---
# Source: external-secrets/templates/cert-controller-serviceaccount.yaml
# Identity for the cert-controller component (presumably the one that provisions
# the webhook TLS Secret declared further down — confirm against its RBAC, which
# is not part of this chunk). automountServiceAccountToken is not set on any of
# the three ServiceAccounts in this release, so the cluster default applies; the
# controllers need an API token, but note it when hardening the pod specs.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: external-secrets-cert-controller
  # Rendered into `default`; every cross-reference in this manifest (webhook
  # Secret, conversion webhook Service) assumes the same namespace.
  namespace: default
  labels:
    helm.sh/chart: external-secrets-v0.9.16
    app.kubernetes.io/name: external-secrets-cert-controller
    app.kubernetes.io/instance: external-secrets
    app.kubernetes.io/version: "v0.9.16"
    app.kubernetes.io/managed-by: Helm
---
# Source: external-secrets/templates/serviceaccount.yaml
# Identity the external-secrets controller itself runs as. The CRDs in this
# manifest let a cluster-scoped store reference credential Secrets and
# ServiceAccount tokens in other namespaces, and ClusterExternalSecret fans
# ExternalSecrets out across namespaces, so the RBAC bound to this account
# (not in this chunk) is expected to be cluster-wide — review those bindings
# with the same care as the provider credentials they guard.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: external-secrets
  namespace: default
  labels:
    helm.sh/chart: external-secrets-v0.9.16
    app.kubernetes.io/name: external-secrets
    app.kubernetes.io/instance: external-secrets
    app.kubernetes.io/version: "v0.9.16"
    app.kubernetes.io/managed-by: Helm
---
# Source: external-secrets/templates/webhook-serviceaccount.yaml
# Identity for the webhook server. The CRDs below route schema conversion to
# the `external-secrets-webhook` Service in this same namespace (`default`), so
# the namespace here, on the Secret holding the webhook TLS material, and in
# every CRD's conversion.clientConfig must stay in sync — a mismatch would
# leave the API server unable to reach the converter for those CRDs.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: external-secrets-webhook
  namespace: default
  labels:
    helm.sh/chart: external-secrets-v0.9.16
    app.kubernetes.io/name: external-secrets-webhook
    app.kubernetes.io/instance: external-secrets
    app.kubernetes.io/version: "v0.9.16"
    app.kubernetes.io/managed-by: Helm
---
# Source: external-secrets/templates/webhook-secret.yaml
# Placeholder for the webhook's TLS material: no `type` or `data` is declared,
# so this is created as an empty Secret (type defaults to Opaque) and is
# presumably populated later by the cert-controller — confirm against that
# controller's code/RBAC. Once populated, anyone with read access to Secrets in
# this namespace can extract the webhook serving key, so keep namespace-level
# Secret access tight.
apiVersion: v1
kind: Secret
metadata:
  name: external-secrets-webhook
  namespace: default
  labels:
    helm.sh/chart: external-secrets-v0.9.16
    app.kubernetes.io/name: external-secrets-webhook
    app.kubernetes.io/instance: external-secrets
    app.kubernetes.io/version: "v0.9.16"
    app.kubernetes.io/managed-by: Helm
    # NOTE(review): looks like the label the cert-controller selects on — confirm.
    external-secrets.io/component: webhook
54---
55# Source: external-secrets/templates/crds/acraccesstoken.yaml
56apiVersion: apiextensions.k8s.io/v1
57kind: CustomResourceDefinition
58metadata:
59 annotations:
60 controller-gen.kubebuilder.io/version: v0.14.0
61 name: acraccesstokens.generators.external-secrets.io
62spec:
63 group: generators.external-secrets.io
64 names:
65 categories:
66 - acraccesstoken
67 kind: ACRAccessToken
68 listKind: ACRAccessTokenList
69 plural: acraccesstokens
70 shortNames:
71 - acraccesstoken
72 singular: acraccesstoken
73 scope: Namespaced
74 versions:
75 - name: v1alpha1
76 schema:
77 openAPIV3Schema:
78 description: |-
          ACRAccessToken returns an Azure Container Registry token
          that can be used for pushing/pulling images.
