595 type: string
3596 description: The key of the value inside the provider type to use; only used with the "Secret" type
3597 required:
3598 - name
3599 - type
3600 url:
3601 type: string
3602 default: kubernetes.default
3603 description: configures the Kubernetes server Address.
3604 required:
3605 - auth
3606 oracle:
3607 type: object
3608 description: Oracle configures this store to sync secrets using Oracle Vault provider
3609 properties:
3610 auth:
3611 type: object
3612 description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, the instance principal is used; otherwise the user credentials specified in Auth are used.
3613 properties:
3614 secretRef:
3615 type: object
3616 description: SecretRef to pass through sensitive information.
3617 properties:
3618 fingerprint:
3619 type: object
3620 description: Fingerprint is the fingerprint of the API private key.
3621 properties:
3622 name:
3623 type: string
3624 description: The name of the Secret resource being referred to.
3625 namespace:
3626 type: string
3627 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
3628 key:
3629 type: string
3630 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3631 privatekey:
3632 type: object
3633 description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
3634 properties:
3635 name:
3636 type: string
3637 description: The name of the Secret resource being referred to.
3638 namespace:
3639 type: string
3640 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
3641 key:
3642 type: string
3643 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3644 required:
3645 - fingerprint
3646 - privatekey
3647 tenancy:
3648 type: string
3649 description: Tenancy is the tenancy OCID where user is located.
3650 user:
3651 type: string
3652 description: User is an access OCID specific to the account.
3653 required:
3654 - secretRef
3655 - tenancy
3656 - user
3657 region:
3658 type: string
3659 description: Region is the region where vault is located.
3660 vault:
3661 type: string
3662 description: Vault is the vault's OCID of the specific vault where secret is located.
3663 required:
3664 - region
3665 - vault
3666 vault:
3667 type: object
3668 description: Vault configures this store to sync secrets using Hashi provider
3669 properties:
3670 namespace:
3671 type: string
3672 description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
3673 auth:
3674 type: object
3675 description: Auth configures how secret-manager authenticates with the Vault server.
3676 properties:
3677 appRole:
3678 type: object
3679 description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
3680 properties:
3681 secretRef:
3682 type: object
3683 description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
3684 properties:
3685 name:
3686 type: string
3687 description: The name of the Secret resource being referred to.
3688 namespace:
3689 type: string
3690 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
3691 key:
3692 type: string
3693 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3694 path:
3695 type: string
3696 default: approle
3697 description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
3698 roleId:
3699 type: string
3700 description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
3701 required:
3702 - path
3703 - roleId
3704 - secretRef
3705 cert:
3706 type: object
3707 description: Cert authenticates with TLS certificates by passing the client certificate, private key and CA certificate using the Cert authentication method
3708 properties:
3709 secretRef:
3710 type: object
3711 description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method
3712 properties:
3713 name:
3714 type: string
3715 description: The name of the Secret resource being referred to.
3716 namespace:
3717 type: string
3718 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
3719 key:
3720 type: string
3721 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3722 clientCert:
3723 type: object
3724 description: ClientCert is a certificate to authenticate using the Cert Vault authentication method
3725 properties:
3726 name:
3727 type: string
3728 description: The name of the Secret resource being referred to.
3729 namespace:
3730 type: string
3731 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
3732 key:
3733 type: string
3734 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3735 jwt:
3736 type: object
3737 description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method
3738 properties:
3739 secretRef:
3740 type: object
3741 description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method.
3742 properties:
3743 name:
3744 type: string
3745 description: The name of the Secret resource being referred to.
3746 namespace:
3747 type: string
3748 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
3749 key:
3750 type: string
3751 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3752 kubernetesServiceAccountToken:
3753 type: object
3754 description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API.
3755 properties:
3756 audiences:
3757 type: array
3758 description: Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` if not specified.
3759 items:
3760 type: string
3761 expirationSeconds:
3762 type: integer
3763 description: Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to 10 minutes.
3764 format: int64
3765 serviceAccountRef:
3766 type: object
3767 description: Service account field containing the name of a kubernetes ServiceAccount.
3768 properties:
3769 name:
3770 type: string
3771 description: The name of the ServiceAccount resource being referred to.
3772 namespace:
3773 type: string
3774 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
3775 required:
3776 - name
3777 required:
3778 - serviceAccountRef
3779 path:
3780 type: string
3781 default: jwt
3782 description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"'
3783 role:
3784 type: string
3785 description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method
3786 required:
3787 - path
3788 kubernetes:
3789 type: object
3790 description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
3791 properties:
3792 mountPath:
3793 type: string
3794 default: kubernetes
3795 description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"'
3796 secretRef:
3797 type: object
3798 description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used.
3799 properties:
3800 name:
3801 type: string
3802 description: The name of the Secret resource being referred to.
3803 namespace:
3804 type: string
3805 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
3806 key:
3807 type: string
3808 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3809 role:
3810 type: string
3811 description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
3812 serviceAccountRef:
3813 type: object
3814 description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead.
3815 properties:
3816 name:
3817 type: string
3818 description: The name of the ServiceAccount resource being referred to.
3819 namespace:
3820 type: string
3821 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
3822 required:
3823 - name
3824 required:
3825 - mountPath
3826 - role
3827 ldap:
3828 type: object
3829 description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method
3830 properties:
3831 secretRef:
3832 type: object
3833 description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method
3834 properties:
3835 name:
3836 type: string
3837 description: The name of the Secret resource being referred to.
3838 namespace:
3839 type: string
3840 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
3841 key:
3842 type: string
3843 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3844 path:
3845 type: string
3846 default: ldap
3847 description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"'
3848 username:
3849 type: string
3850 description: Username is an LDAP user name used to authenticate using the LDAP Vault authentication method
3851 required:
3852 - path
3853 - username
3854 tokenSecretRef:
3855 type: object
3856 description: TokenSecretRef authenticates with Vault by presenting a token.
3857 properties:
3858 name:
3859 type: string
3860 description: The name of the Secret resource being referred to.
3861 namespace:
3862 type: string
3863 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
3864 key:
3865 type: string
3866 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3867 caBundle:
3868 type: string
3869 description: PEM encoded CA bundle used to validate the Vault server certificate. Only used if the server URL uses the HTTPS protocol; this parameter is ignored for plain HTTP connections. If not set, the system root certificates are used to validate the TLS connection.
3870 format: byte
3871 caProvider:
3872 type: object
3873 description: The provider for the CA bundle to use to validate Vault server certificate.
3874 properties:
3875 name:
3876 type: string
3877 description: The name of the object located at the provider type.
3878 namespace:
3879 type: string
3880 description: The namespace the Provider type is in.
3881 type:
3882 type: string
3883 description: The type of provider to use such as "Secret", or "ConfigMap".
3884 enum:
3885 - Secret
3886 - ConfigMap
3887 key:
3888 type: string
3889 description: The key of the value inside the provider type to use; only used with the "Secret" type
3890 required:
3891 - name
3892 - type
3893 forwardInconsistent:
3894 type: boolean
3895 description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
3896 path:
3897 type: string
3898 description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.'
3899 readYourWrites:
3900 type: boolean
3901 description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency
3902 server:
3903 type: string
3904 description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
3905 version:
3906 type: string
3907 default: v2
3908 description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2".
3909 enum:
3910 - v1
3911 - v2
3912 required:
3913 - auth
3914 - server
3915 webhook:
3916 type: object
3917 description: Webhook configures this store to sync secrets using a generic templated webhook
3918 properties:
3919 body:
3920 type: string
3921 description: Body
3922 caBundle:
3923 type: string
3924 description: PEM encoded CA bundle used to validate the webhook server certificate. Only used if the server URL uses the HTTPS protocol; this parameter is ignored for plain HTTP connections. If not set, the system root certificates are used to validate the TLS connection.
3925 format: byte
3926 caProvider:
3927 type: object
3928 description: The provider for the CA bundle to use to validate webhook server certificate.
3929 properties:
3930 name:
3931 type: string
3932 description: The name of the object located at the provider type.
3933 namespace:
3934 type: string
3935 description: The namespace the Provider type is in.
3936 type:
3937 type: string
3938 description: The type of provider to use such as "Secret", or "ConfigMap".
3939 enum:
3940 - Secret
3941 - ConfigMap
3942 key:
3943 type: string
3944 description: The key of the value inside the provider type to use; only used with the "Secret" type
3945 required:
3946 - name
3947 - type
3948 headers:
3949 type: object
3950 additionalProperties:
3951 type: string
3952 description: Headers
3953 method:
3954 type: string
3955 description: Webhook Method
3956 result:
3957 type: object
3958 description: Result formatting
3959 properties:
3960 jsonPath:
3961 type: string
3962 description: Json path of return value
3963 secrets:
3964 type: array
3965 description: Secrets to fill in templates. These secrets will be passed to the templating function as key/value pairs under the given name
3966 items:
3967 type: object
3968 properties:
3969 name:
3970 type: string
3971 description: Name of this secret in templates
3972 secretRef:
3973 type: object
3974 description: Secret ref to fill in credentials
3975 properties:
3976 name:
3977 type: string
3978 description: The name of the Secret resource being referred to.
3979 namespace:
3980 type: string
3981 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
3982 key:
3983 type: string
3984 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3985 required:
3986 - name
3987 - secretRef
3988 timeout:
3989 type: string
3990 description: Timeout
3991 url:
3992 type: string
3993 description: Webhook url to call
3994 required:
3995 - result
3996 - url
3997 yandexlockbox:
3998 type: object
3999 description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
4000 properties:
4001 apiEndpoint:
4002 type: string
4003 description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
4004 auth:
4005 type: object
4006 description: Auth defines the information necessary to authenticate against Yandex Lockbox
4007 properties:
4008 authorizedKeySecretRef:
4009 type: object
4010 description: The authorized key used for authentication
4011 properties:
4012 name:
4013 type: string
4014 description: The name of the Secret resource being referred to.
4015 namespace:
4016 type: string
4017 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
4018 key:
4019 type: string
4020 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
4021 caProvider:
4022 type: object
4023 description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
4024 properties:
4025 certSecretRef:
4026 type: object
4027 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
4028 properties:
4029 name:
4030 type: string
4031 description: The name of the Secret resource being referred to.
4032 namespace:
4033 type: string
4034 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
4035 key:
4036 type: string
4037 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
4038 required:
4039 - auth
4040 retrySettings:
4041 type: object
4042 description: Used to configure HTTP retries on failure
4043 properties:
4044 maxRetries:
4045 type: integer
4046 format: int32
4047 retryInterval:
4048 type: string
4049 required:
4050 - provider
4051 status:
4052 type: object
4053 description: SecretStoreStatus defines the observed state of the SecretStore.
4054 properties:
4055 conditions:
4056 type: array
4057 items:
4058 type: object
4059 properties:
4060 type:
4061 type: string
4062 status:
4063 type: string
4064 lastTransitionTime:
4065 type: string
4066 format: date-time
4067 message:
4068 type: string
4069 reason:
4070 type: string
4071 required:
4072 - status
4073 - type
4074 served: true
4075 storage: false
4076 subresources:
4077 status: {}
4078 - name: v1beta1
4079 additionalPrinterColumns:
4080 - name: AGE
4081 type: date
4082 jsonPath: .metadata.creationTimestamp
4083 - name: Status
4084 type: string
4085 jsonPath: .status.conditions[?(@.type=="Ready")].reason
4086 schema:
4087 openAPIV3Schema:
4088 type: object
4089 description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
4090 properties:
4091 apiVersion:
4092 type: string
4093 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
4094 kind:
4095 type: string
4096 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
4097 metadata:
4098 type: object
4099 spec:
4100 type: object
4101 description: SecretStoreSpec defines the desired state of SecretStore.
4102 properties:
4103 controller:
4104 type: string
4105 description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property'
4106 provider:
4107 type: object
4108 description: Used to configure the provider. Only one provider may be set
4109 maxProperties: 1
4110 minProperties: 1
4111 properties:
4112 akeyless:
4113 type: object
4114 description: Akeyless configures this store to sync secrets using Akeyless Vault provider
4115 properties:
4116 akeylessGWApiURL:
4117 type: string
4118 description: Akeyless GW API URL from which the secrets are to be fetched.
4119 authSecretRef:
4120 type: object
4121 description: Auth configures how the operator authenticates with Akeyless.
4122 properties:
4123 secretRef:
4124 type: object
4125 description: 'AkeylessAuthSecretRef AKEYLESS_ACCESS_TYPE_PARAM: AZURE_OBJ_ID OR GCP_AUDIENCE OR ACCESS_KEY OR KUB_CONFIG_NAME.'
4126 properties:
4127 accessID:
4128 type: object
4129 description: The SecretAccessID is used for authentication
4130 properties:
4131 name:
4132 type: string
4133 description: The name of the Secret resource being referred to.
4134 namespace:
4135 type: string
4136 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
4137 key:
4138 type: string
4139 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
4140 accessType:
4141 type: object
4142 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
4143 properties:
4144 name:
4145 type: string
4146 description: The name of the Secret resource being referred to.
4147 namespace:
4148 type: string
4149 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
4150 key:
4151 type: string
4152 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
4153 accessTypeParam:
4154 type: object
4155 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
4156 properties:
4157 name:
4158 type: string
4159 description: The name of the Secret resource being referred to.
4160 namespace:
4161 type: string
4162 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
4163 key:
4164 type: string
4165 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
4166 required:
4167 - secretRef
4168 required:
4169 - akeylessGWApiURL
4170 - authSecretRef
4171 alibaba:
4172 type: object
4173 description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
4174 properties:
4175 auth:
4176 type: object
4177 description: AlibabaAuth contains a secretRef for credentials.
4178 properties:
4179 secretRef:
4180 type: object
4181 description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
4182 properties:
4183 accessKeyIDSecretRef:
4184 type: object
4185 description: The AccessKeyID is used for authentication
4186 properties:
4187 name:
4188 type: string
4189 description: The name of the Secret resource being referred to.
4190 namespace:
4191 type: string
4192 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
4193 key:
4194 type: string
4195 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
4196 accessKeySecretSecretRef:
4197 type: object
4198 description: The AccessKeySecret is used for authentication
4199 properties:
4200 name:
4201 type: string
4202 description: The name of the Secret resource being referred to.
4203 namespace:
4204 type: string
4205 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
4206 key:
4207 type: string
4208 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
4209 required:
4210 - accessKeyIDSecretRef
4211 - accessKeySecretSecretRef
4212 required:
4213 - secretRef
4214 endpoint:
4215 type: string
4216 regionID:
4217 type: string
4218 description: Alibaba Region to be used for the provider
4219 required:
4220 - auth
4221 - regionID
4222 aws:
4223 type: object
4224 description: AWS configures this store to sync secrets using AWS Secret Manager provider
4225 properties:
4226 service:
4227 type: string
4228 description: Service defines which service should be used to fetch the secrets
4229 enum:
4230 - SecretsManager
4231 - ParameterStore
4232 auth:
4233 type: object
4234 description: 'Auth defines the information necessary to authenticate against AWS. If not set, the AWS SDK will infer credentials from the controller environment, so a store that omits auth reads secrets using whatever AWS identity the operator pod itself holds. See: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
4235 properties:
4236 secretRef:
4237 type: object
4238 description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
4239 properties:
4240 accessKeyIDSecretRef:
4241 type: object
4242 description: The AccessKeyID is used for authentication
4243 properties:
4244 name:
4245 type: string
4246 description: The name of the Secret resource being referred to.
4247 namespace:
4248 type: string
4249 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
4250 key:
4251 type: string
4252 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
4253 secretAccessKeySecretRef:
4254 type: object
4255 description: The SecretAccessKey is used for authentication
4256 properties:
4257 name:
4258 type: string
4259 description: The name of the Secret resource being referred to.
4260 namespace:
4261 type: string
4262 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
4263 key:
4264 type: string
4265 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
4266 jwt:
4267 type: object
4268 description: Authenticate against AWS using service account tokens.
4269 properties:
4270 serviceAccountRef:
4271 type: object
4272 description: A reference to a ServiceAccount resource.
4273 properties:
4274 name:
4275 type: string
4276 description: The name of the ServiceAccount resource being referred to.
4277 namespace:
4278 type: string
4279 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
4280 required:
4281 - name
4282 region:
4283 type: string
4284 description: AWS Region to be used for the provider
4285 role:
4286 type: string
4287 description: Role is a Role ARN which the SecretManager provider will assume
4288 required:
4289 - region
4290 - service
4291 azurekv:
4292 type: object
4293 description: AzureKV configures this store to sync secrets using Azure Key Vault provider
4294 properties:
4295 authSecretRef:
4296 type: object
4297 description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type.
4298 properties:
4299 clientId:
4300 type: object
4301 description: The Azure clientId of the service principal used for authentication.
4302 properties:
4303 name:
4304 type: string
4305 description: The name of the Secret resource being referred to.
4306 namespace:
4307 type: string
4308 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
4309 key:
4310 type: string
4311 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
4312 clientSecret:
4313 type: object
4314 description: The Azure ClientSecret of the service principal used for authentication.
4315 properties:
4316 name:
4317 type: string
4318 description: The name of the Secret resource being referred to.
4319 namespace:
4320 type: string
4321 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
4322 key:
4323 type: string
4324 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
4325 authType:
4326 type: string
4327 default: ServicePrincipal
4328 description: 'Auth type defines how to authenticate to the keyvault service. Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) - "WorkloadIdentity": Using Azure Workload Identity federated with the Kubernetes ServiceAccount named in serviceAccountRef'
4329 enum:
4330 - ServicePrincipal
4331 - ManagedIdentity
4332 - WorkloadIdentity
4333 identityId:
4334 type: string
4335 description: If multiple Managed Identities are assigned to the pod, you can select the one to be used.
4336 serviceAccountRef:
4337 type: object
4338 description: ServiceAccountRef specifies the service account that should be used when authenticating with WorkloadIdentity.
4339 properties:
4340 name:
4341 type: string
4342 description: The name of the ServiceAccount resource being referred to.
4343 namespace:
4344 type: string
4345 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
4346 required:
4347 - name
4348 tenantId:
4349 type: string
4350 description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
4351 vaultUrl:
4352 type: string
4353 description: URL of the Azure Key Vault from which secrets are fetched.
4354 required:
4355 - vaultUrl
4356 fake:
4357 type: object
4358 description: Fake configures a store with static key/value pairs
4359 properties:
4360 data:
4361 type: array
4362 items:
4363 type: object
4364 properties:
4365 value:
4366 type: string
4367 key:
4368 type: string
4369 valueMap:
4370 type: object
4371 additionalProperties:
4372 type: string
4373 version:
4374 type: string
4375 required:
4376 - key
4377 required:
4378 - data
4379 gcpsm:
4380 type: object
4381 description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
4382 properties:
4383 auth:
4384 type: object
4385 description: Auth defines the information necessary to authenticate against GCP
4386 properties:
4387 secretRef:
4388 type: object
4389 properties:
4390 secretAccessKeySecretRef:
4391 type: object
4392 description: The SecretAccessKey is used for authentication
4393 properties:
4394 name:
4395 type: string
4396 description: The name of the Secret resource being referred to.
4397 namespace:
4398 type: string
4399 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
4400 key:
4401 type: string
4402 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
4403 workloadIdentity:
4404 type: object
4405 properties:
4406 clusterName:
4407 type: string
4408 clusterLocation:
4409 type: string
4410 clusterProjectID:
4411 type: string
4412 serviceAccountRef:
4413 type: object
4414 description: A reference to a ServiceAccount resource.
4415 properties:
4416 name:
4417 type: string
4418 description: The name of the ServiceAccount resource being referred to.
4419 namespace:
4420 type: string
4421 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
4422 required:
4423 - name
4424 required:
4425 - clusterLocation
4426 - clusterName
4427 - serviceAccountRef
4428 projectID:
4429 type: string
4430 description: ProjectID project where secret is located
4431 gitlab:
4432 type: object
4433 description: Gitlab configures this store to sync secrets using Gitlab Variables provider
4434 properties:
4435 auth:
4436 type: object
4437 description: Auth configures how secret-manager authenticates with a GitLab instance.
4438 properties:
4439 SecretRef:
4440 type: object
4441 properties:
4442 accessToken:
4443 type: object
4444 description: AccessToken is used for authentication.
4445 properties:
4446 name:
4447 type: string
4448 description: The name of the Secret resource being referred to.
4449 namespace:
4450 type: string
4451 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
4452 key:
4453 type: string
4454 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
4455 required:
4456 - SecretRef
4457 projectID:
4458 type: string
4459 description: ProjectID specifies a project where secrets are located.
4460 url:
4461 type: string
4462 description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
4463 required:
4464 - auth
4465 ibm:
4466 type: object
4467 description: IBM configures this store to sync secrets using IBM Cloud provider
4468 properties:
4469 auth:
4470 type: object
4471 description: Auth configures how secret-manager authenticates with the IBM secrets manager.
4472 properties:
4473 secretRef:
4474 type: object
4475 properties:
4476 secretApiKeySecretRef:
4477 type: object
4478 description: The IBM Cloud secret API key used for authentication.
4479 properties:
4480 name:
4481 type: string
4482 description: The name of the Secret resource being referred to.
4483 namespace:
4484 type: string
4485 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
4486 key:
4487 type: string
4488 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
4489 required:
4490 - secretRef
4491 serviceUrl:
4492 type: string
4493 description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
4494 required:
4495 - auth
4496 kubernetes:
4497 type: object
4498 description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
4499 properties:
4500 auth:
4501 type: object
4502 description: Auth configures how secret-manager authenticates with a Kubernetes instance.
4503 maxProperties: 1
4504 minProperties: 1
4505 properties:
4506 serviceAccount:
4507 type: object
4508 description: points to a service account that should be used for authentication
4509 properties:
4510 serviceAccount:
4511 type: object
4512 description: A reference to a ServiceAccount resource.
4513 properties:
4514 name:
4515 type: string
4516 description: The name of the ServiceAccount resource being referred to.
4517 namespace:
4518 type: string
4519 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
4520 required:
4521 - name
4522 cert:
4523 type: object
4524 description: has both clientCert and clientKey as secretKeySelector
4525 properties:
4526 clientCert:
4527 type: object
4528 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
4529 properties:
4530 name:
4531 type: string
4532 description: The name of the Secret resource being referred to.
4533 namespace:
4534 type: string
4535 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
4536 key:
4537 type: string
4538 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
4539 clientKey:
4540 type: object
4541 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
4542 properties:
4543 name:
4544 type: string
4545 description: The name of the Secret resource being referred to.
4546 namespace:
4547 type: string
4548 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
4549 key:
4550 type: string
4551 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
4552 token:
4553 type: object
4554 description: use static token to authenticate with
4555 properties:
4556 bearerToken:
4557 type: object
4558 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
4559 properties:
4560 name:
4561 type: string
4562 description: The name of the Secret resource being referred to.
4563 namespace:
4564 type: string
4565 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
4566 key:
4567 type: string
4568 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
4569 remoteNamespace:
4570 type: string
4571 default: default
4572 description: Remote namespace to fetch the secrets from
4573 server:
4574 type: object
4575 description: configures the Kubernetes server Address.
4576 properties:
4577 caBundle:
4578 type: string
4579 description: CABundle is a base64-encoded CA certificate
4580 format: byte
4581 caProvider:
4582 type: object
4583 description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
4584 properties:
4585 name:
4586 type: string
4587 description: The name of the object located at the provider type.
4588 namespace:
4589 type: string
4590 description: The namespace the Provider type is in.
4591 type:
4592 type: string
4593 description: The type of provider to use such as "Secret", or "ConfigMap".
4594 enum:
4595 - Secret
4596 - ConfigMap
4597 key:
4598 type: string
4599 description: The key the value inside of the provider type to use, only used with "Secret" type
4600 required:
4601 - name
4602 - type
4603 url:
4604 type: string
4605 default: kubernetes.default
4606 description: configures the Kubernetes server Address.
4607 required:
4608 - auth
4609 onepassword:
4610 type: object
4611 description: OnePassword configures this store to sync secrets using the 1Password Cloud provider
4612 properties:
4613 auth:
4614 type: object
4615 description: Auth defines the information necessary to authenticate against OnePassword Connect Server
4616 properties:
4617 secretRef:
4618 type: object
4619 description: OnePasswordAuthSecretRef holds secret references for 1Password credentials.
4620 properties:
4621 connectTokenSecretRef:
4622 type: object
4623 description: The ConnectToken is used for authentication to a 1Password Connect Server.
4624 properties:
4625 name:
4626 type: string
4627 description: The name of the Secret resource being referred to.
4628 namespace:
4629 type: string
4630 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
4631 key:
4632 type: string
4633 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
4634 required:
4635 - connectTokenSecretRef
4636 required:
4637 - secretRef
4638 connectHost:
4639 type: string
4640 description: ConnectHost defines the OnePassword Connect Server to connect to
4641 vaults:
4642 type: object
4643 additionalProperties:
4644 type: integer
4645 description: Vaults defines which OnePassword vaults to search in which order
4646 required:
4647 - auth
4648 - connectHost
4649 - vaults
4650 oracle:
4651 type: object
4652 description: Oracle configures this store to sync secrets using Oracle Vault provider
4653 properties:
4654 auth:
4655 type: object
4656 description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth.
4657 properties:
4658 secretRef:
4659 type: object
4660 description: SecretRef to pass through sensitive information.
4661 properties:
4662 fingerprint:
4663 type: object
4664 description: Fingerprint is the fingerprint of the API private key.
4665 properties:
4666 name:
4667 type: string
4668 description: The name of the Secret resource being referred to.
4669 namespace:
4670 type: string
4671 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
4672 key:
4673 type: string
4674 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
4675 privatekey:
4676 type: object
4677 description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
4678 properties:
4679 name:
4680 type: string
4681 description: The name of the Secret resource being referred to.
4682 namespace:
4683 type: string
4684 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
4685 key:
4686 type: string
4687 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
4688 required:
4689 - fingerprint
4690 - privatekey
4691 tenancy:
4692 type: string
4693 description: Tenancy is the tenancy OCID where user is located.
4694 user:
4695 type: string
4696 description: User is an access OCID specific to the account.
4697 required:
4698 - secretRef
4699 - tenancy
4700 - user
4701 region:
4702 type: string
4703 description: Region is the region where vault is located.
4704 vault:
4705 type: string
4706 description: Vault is the vault's OCID of the specific vault where secret is located.
4707 required:
4708 - region
4709 - vault
4710 senhasegura:
4711 type: object
4712 description: Senhasegura configures this store to sync secrets using senhasegura provider
4713 properties:
4714 auth:
4715 type: object
4716 description: Auth defines parameters to authenticate in senhasegura
4717 properties:
4718 clientId:
4719 type: string
4720 clientSecretSecretRef:
4721 type: object
4722 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
4723 properties:
4724 name:
4725 type: string
4726 description: The name of the Secret resource being referred to.
4727 namespace:
4728 type: string
4729 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
4730 key:
4731 type: string
4732 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
4733 required:
4734 - clientId
4735 - clientSecretSecretRef
4736 ignoreSslCertificate:
4737 type: boolean
4738 default: false
4739 description: IgnoreSslCertificate defines whether the TLS certificate presented by the senhasegura server is accepted without verification. Keep it false outside of testing; skipping verification lets a man-in-the-middle read the clientId and clientSecret sent to the server and the secrets returned from it.
4740 module:
4741 type: string
4742 description: Module defines which senhasegura module should be used to get secrets
4743 url:
4744 type: string
4745 description: URL of senhasegura
4746 required:
4747 - auth
4748 - module
4749 - url
4750 vault:
4751 type: object
4752 description: Vault configures this store to sync secrets using Hashi provider
4753 properties:
4754 namespace:
4755 type: string
4756 description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
4757 auth:
4758 type: object
4759 description: Auth configures how secret-manager authenticates with the Vault server.
4760 properties:
4761 appRole:
4762 type: object
4763 description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
4764 properties:
4765 secretRef:
4766 type: object
4767 description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
4768 properties:
4769 name:
4770 type: string
4771 description: The name of the Secret resource being referred to.
4772 namespace:
4773 type: string
4774 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
4775 key:
4776 type: string
4777 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
4778 path:
4779 type: string
4780 default: approle
4781 description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
4782 roleId:
4783 type: string
4784 description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
4785 required:
4786 - path
4787 - roleId
4788 - secretRef
4789 cert:
4790 type: object
4791 description: Cert authenticates with Vault using the TLS Certificates (cert) auth method by presenting a client certificate and its private key.
4792 properties:
4793 secretRef:
4794 type: object
4795 description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method
4796 properties:
4797 name:
4798 type: string
4799 description: The name of the Secret resource being referred to.
4800 namespace:
4801 type: string
4802 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
4803 key:
4804 type: string
4805 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
4806 clientCert:
4807 type: object
4808 description: ClientCert is a certificate to authenticate using the Cert Vault authentication method
4809 properties:
4810 name:
4811 type: string
4812 description: The name of the Secret resource being referred to.
4813 namespace:
4814 type: string
4815 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
4816 key:
4817 type: string
4818 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
4819 jwt:
4820 type: object
4821 description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method
4822 properties:
4823 secretRef:
4824 type: object
4825 description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method.
4826 properties:
4827 name:
4828 type: string
4829 description: The name of the Secret resource being referred to.
4830 namespace:
4831 type: string
4832 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
4833 key:
4834 type: string
4835 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
4836 kubernetesServiceAccountToken:
4837 type: object
4838 description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API.
4839 properties:
4840 audiences:
4841 type: array
4842 description: Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` if not specified.
4843 items:
4844 type: string
4845 expirationSeconds:
4846 type: integer
4847 description: Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to 10 minutes.
4848 format: int64
4849 serviceAccountRef:
4850 type: object
4851 description: Service account field containing the name of a kubernetes ServiceAccount.
4852 properties:
4853 name:
4854 type: string
4855 description: The name of the ServiceAccount resource being referred to.
4856 namespace:
4857 type: string
4858 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
4859 required:
4860 - name
4861 required:
4862 - serviceAccountRef
4863 path:
4864 type: string
4865 default: jwt
4866 description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"'
4867 role:
4868 type: string
4869 description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method
4870 required:
4871 - path
4872 kubernetes:
4873 type: object
4874 description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
4875 properties:
4876 mountPath:
4877 type: string
4878 default: kubernetes
4879 description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"'
4880 secretRef:
4881 type: object
4882 description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used.
4883 properties:
4884 name:
4885 type: string
4886 description: The name of the Secret resource being referred to.
4887 namespace:
4888 type: string
4889 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
4890 key:
4891 type: string
4892 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
4893 role:
4894 type: string
4895 description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
4896 serviceAccountRef:
4897 type: object
4898 description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead.
4899 properties:
4900 name:
4901 type: string
4902 description: The name of the ServiceAccount resource being referred to.
4903 namespace:
4904 type: string
4905 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
4906 required:
4907 - name
4908 required:
4909 - mountPath
4910 - role
4911 ldap:
4912 type: object
4913 description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method
4914 properties:
4915 secretRef:
4916 type: object
4917 description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method
4918 properties:
4919 name:
4920 type: string
4921 description: The name of the Secret resource being referred to.
4922 namespace:
4923 type: string
4924 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
4925 key:
4926 type: string
4927 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
4928 path:
4929 type: string
4930 default: ldap
4931 description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"'
4932 username:
4933 type: string
4934 description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method
4935 required:
4936 - path
4937 - username
4938 tokenSecretRef:
4939 type: object
4940 description: TokenSecretRef authenticates with Vault by presenting a token.
4941 properties:
4942 name:
4943 type: string
4944 description: The name of the Secret resource being referred to.
4945 namespace:
4946 type: string
4947 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
4948 key:
4949 type: string
4950 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
4951 caBundle:
4952 type: string
4953 description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
4954 format: byte
4955 caProvider:
4956 type: object
4957 description: The provider for the CA bundle to use to validate Vault server certificate.
4958 properties:
4959 name:
4960 type: string
4961 description: The name of the object located at the provider type.
4962 namespace:
4963 type: string
4964 description: The namespace the Provider type is in.
4965 type:
4966 type: string
4967 description: The type of provider to use such as "Secret", or "ConfigMap".
4968 enum:
4969 - Secret
4970 - ConfigMap
4971 key:
4972 type: string
4973 description: The key the value inside of the provider type to use, only used with "Secret" type
4974 required:
4975 - name
4976 - type
4977 forwardInconsistent:
4978 type: boolean
4979 description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
4980 path:
4981 type: string
4982 description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.'
4983 readYourWrites:
4984 type: boolean
4985 description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency
4986 server:
4987 type: string
4988 description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
4989 version:
4990 type: string
4991 default: v2
4992 description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2".
4993 enum:
4994 - v1
4995 - v2
4996 required:
4997 - auth
4998 - server
4999 webhook:
5000 type: object
5001 description: Webhook configures this store to sync secrets using a generic templated webhook
5002 properties:
5003 body:
5004 type: string
5005 description: Body
5006 caBundle:
5007 type: string
5008 description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
5009 format: byte
5010 caProvider:
5011 type: object
5012 description: The provider for the CA bundle to use to validate webhook server certificate.
5013 properties:
5014 name:
5015 type: string
5016 description: The name of the object located at the provider type.
5017 namespace:
5018 type: string
5019 description: The namespace the Provider type is in.
5020 type:
5021 type: string
5022 description: The type of provider to use such as "Secret", or "ConfigMap".
5023 enum:
5024 - Secret
5025 - ConfigMap
5026 key:
5027 type: string
5028 description: The key the value inside of the provider type to use, only used with "Secret" type
5029 required:
5030 - name
5031 - type
5032 headers:
5033 type: object
5034 additionalProperties:
5035 type: string
5036 description: Headers
5037 method:
5038 type: string
5039 description: Webhook Method
5040 result:
5041 type: object
5042 description: Result formatting
5043 properties:
5044 jsonPath:
5045 type: string
5046 description: Json path of return value
5047 secrets:
5048 type: array
5049 description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name
5050 items:
5051 type: object
5052 properties:
5053 name:
5054 type: string
5055 description: Name of this secret in templates
5056 secretRef:
5057 type: object
5058 description: Secret ref to fill in credentials
5059 properties:
5060 name:
5061 type: string
5062 description: The name of the Secret resource being referred to.
5063 namespace:
5064 type: string
5065 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
5066 key:
5067 type: string
5068 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
5069 required:
5070 - name
5071 - secretRef
5072 timeout:
5073 type: string
5074 description: Timeout
5075 url:
5076 type: string
5077 description: Webhook url to call
5078 required:
5079 - result
5080 - url
5081 yandexcertificatemanager:
5082 type: object
5083 description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider
5084 properties:
5085 apiEndpoint:
5086 type: string
5087 description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
5088 auth:
5089 type: object
5090 description: Auth defines the information necessary to authenticate against Yandex Certificate Manager
5091 properties:
5092 authorizedKeySecretRef:
5093 type: object
5094 description: The authorized key used for authentication
5095 properties:
5096 name:
5097 type: string
5098 description: The name of the Secret resource being referred to.
5099 namespace:
5100 type: string
5101 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
5102 key:
5103 type: string
5104 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
5105 caProvider:
5106 type: object
5107 description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
5108 properties:
5109 certSecretRef:
5110 type: object
5111 description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
5112 properties:
5113 name:
5114 type: string
5115 description: The name of the Secret resource being referred to.
5116 namespace:
5117 type: string
5118 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
5119 key:
5120 type: string
5121 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
5122 required:
5123 - auth
5124 yandexlockbox:
5125 type: object
5126 description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
5127 properties:
5128 apiEndpoint:
5129 type: string
5130 description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
5131 auth:
5132 type: object
5133 description: Auth defines the information necessary to authenticate against Yandex Lockbox
5134 properties:
5135 authorizedKeySecretRef:
5136 type: object
5137 description: The authorized key used for authentication
5138 properties:
5139 name:
5140 type: string
5141 description: The name of the Secret resource being referred to.
5142 namespace:
5143 type: string
5144 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
5145 key:
5146 type: string
5147 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
5148 caProvider:
5149 type: object
5150 description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
5151 properties:
5152 certSecretRef:
5153 type: object
5154 description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
5155 properties:
5156 name:
5157 type: string
5158 description: The name of the Secret resource being referred to.
5159 namespace:
5160 type: string
5161 description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
5162 key:
5163 type: string
5164 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
5165 required:
5166 - auth
5167 refreshInterval:
5168 type: integer
5169 description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config.
5170 retrySettings:
5171 type: object
5172 description: Used to configure http retries if failed
5173 properties:
5174 maxRetries:
5175 type: integer
5176 format: int32
5177 retryInterval:
5178 type: string
5179 required:
5180 - provider
5181 status:
5182 type: object
5183 description: SecretStoreStatus defines the observed state of the SecretStore.
5184 properties:
5185 conditions:
5186 type: array
5187 items:
5188 type: object
5189 properties:
5190 type:
5191 type: string
5192 status:
5193 type: string
5194 lastTransitionTime:
5195 type: string
5196 format: date-time
5197 message:
5198 type: string
5199 reason:
5200 type: string
5201 required:
5202 - status
5203 - type
5204 served: true
5205 storage: true
5206 subresources:
5207 status: {}
5208---
# Source: external-secrets/templates/cert-controller-serviceaccount.yaml
# Identity for the cert-controller Deployment; it is granted
# ClusterRole kexternal-secrets-cert-controller via the ClusterRoleBinding of
# the same name further down in this bundle.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: external-secrets-cert-controller
  namespace: external-secrets
  labels:
    app.kubernetes.io/name: external-secrets-cert-controller
    app.kubernetes.io/instance: kexternal-secrets
    app.kubernetes.io/version: v0.5.4
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: external-secrets-0.5.4
  annotations:
    # GKE Workload Identity mapping. NOTE(review): the same GCP service
    # account is mapped onto all three operator SAs in this bundle; confirm the
    # cert-controller (which only manages the webhook certificate) needs cloud
    # credentials at all — if not, this annotation can be dropped here.
    iam.gke.io/gcp-service-account: "ext-sec-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com"
    # Quoted: an unquoted ISO timestamp would be parsed as a date, not a string.
    pallet.edge.ncr.com/created: "2023-02-16T21:26:39Z"
    pallet.edge.ncr.com/name: external-secrets-operator
    pallet.edge.ncr.com/revision: '696897a3df910b6e84a88c9336907a17b18159c1'
    pallet.edge.ncr.com/source: https://github.com/ncrvoyix-swt-retail/edge-infra/tree/696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/team: '@ncrvoyix-swt-retail/edge-infra'
    pallet.edge.ncr.com/version: 7.7.7-rc.1676582799+commit.696897a
5229---
# Source: external-secrets/templates/webhook-serviceaccount.yaml
# Identity for the webhook Deployment. No RoleBinding/ClusterRoleBinding in
# this section of the bundle names this account as a subject; it only needs
# the mounted certificate Secret, not API access.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: external-secrets-webhook
  namespace: external-secrets
  labels:
    app.kubernetes.io/name: external-secrets-webhook
    app.kubernetes.io/instance: kexternal-secrets
    app.kubernetes.io/version: v0.5.4
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: external-secrets-0.5.4
  annotations:
    # GKE Workload Identity mapping. NOTE(review): the admission webhook does
    # not talk to cloud secret backends; confirm whether it really needs this
    # GCP identity — mapping it widens the blast radius of a webhook compromise.
    iam.gke.io/gcp-service-account: "ext-sec-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com"
    # Quoted: an unquoted ISO timestamp would be parsed as a date, not a string.
    pallet.edge.ncr.com/created: "2023-02-16T21:26:39Z"
    pallet.edge.ncr.com/name: external-secrets-operator
    pallet.edge.ncr.com/revision: '696897a3df910b6e84a88c9336907a17b18159c1'
    pallet.edge.ncr.com/source: https://github.com/ncrvoyix-swt-retail/edge-infra/tree/696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/team: '@ncrvoyix-swt-retail/edge-infra'
    pallet.edge.ncr.com/version: 7.7.7-rc.1676582799+commit.696897a
5250---
# Source: external-secrets/templates/serviceaccount.yaml
# Identity for the main controller Deployment. It is bound to the
# leader-election Role and to ClusterRole kexternal-secrets-controller (which
# can read and write Secrets cluster-wide), so this is the most privileged
# account in the bundle.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kexternal-secrets
  namespace: external-secrets
  labels:
    app.kubernetes.io/name: external-secrets
    app.kubernetes.io/instance: kexternal-secrets
    app.kubernetes.io/version: v0.5.4
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: external-secrets-0.5.4
  annotations:
    # GKE Workload Identity mapping: pods using this SA authenticate to GCP as
    # the service account below (the controller is the component that actually
    # fetches secrets from cloud backends).
    iam.gke.io/gcp-service-account: "ext-sec-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com"
    # Quoted: an unquoted ISO timestamp would be parsed as a date, not a string.
    pallet.edge.ncr.com/created: "2023-02-16T21:26:39Z"
    pallet.edge.ncr.com/name: external-secrets-operator
    pallet.edge.ncr.com/revision: '696897a3df910b6e84a88c9336907a17b18159c1'
    pallet.edge.ncr.com/source: https://github.com/ncrvoyix-swt-retail/edge-infra/tree/696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/team: '@ncrvoyix-swt-retail/edge-infra'
    pallet.edge.ncr.com/version: 7.7.7-rc.1676582799+commit.696897a
5271---
# Source: external-secrets/templates/rbac.yaml
# Namespace-scoped permissions for controller leader election.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: kexternal-secrets-leaderelection
  namespace: external-secrets
  labels:
    app.kubernetes.io/name: external-secrets
    app.kubernetes.io/instance: kexternal-secrets
    app.kubernetes.io/version: v0.5.4
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: external-secrets-0.5.4
  annotations:
    pallet.edge.ncr.com/created: "2023-02-16T21:26:39Z"
    pallet.edge.ncr.com/name: external-secrets-operator
    pallet.edge.ncr.com/revision: '696897a3df910b6e84a88c9336907a17b18159c1'
    pallet.edge.ncr.com/source: https://github.com/ncrvoyix-swt-retail/edge-infra/tree/696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/team: '@ncrvoyix-swt-retail/edge-infra'
    pallet.edge.ncr.com/version: 7.7.7-rc.1676582799+commit.696897a
rules:
  # Writes to the election ConfigMap are pinned to one object by name.
  - apiGroups:
      - ""
    resources:
      - configmaps
    resourceNames:
      - external-secrets-controller
    verbs:
      - get
      - update
      - patch
  # `create` cannot be restricted by resourceNames (the name does not exist
  # yet), so it is granted separately for the whole namespace.
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - create
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs:
      - get
      - create
      - update
      - patch
5317---
# Source: external-secrets/templates/cert-controller-rbac.yaml
# Permissions for the cert-controller: it rotates the webhook serving
# certificate and patches the CA bundle into the CRD conversion webhook and
# the ValidatingWebhookConfiguration.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kexternal-secrets-cert-controller
  labels:
    app.kubernetes.io/name: external-secrets-cert-controller
    app.kubernetes.io/instance: kexternal-secrets
    app.kubernetes.io/version: v0.5.4
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: external-secrets-0.5.4
  annotations:
    pallet.edge.ncr.com/created: "2023-02-16T21:26:39Z"
    pallet.edge.ncr.com/name: external-secrets-operator
    pallet.edge.ncr.com/revision: '696897a3df910b6e84a88c9336907a17b18159c1'
    pallet.edge.ncr.com/source: https://github.com/ncrvoyix-swt-retail/edge-infra/tree/696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/team: '@ncrvoyix-swt-retail/edge-infra'
    pallet.edge.ncr.com/version: 7.7.7-rc.1676582799+commit.696897a
rules:
  - apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    verbs:
      - get
      - list
      - watch
      - update
      - patch
  - apiGroups:
      - admissionregistration.k8s.io
    resources:
      - validatingwebhookconfigurations
    verbs:
      - get
      - list
      - watch
      - update
      - patch
  - apiGroups:
      - ""
    resources:
      - endpoints
    verbs:
      - list
      - get
      - watch
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
  # NOTE(review): this grants read/update on every Secret in the cluster,
  # while the only Secret the Deployment args point at is
  # kexternal-secrets-webhook in the external-secrets namespace. A namespaced
  # Role (or resourceNames) would be least-privilege — verify nothing else
  # relies on the cluster-wide grant before narrowing.
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - get
      - list
      - watch
      - update
      - patch
5382---
# Source: external-secrets/templates/rbac.yaml
# Permissions for the main controller. Cluster-wide Secret write access is
# inherent to what the operator does (materialising ExternalSecrets as
# Secrets in any namespace); treat the bound ServiceAccount accordingly.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kexternal-secrets-controller
  labels:
    app.kubernetes.io/name: external-secrets
    app.kubernetes.io/instance: kexternal-secrets
    app.kubernetes.io/version: v0.5.4
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: external-secrets-0.5.4
  annotations:
    pallet.edge.ncr.com/created: "2023-02-16T21:26:39Z"
    pallet.edge.ncr.com/name: external-secrets-operator
    pallet.edge.ncr.com/revision: '696897a3df910b6e84a88c9336907a17b18159c1'
    pallet.edge.ncr.com/source: https://github.com/ncrvoyix-swt-retail/edge-infra/tree/696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/team: '@ncrvoyix-swt-retail/edge-infra'
    pallet.edge.ncr.com/version: 7.7.7-rc.1676582799+commit.696897a
rules:
  # Read the operator's own custom resources.
  - apiGroups:
      - external-secrets.io
    resources:
      - secretstores
      - clustersecretstores
      - externalsecrets
      - clusterexternalsecrets
    verbs:
      - get
      - list
      - watch
  # Write back status and finalizers on those resources.
  - apiGroups:
      - external-secrets.io
    resources:
      - externalsecrets
      - externalsecrets/status
      - externalsecrets/finalizers
      - secretstores
      - secretstores/status
      - secretstores/finalizers
      - clustersecretstores
      - clustersecretstores/status
      - clustersecretstores/finalizers
      - clusterexternalsecrets
      - clusterexternalsecrets/status
      - clusterexternalsecrets/finalizers
    verbs:
      - update
      - patch
  - apiGroups:
      - ""
    resources:
      - serviceaccounts
      - namespaces
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - get
      - list
      - watch
  # Full Secret lifecycle in every namespace: the synced Secrets are created,
  # updated and garbage-collected by the controller.
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - delete
      - patch
  # NOTE(review): `create` on serviceaccounts/token cluster-wide lets the
  # controller mint a token for any ServiceAccount (presumably used for
  # provider auth via a serviceAccountRef in a store — verify). This is an
  # identity-impersonation capability; keep it in mind when auditing who can
  # reach this SA's credentials.
  - apiGroups:
      - ""
    resources:
      - serviceaccounts/token
    verbs:
      - create
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
  # Needed so ClusterExternalSecrets can fan out ExternalSecrets.
  - apiGroups:
      - external-secrets.io
    resources:
      - externalsecrets
    verbs:
      - create
      - update
5480---
# Source: external-secrets/templates/rbac.yaml
# Aggregated into the built-in `admin` and `edit` ClusterRoles so users with
# those roles can manage the operator's namespaced resources.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kexternal-secrets-edit
  labels:
    app.kubernetes.io/name: external-secrets
    app.kubernetes.io/instance: kexternal-secrets
    app.kubernetes.io/version: v0.5.4
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: external-secrets-0.5.4
    # Must stay quoted strings: label values are strings and an unquoted
    # `true` would be parsed as a boolean.
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
  annotations:
    pallet.edge.ncr.com/created: "2023-02-16T21:26:39Z"
    pallet.edge.ncr.com/name: external-secrets-operator
    pallet.edge.ncr.com/revision: '696897a3df910b6e84a88c9336907a17b18159c1'
    pallet.edge.ncr.com/source: https://github.com/ncrvoyix-swt-retail/edge-infra/tree/696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/team: '@ncrvoyix-swt-retail/edge-infra'
    pallet.edge.ncr.com/version: 7.7.7-rc.1676582799+commit.696897a
rules:
  # NOTE(review): clustersecretstores is a cluster-scoped resource, so
  # aggregating write access on it into the namespaced `edit` role is only
  # effective through ClusterRoleBindings — confirm that is intended.
  - apiGroups:
      - external-secrets.io
    resources:
      - externalsecrets
      - secretstores
      - clustersecretstores
    verbs:
      - create
      - delete
      - deletecollection
      - patch
      - update
5514---
# Source: external-secrets/templates/rbac.yaml
# Read-only counterpart of kexternal-secrets-edit, aggregated into the
# built-in `admin`, `edit` and `view` ClusterRoles.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kexternal-secrets-view
  labels:
    app.kubernetes.io/name: external-secrets
    app.kubernetes.io/instance: kexternal-secrets
    app.kubernetes.io/version: v0.5.4
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: external-secrets-0.5.4
    # Must stay quoted strings: label values are strings and an unquoted
    # `true` would be parsed as a boolean.
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
    rbac.authorization.k8s.io/aggregate-to-view: "true"
  annotations:
    pallet.edge.ncr.com/created: "2023-02-16T21:26:39Z"
    pallet.edge.ncr.com/name: external-secrets-operator
    pallet.edge.ncr.com/revision: '696897a3df910b6e84a88c9336907a17b18159c1'
    pallet.edge.ncr.com/source: https://github.com/ncrvoyix-swt-retail/edge-infra/tree/696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/team: '@ncrvoyix-swt-retail/edge-infra'
    pallet.edge.ncr.com/version: 7.7.7-rc.1676582799+commit.696897a
rules:
  - apiGroups:
      - external-secrets.io
    resources:
      - externalsecrets
      - secretstores
      - clustersecretstores
    verbs:
      - get
      - watch
      - list
5547---
# Source: external-secrets/templates/rbac.yaml
# Gives the controller ServiceAccount the namespaced leader-election Role.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kexternal-secrets-leaderelection
  namespace: external-secrets
  labels:
    app.kubernetes.io/name: external-secrets
    app.kubernetes.io/instance: kexternal-secrets
    app.kubernetes.io/version: v0.5.4
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: external-secrets-0.5.4
  annotations:
    pallet.edge.ncr.com/created: "2023-02-16T21:26:39Z"
    pallet.edge.ncr.com/name: external-secrets-operator
    pallet.edge.ncr.com/revision: '696897a3df910b6e84a88c9336907a17b18159c1'
    pallet.edge.ncr.com/source: https://github.com/ncrvoyix-swt-retail/edge-infra/tree/696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/team: '@ncrvoyix-swt-retail/edge-infra'
    pallet.edge.ncr.com/version: 7.7.7-rc.1676582799+commit.696897a
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kexternal-secrets-leaderelection
subjects:
  - kind: ServiceAccount
    name: kexternal-secrets
    namespace: external-secrets
5575---
# Source: external-secrets/templates/cert-controller-rbac.yaml
# Binds the cert-controller ServiceAccount to its cluster-wide role.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kexternal-secrets-cert-controller
  labels:
    app.kubernetes.io/name: external-secrets-cert-controller
    app.kubernetes.io/instance: kexternal-secrets
    app.kubernetes.io/version: v0.5.4
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: external-secrets-0.5.4
  annotations:
    pallet.edge.ncr.com/created: "2023-02-16T21:26:39Z"
    pallet.edge.ncr.com/name: external-secrets-operator
    pallet.edge.ncr.com/revision: '696897a3df910b6e84a88c9336907a17b18159c1'
    pallet.edge.ncr.com/source: https://github.com/ncrvoyix-swt-retail/edge-infra/tree/696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/team: '@ncrvoyix-swt-retail/edge-infra'
    pallet.edge.ncr.com/version: 7.7.7-rc.1676582799+commit.696897a
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kexternal-secrets-cert-controller
subjects:
  - kind: ServiceAccount
    name: external-secrets-cert-controller
    namespace: external-secrets
5602---
# Source: external-secrets/templates/rbac.yaml
# Binds the controller ServiceAccount to the cluster-wide controller role
# (cluster-wide Secret read/write).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kexternal-secrets-controller
  labels:
    app.kubernetes.io/name: external-secrets
    app.kubernetes.io/instance: kexternal-secrets
    app.kubernetes.io/version: v0.5.4
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: external-secrets-0.5.4
  annotations:
    pallet.edge.ncr.com/created: "2023-02-16T21:26:39Z"
    pallet.edge.ncr.com/name: external-secrets-operator
    pallet.edge.ncr.com/revision: '696897a3df910b6e84a88c9336907a17b18159c1'
    pallet.edge.ncr.com/source: https://github.com/ncrvoyix-swt-retail/edge-infra/tree/696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/team: '@ncrvoyix-swt-retail/edge-infra'
    pallet.edge.ncr.com/version: 7.7.7-rc.1676582799+commit.696897a
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kexternal-secrets-controller
subjects:
  - kind: ServiceAccount
    name: kexternal-secrets
    namespace: external-secrets
5629---
# Source: external-secrets/templates/webhook-secret.yaml
# Placeholder for the webhook serving certificate. It is created empty here;
# the cert-controller Deployment (see its --secret-name/--secret-namespace
# args) writes the key material, and the webhook Deployment mounts it
# read-only at /tmp/certs.
apiVersion: v1
kind: Secret
metadata:
  name: kexternal-secrets-webhook
  namespace: external-secrets
  labels:
    app.kubernetes.io/name: external-secrets-webhook
    app.kubernetes.io/instance: kexternal-secrets
    app.kubernetes.io/version: v0.5.4
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: external-secrets-0.5.4
    external-secrets.io/component: webhook
  annotations:
    pallet.edge.ncr.com/created: "2023-02-16T21:26:39Z"
    pallet.edge.ncr.com/name: external-secrets-operator
    pallet.edge.ncr.com/revision: '696897a3df910b6e84a88c9336907a17b18159c1'
    pallet.edge.ncr.com/source: https://github.com/ncrvoyix-swt-retail/edge-infra/tree/696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/team: '@ncrvoyix-swt-retail/edge-infra'
    pallet.edge.ncr.com/version: 7.7.7-rc.1676582799+commit.696897a
5650---
# Source: external-secrets/templates/webhook-service.yaml
# In-cluster endpoint the API server calls for admission and CRD conversion.
# Port 443 is forwarded to the webhook container's --port=10250.
apiVersion: v1
kind: Service
metadata:
  name: kexternal-secrets-webhook
  namespace: external-secrets
  labels:
    app.kubernetes.io/name: external-secrets-webhook
    app.kubernetes.io/instance: kexternal-secrets
    app.kubernetes.io/version: v0.5.4
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: external-secrets-0.5.4
    external-secrets.io/component: webhook
  annotations:
    pallet.edge.ncr.com/created: "2023-02-16T21:26:39Z"
    pallet.edge.ncr.com/name: external-secrets-operator
    pallet.edge.ncr.com/revision: '696897a3df910b6e84a88c9336907a17b18159c1'
    pallet.edge.ncr.com/source: https://github.com/ncrvoyix-swt-retail/edge-infra/tree/696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/team: '@ncrvoyix-swt-retail/edge-infra'
    pallet.edge.ncr.com/version: 7.7.7-rc.1676582799+commit.696897a
spec:
  type: ClusterIP
  selector:
    app.kubernetes.io/name: external-secrets-webhook
    app.kubernetes.io/instance: kexternal-secrets
  ports:
    - name: webhook
      protocol: TCP
      port: 443
      targetPort: 10250
5681---
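# Main external-secrets controller. Runs as ServiceAccount kexternal-secrets
# (cluster-wide Secret read/write via ClusterRole kexternal-secrets-controller).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kexternal-secrets
  namespace: external-secrets
  labels:
    app.kubernetes.io/name: external-secrets
    app.kubernetes.io/instance: kexternal-secrets
    app.kubernetes.io/version: v0.5.4
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: external-secrets-0.5.4
  annotations:
    pallet.edge.ncr.com/created: "2023-02-16T21:26:39Z"
    pallet.edge.ncr.com/name: external-secrets-operator
    pallet.edge.ncr.com/revision: '696897a3df910b6e84a88c9336907a17b18159c1'
    pallet.edge.ncr.com/source: https://github.com/ncrvoyix-swt-retail/edge-infra/tree/696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/team: '@ncrvoyix-swt-retail/edge-infra'
    pallet.edge.ncr.com/version: 7.7.7-rc.1676582799+commit.696897a
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: external-secrets
      app.kubernetes.io/instance: kexternal-secrets
  template:
    metadata:
      labels:
        app.kubernetes.io/name: external-secrets
        app.kubernetes.io/instance: kexternal-secrets
      annotations:
        pallet.edge.ncr.com/created: "2023-02-16T21:26:39Z"
        pallet.edge.ncr.com/name: external-secrets-operator
        pallet.edge.ncr.com/revision: '696897a3df910b6e84a88c9336907a17b18159c1'
        pallet.edge.ncr.com/source: https://github.com/ncrvoyix-swt-retail/edge-infra/tree/696897a3df910b6e84a88c9336907a17b18159c1
        pallet.edge.ncr.com/team: '@ncrvoyix-swt-retail/edge-infra'
        pallet.edge.ncr.com/version: 7.7.7-rc.1676582799+commit.696897a
    spec:
      serviceAccountName: kexternal-secrets
      # NOTE(review): no pod/container securityContext and no resource
      # requests/limits are set on any of the three Deployments in this
      # bundle; confirm the cluster's admission policy supplies them, or add
      # them explicitly once verified against the image's runtime user.
      containers:
        - name: external-secrets
          image: ghcr.io/external-secrets/external-secrets:v0.5.4
          imagePullPolicy: IfNotPresent
          args:
            - --concurrent=1
          ports:
            - name: metrics
              containerPort: 8080
              protocol: TCP
            - name: health
              containerPort: 8081
              protocol: TCP
          # Added for parity with the cert-controller and webhook Deployments in
          # this bundle, which probe /readyz on the same image's health port;
          # previously this Deployment declared the health port but never used it.
          readinessProbe:
            httpGet:
              path: /readyz
              port: 8081
            initialDelaySeconds: 20
            periodSeconds: 5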
5733---
# Cert-controller: generates/rotates the webhook serving certificate into
# Secret kexternal-secrets-webhook and keeps the CA bundle in the webhook
# configurations up to date (--crd-requeue-interval controls how often).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kexternal-secrets-cert-controller
  namespace: external-secrets
  labels:
    app.kubernetes.io/name: external-secrets-cert-controller
    app.kubernetes.io/instance: kexternal-secrets
    app.kubernetes.io/version: v0.5.4
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: external-secrets-0.5.4
  annotations:
    pallet.edge.ncr.com/created: "2023-02-16T21:26:39Z"
    pallet.edge.ncr.com/name: external-secrets-operator
    pallet.edge.ncr.com/revision: '696897a3df910b6e84a88c9336907a17b18159c1'
    pallet.edge.ncr.com/source: https://github.com/ncrvoyix-swt-retail/edge-infra/tree/696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/team: '@ncrvoyix-swt-retail/edge-infra'
    pallet.edge.ncr.com/version: 7.7.7-rc.1676582799+commit.696897a
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: external-secrets-cert-controller
      app.kubernetes.io/instance: kexternal-secrets
  template:
    metadata:
      labels:
        app.kubernetes.io/name: external-secrets-cert-controller
        app.kubernetes.io/instance: kexternal-secrets
      annotations:
        pallet.edge.ncr.com/created: "2023-02-16T21:26:39Z"
        pallet.edge.ncr.com/name: external-secrets-operator
        pallet.edge.ncr.com/revision: '696897a3df910b6e84a88c9336907a17b18159c1'
        pallet.edge.ncr.com/source: https://github.com/ncrvoyix-swt-retail/edge-infra/tree/696897a3df910b6e84a88c9336907a17b18159c1
        pallet.edge.ncr.com/team: '@ncrvoyix-swt-retail/edge-infra'
        pallet.edge.ncr.com/version: 7.7.7-rc.1676582799+commit.696897a
    spec:
      serviceAccountName: external-secrets-cert-controller
      containers:
        - name: cert-controller
          image: ghcr.io/external-secrets/external-secrets:v0.5.4
          imagePullPolicy: IfNotPresent
          # Service/Secret names here must match the Service and Secret
          # objects named kexternal-secrets-webhook in this bundle.
          args:
            - certcontroller
            - --crd-requeue-interval=5m
            - --service-name=kexternal-secrets-webhook
            - --service-namespace=external-secrets
            - --secret-name=kexternal-secrets-webhook
            - --secret-namespace=external-secrets
          ports:
            - name: metrics
              containerPort: 8080
              protocol: TCP
            - name: health
              containerPort: 8081
              protocol: TCP
          readinessProbe:
            httpGet:
              path: /readyz
              port: 8081
            initialDelaySeconds: 20
            periodSeconds: 5
5796---
# Admission/conversion webhook server. Serves TLS on 10250 from the
# certificate Secret mounted read-only at /tmp/certs; --dns-name must equal
# the in-cluster DNS name of Service kexternal-secrets-webhook.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kexternal-secrets-webhook
  namespace: external-secrets
  labels:
    app.kubernetes.io/name: external-secrets-webhook
    app.kubernetes.io/instance: kexternal-secrets
    app.kubernetes.io/version: v0.5.4
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: external-secrets-0.5.4
  annotations:
    pallet.edge.ncr.com/created: "2023-02-16T21:26:39Z"
    pallet.edge.ncr.com/name: external-secrets-operator
    pallet.edge.ncr.com/revision: '696897a3df910b6e84a88c9336907a17b18159c1'
    pallet.edge.ncr.com/source: https://github.com/ncrvoyix-swt-retail/edge-infra/tree/696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/team: '@ncrvoyix-swt-retail/edge-infra'
    pallet.edge.ncr.com/version: 7.7.7-rc.1676582799+commit.696897a
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: external-secrets-webhook
      app.kubernetes.io/instance: kexternal-secrets
  template:
    metadata:
      labels:
        app.kubernetes.io/name: external-secrets-webhook
        app.kubernetes.io/instance: kexternal-secrets
      annotations:
        pallet.edge.ncr.com/created: "2023-02-16T21:26:39Z"
        pallet.edge.ncr.com/name: external-secrets-operator
        pallet.edge.ncr.com/revision: '696897a3df910b6e84a88c9336907a17b18159c1'
        pallet.edge.ncr.com/source: https://github.com/ncrvoyix-swt-retail/edge-infra/tree/696897a3df910b6e84a88c9336907a17b18159c1
        pallet.edge.ncr.com/team: '@ncrvoyix-swt-retail/edge-infra'
        pallet.edge.ncr.com/version: 7.7.7-rc.1676582799+commit.696897a
    spec:
      # Explicitly off: the webhook must not share the node's network namespace.
      hostNetwork: false
      serviceAccountName: external-secrets-webhook
      containers:
        - name: webhook
          image: ghcr.io/external-secrets/external-secrets:v0.5.4
          imagePullPolicy: IfNotPresent
          args:
            - webhook
            - --port=10250
            - --dns-name=kexternal-secrets-webhook.external-secrets.svc
            - --cert-dir=/tmp/certs
            - --check-interval=5m
          ports:
            - name: metrics
              containerPort: 8080
              protocol: TCP
            - name: webhook
              containerPort: 10250
              protocol: TCP
            - name: health
              containerPort: 8081
              protocol: TCP
          readinessProbe:
            httpGet:
              path: /readyz
              port: 8081
            initialDelaySeconds: 20
            periodSeconds: 5
          volumeMounts:
            - name: certs
              mountPath: /tmp/certs
              readOnly: true
      volumes:
        - name: certs
          secret:
            secretName: kexternal-secrets-webhook
5870---
5871# Source: external-secrets/templates/validatingwebhook.yaml
5872apiVersion: admissionregistration.k8s.io/v1
5873kind: ValidatingWebhookConfiguration
5874metadata:
5875 name: externalsecret-validate
5876 labels:
5877 external-secrets.io/component: webhook
5878 cluster_hash: ${cluster_hash}
5879 cluster_uuid: ${cluster_uuid}
5880 annotations:
5881 pallet.edge.ncr.com/created: "2023-02-16T21:26:39Z"
5882 pallet.edge.ncr.com/name: external-secrets-operator
5883 pallet.edge.ncr.com/revision: 696897a3df910b6e84a88c9336907a17b18159c1
5884 pallet.edge.ncr.com/source: https://github.com/ncrvoyix-swt-retail/edge-infra/tree/696897a3df910b6e84a88c9336907a17b18159c1
5885 pallet.edge.ncr.com/team: '@ncrvoyix-swt-retail/edge-infra'
5886 pallet.edge.ncr.com/version: 7.7.7-rc.1676582799+commit.696897a
5887webhooks:
5888- name: "validate.externalsecret.external-secrets.io"
5889 admissionReviewVersions: ["v1", "v1beta1"]
5890 clientConfig:
5891 service:
5892 name: kexternal-secrets-webhook
5893 namespace: "external-secrets"
5894 path: /validate-external-secrets-io-v1beta1-externalsecret
5895 failurePolicy: Fail
5896 rules:
5897 - resources: ["externalsecrets"]
5898 apiGroups: ["external-secrets.io"]
5899 apiVersions: ["v1beta1"]
5900 operations: ["CREATE", "DELETE", "UPDATE"]
5901 scope: "Namespaced"
5902 sideEffects: None
5903 timeoutSeconds: 5
5904---
5905# Source: external-secrets/templates/validatingwebhook.yaml
5906apiVersion: admissionregistration.k8s.io/v1
5907kind: ValidatingWebhookConfiguration
5908metadata:
5909 name: secretstore-validate
5910 labels:
5911 external-secrets.io/component: webhook
5912 cluster_hash: ${cluster_hash}
5913 cluster_uuid: ${cluster_uuid}
5914 annotations:
5915 pallet.edge.ncr.com/created: "2023-02-16T21:26:39Z"
5916 pallet.edge.ncr.com/name: external-secrets-operator
5917 pallet.edge.ncr.com/revision: 696897a3df910b6e84a88c9336907a17b18159c1
5918 pallet.edge.ncr.com/source: https://github.com/ncrvoyix-swt-retail/edge-infra/tree/696897a3df910b6e84a88c9336907a17b18159c1
5919 pallet.edge.ncr.com/team: '@ncrvoyix-swt-retail/edge-infra'
5920 pallet.edge.ncr.com/version: 7.7.7-rc.1676582799+commit.696897a
5921webhooks:
5922- name: "validate.clustersecretstore.external-secrets.io"
5923 admissionReviewVersions: ["v1", "v1beta1"]
5924 clientConfig:
5925 service:
5926 name: kexternal-secrets-webhook
5927 namespace: "external-secrets"
5928 path: /validate-external-secrets-io-v1beta1-clustersecretstore
5929 rules:
5930 - resources: ["clustersecretstores"]
5931 apiGroups: ["external-secrets.io"]
5932 apiVersions: ["v1beta1"]
5933 operations: ["CREATE", "DELETE", "UPDATE"]
5934 scope: "Cluster"
5935 sideEffects: None
5936 timeoutSeconds: 5
5937- name: "validate.secretstore.external-secrets.io"
5938 admissionReviewVersions: ["v1", "v1beta1"]
5939 clientConfig:
5940 service:
5941 name: kexternal-secrets-webhook
5942 namespace: "external-secrets"
5943 path: /validate-external-secrets-io-v1beta1-secretstore
5944 rules:
5945 - resources: ["secretstores"]
5946 apiGroups: ["external-secrets.io"]
5947 apiVersions: ["v1beta1"]
5948 operations: ["CREATE", "DELETE", "UPDATE"]
5949 scope: "Namespaced"
5950 sideEffects: None
5951 timeoutSeconds: 5