          Note: by default it returns an ACR Refresh Token carrying the full access
          of the authenticating identity, not a token limited to one repository.
          Set .spec.scope to narrow it down to the repository level; when scope is
          set the generator returns a scoped ACR Access Token instead.

          See docs: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md
88 properties:
89 apiVersion:
90 description: |-
91 APIVersion defines the versioned schema of this representation of an object.
92 Servers should convert recognized schemas to the latest internal value, and
93 may reject unrecognized values.
94 More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
95 type: string
96 kind:
97 description: |-
98 Kind is a string value representing the REST resource this object represents.
99 Servers may infer this from the endpoint the client submits requests to.
100 Cannot be updated.
101 In CamelCase.
102 More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
103 type: string
104 metadata:
105 type: object
106 spec:
107 description: |-
108 ACRAccessTokenSpec defines how to generate the access token
109 e.g. how to authenticate and which registry to use.
110 see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview
111 properties:
112 auth:
113 properties:
114 managedIdentity:
115 description: ManagedIdentity uses Azure Managed Identity to authenticate with Azure.
116 properties:
117 identityId:
                        description: If multiple Managed Identities are assigned to the pod, select the one to use by its id.
119 type: string
120 type: object
121 servicePrincipal:
122 description: ServicePrincipal uses Azure Service Principal credentials to authenticate with Azure.
123 properties:
124 secretRef:
125 description: |-
126 Configuration used to authenticate with Azure using static
127 credentials stored in a Kind=Secret.
128 properties:
129 clientId:
                            description: The Azure clientId of the service principal used for authentication.
131 properties:
132 key:
133 description: |-
134 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
135 defaulted, in others it may be required.
136 type: string
137 name:
138 description: The name of the Secret resource being referred to.
139 type: string
140 namespace:
141 description: |-
142 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
143 to the namespace of the referent.
144 type: string
145 type: object
146 clientSecret:
                            description: The Azure ClientSecret of the service principal used for authentication.
148 properties:
149 key:
150 description: |-
151 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
152 defaulted, in others it may be required.
153 type: string
154 name:
155 description: The name of the Secret resource being referred to.
156 type: string
157 namespace:
158 description: |-
159 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
160 to the namespace of the referent.
161 type: string
162 type: object
163 type: object
164 required:
165 - secretRef
166 type: object
167 workloadIdentity:
168 description: WorkloadIdentity uses Azure Workload Identity to authenticate with Azure.
169 properties:
170 serviceAccountRef:
171 description: |-
172 ServiceAccountRef specified the service account
173 that should be used when authenticating with WorkloadIdentity.
174 properties:
175 audiences:
176 description: |-
                              Audience specifies the `aud` claim for the service account token.
                              If the service account carries a well-known annotation (e.g. for IRSA or GCP Workload Identity),
                              these audiences are appended to that list.
180 items:
181 type: string
182 type: array
183 name:
184 description: The name of the ServiceAccount resource being referred to.
185 type: string
186 namespace:
187 description: |-
188 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
189 to the namespace of the referent.
190 type: string
191 required:
192 - name
193 type: object
194 type: object
195 type: object
196 environmentType:
197 default: PublicCloud
198 description: |-
199 EnvironmentType specifies the Azure cloud environment endpoints to use for
200 connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
201 The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
202 PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
203 enum:
204 - PublicCloud
205 - USGovernmentCloud
206 - ChinaCloud
207 - GermanCloud
208 type: string
209 registry:
210 description: |-
211 the domain name of the ACR registry
212 e.g. foobarexample.azurecr.io
213 type: string
214 scope:
215 description: |-
                  Define the scope for the access token, e.g. pull/push access for a repository.
                  If not provided, a refresh token with full scope is returned, i.e. everything the
                  authenticating identity can reach in the registry — prefer setting a scope.
                  Note: the scope must name a specific repository; there is no wildcard available.
219
220
221 examples:
222 repository:my-repository:pull,push
223 repository:my-repository:pull
224
225
226 see docs for details: https://docs.docker.com/registry/spec/auth/scope/
227 type: string
228 tenantId:
229 description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
230 type: string
231 required:
232 - auth
233 - registry
234 type: object
235 type: object
236 served: true
237 storage: true
238 subresources:
239 status: {}
240 conversion:
241 strategy: Webhook
242 webhook:
243 conversionReviewVersions:
244 - v1
245 clientConfig:
246 service:
247 name: external-secrets-webhook
248 namespace: "default"
249 path: /convert
250---
251# Source: external-secrets/templates/crds/clusterexternalsecret.yaml
252apiVersion: apiextensions.k8s.io/v1
253kind: CustomResourceDefinition
254metadata:
255 annotations:
256 controller-gen.kubebuilder.io/version: v0.14.0
257 name: clusterexternalsecrets.external-secrets.io
258spec:
259 group: external-secrets.io
260 names:
261 categories:
262 - externalsecrets
263 kind: ClusterExternalSecret
264 listKind: ClusterExternalSecretList
265 plural: clusterexternalsecrets
266 shortNames:
267 - ces
268 singular: clusterexternalsecret
269 scope: Cluster
270 versions:
271 - additionalPrinterColumns:
272 - jsonPath: .spec.externalSecretSpec.secretStoreRef.name
273 name: Store
274 type: string
275 - jsonPath: .spec.refreshTime
276 name: Refresh Interval
277 type: string
278 - jsonPath: .status.conditions[?(@.type=="Ready")].status
279 name: Ready
280 type: string
281 name: v1beta1
282 schema:
283 openAPIV3Schema:
284 description: ClusterExternalSecret is the Schema for the clusterexternalsecrets API.
285 properties:
286 apiVersion:
287 description: |-
288 APIVersion defines the versioned schema of this representation of an object.
289 Servers should convert recognized schemas to the latest internal value, and
290 may reject unrecognized values.
291 More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
292 type: string
293 kind:
294 description: |-
295 Kind is a string value representing the REST resource this object represents.
296 Servers may infer this from the endpoint the client submits requests to.
297 Cannot be updated.
298 In CamelCase.
299 More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
300 type: string
301 metadata:
302 type: object
303 spec:
304 description: ClusterExternalSecretSpec defines the desired state of ClusterExternalSecret.
305 properties:
306 externalSecretMetadata:
307 description: The metadata of the external secrets to be created
308 properties:
309 annotations:
310 additionalProperties:
311 type: string
312 type: object
313 labels:
314 additionalProperties:
315 type: string
316 type: object
317 type: object
318 externalSecretName:
319 description: The name of the external secrets to be created defaults to the name of the ClusterExternalSecret
320 type: string
321 externalSecretSpec:
322 description: The spec for the ExternalSecrets to be created
323 properties:
324 data:
325 description: Data defines the connection between the Kubernetes Secret keys and the Provider data
326 items:
327 description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
328 properties:
329 remoteRef:
330 description: |-
331 RemoteRef points to the remote secret and defines
332 which secret (version/property/..) to fetch.
333 properties:
334 conversionStrategy:
335 default: Default
336 description: Used to define a conversion Strategy
337 enum:
338 - Default
339 - Unicode
340 type: string
341 decodingStrategy:
342 default: None
343 description: Used to define a decoding Strategy
344 enum:
345 - Auto
346 - Base64
347 - Base64URL
348 - None
349 type: string
350 key:
351 description: Key is the key used in the Provider, mandatory
352 type: string
353 metadataPolicy:
354 default: None
355 description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
356 enum:
357 - None
358 - Fetch
359 type: string
360 property:
361 description: Used to select a specific property of the Provider value (if a map), if supported
362 type: string
363 version:
364 description: Used to select a specific version of the Provider value, if supported
365 type: string
366 required:
367 - key
368 type: object
369 secretKey:
370 description: |-
371 SecretKey defines the key in which the controller stores
372 the value. This is the key in the Kind=Secret
373 type: string
374 sourceRef:
375 description: |-
                            SourceRef allows you to override the source
                            from which the value will be pulled.
378 maxProperties: 1
379 properties:
380 generatorRef:
381 description: |-
382 GeneratorRef points to a generator custom resource.
383
384
385 Deprecated: The generatorRef is not implemented in .data[].
386 this will be removed with v1.
387 properties:
388 apiVersion:
389 default: generators.external-secrets.io/v1alpha1
390 description: Specify the apiVersion of the generator resource
391 type: string
392 kind:
393 description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc.
394 type: string
395 name:
396 description: Specify the name of the generator resource
397 type: string
398 required:
399 - kind
400 - name
401 type: object
402 storeRef:
403 description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
404 properties:
405 kind:
406 description: |-
407 Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
408 Defaults to `SecretStore`
409 type: string
410 name:
411 description: Name of the SecretStore resource
412 type: string
413 required:
414 - name
415 type: object
416 type: object
417 required:
418 - remoteRef
419 - secretKey
420 type: object
421 type: array
422 dataFrom:
423 description: |-
424 DataFrom is used to fetch all properties from a specific Provider data
425 If multiple entries are specified, the Secret keys are merged in the specified order
426 items:
427 properties:
428 extract:
429 description: |-
430 Used to extract multiple key/value pairs from one secret
431 Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
432 properties:
433 conversionStrategy:
434 default: Default
435 description: Used to define a conversion Strategy
436 enum:
437 - Default
438 - Unicode
439 type: string
440 decodingStrategy:
441 default: None
442 description: Used to define a decoding Strategy
443 enum:
444 - Auto
445 - Base64
446 - Base64URL
447 - None
448 type: string
449 key:
450 description: Key is the key used in the Provider, mandatory
451 type: string
452 metadataPolicy:
453 default: None
454 description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
455 enum:
456 - None
457 - Fetch
458 type: string
459 property:
460 description: Used to select a specific property of the Provider value (if a map), if supported
461 type: string
462 version:
463 description: Used to select a specific version of the Provider value, if supported
464 type: string
465 required:
466 - key
467 type: object
468 find:
469 description: |-
470 Used to find secrets based on tags or regular expressions
471 Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
472 properties:
473 conversionStrategy:
474 default: Default
475 description: Used to define a conversion Strategy
476 enum:
477 - Default
478 - Unicode
479 type: string
480 decodingStrategy:
481 default: None
482 description: Used to define a decoding Strategy
483 enum:
484 - Auto
485 - Base64
486 - Base64URL
487 - None
488 type: string
489 name:
490 description: Finds secrets based on the name.
491 properties:
492 regexp:
                                  description: Finds secrets whose name matches this regular expression.
494 type: string
495 type: object
496 path:
497 description: A root path to start the find operations.
498 type: string
499 tags:
500 additionalProperties:
501 type: string
502 description: Find secrets based on tags.
503 type: object
504 type: object
505 rewrite:
506 description: |-
507 Used to rewrite secret Keys after getting them from the secret Provider
508 Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
509 items:
510 properties:
511 regexp:
512 description: |-
513 Used to rewrite with regular expressions.
514 The resulting key will be the output of a regexp.ReplaceAll operation.
515 properties:
516 source:
517 description: Used to define the regular expression of a re.Compiler.
518 type: string
519 target:
520 description: Used to define the target pattern of a ReplaceAll operation.
521 type: string
522 required:
523 - source
524 - target
525 type: object
526 transform:
527 description: |-
528 Used to apply string transformation on the secrets.
529 The resulting key will be the output of the template applied by the operation.
530 properties:
531 template:
532 description: |-
533 Used to define the template to apply on the secret name.
534 `.value ` will specify the secret name in the template.
535 type: string
536 required:
537 - template
538 type: object
539 type: object
540 type: array
541 sourceRef:
542 description: |-
                            SourceRef points to a store or generator
                            which contains secret values ready to use.
                            Use this in combination with Extract or Find to pull values out of
                            a specific SecretStore.
                            When sourceRef points to a generator, Extract and Find are not supported:
                            the generator returns a static map of values.
549 maxProperties: 1
550 properties:
551 generatorRef:
552 description: GeneratorRef points to a generator custom resource.
553 properties:
554 apiVersion:
555 default: generators.external-secrets.io/v1alpha1
556 description: Specify the apiVersion of the generator resource
557 type: string
558 kind:
559 description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc.
560 type: string
561 name:
562 description: Specify the name of the generator resource
563 type: string
564 required:
565 - kind
566 - name
567 type: object
568 storeRef:
569 description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
570 properties:
571 kind:
572 description: |-
573 Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
574 Defaults to `SecretStore`
575 type: string
576 name:
577 description: Name of the SecretStore resource
578 type: string
579 required:
580 - name
581 type: object
582 type: object
583 type: object
584 type: array
585 refreshInterval:
586 default: 1h
587 description: |-
588 RefreshInterval is the amount of time before the values are read again from the SecretStore provider
589 Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
590 May be set to zero to fetch and create it once. Defaults to 1h.
591 type: string
592 secretStoreRef:
593 description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
594 properties:
595 kind:
596 description: |-
597 Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
598 Defaults to `SecretStore`
599 type: string
600 name:
601 description: Name of the SecretStore resource
602 type: string
603 required:
604 - name
605 type: object
606 target:
607 default:
608 creationPolicy: Owner
609 deletionPolicy: Retain
610 description: |-
611 ExternalSecretTarget defines the Kubernetes Secret to be created
612 There can be only one target per ExternalSecret.
613 properties:
614 creationPolicy:
615 default: Owner
616 description: |-
617 CreationPolicy defines rules on how to create the resulting Secret
618 Defaults to 'Owner'
619 enum:
620 - Owner
621 - Orphan
622 - Merge
623 - None
624 type: string
625 deletionPolicy:
626 default: Retain
627 description: |-
628 DeletionPolicy defines rules on how to delete the resulting Secret
629 Defaults to 'Retain'
630 enum:
631 - Delete
632 - Merge
633 - Retain
634 type: string
635 immutable:
636 description: Immutable defines if the final secret will be immutable
637 type: boolean
638 name:
639 description: |-
640 Name defines the name of the Secret resource to be managed
641 This field is immutable
642 Defaults to the .metadata.name of the ExternalSecret resource
643 type: string
644 template:
645 description: Template defines a blueprint for the created Secret resource.
646 properties:
647 data:
648 additionalProperties:
649 type: string
650 type: object
651 engineVersion:
652 default: v2
653 description: |-
654 EngineVersion specifies the template engine version
655 that should be used to compile/execute the
656 template specified in .data and .templateFrom[].
657 enum:
658 - v1
659 - v2
660 type: string
661 mergePolicy:
662 default: Replace
663 enum:
664 - Replace
665 - Merge
666 type: string
667 metadata:
668 description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
669 properties:
670 annotations:
671 additionalProperties:
672 type: string
673 type: object
674 labels:
675 additionalProperties:
676 type: string
677 type: object
678 type: object
679 templateFrom:
680 items:
681 properties:
682 configMap:
683 properties:
684 items:
685 items:
686 properties:
687 key:
688 type: string
689 templateAs:
690 default: Values
691 enum:
692 - Values
693 - KeysAndValues
694 type: string
695 required:
696 - key
697 type: object
698 type: array
699 name:
700 type: string
701 required:
702 - items
703 - name
704 type: object
705 literal:
706 type: string
707 secret:
708 properties:
709 items:
710 items:
711 properties:
712 key:
713 type: string
714 templateAs:
715 default: Values
716 enum:
717 - Values
718 - KeysAndValues
719 type: string
720 required:
721 - key
722 type: object
723 type: array
724 name:
725 type: string
726 required:
727 - items
728 - name
729 type: object
730 target:
731 default: Data
732 enum:
733 - Data
734 - Annotations
735 - Labels
736 type: string
737 type: object
738 type: array
739 type:
740 type: string
741 type: object
742 type: object
743 type: object
744 namespaceSelector:
745 description: |-
746 The labels to select by to find the Namespaces to create the ExternalSecrets in.
747 Deprecated: Use NamespaceSelectors instead.
748 properties:
749 matchExpressions:
750 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
751 items:
752 description: |-
753 A label selector requirement is a selector that contains values, a key, and an operator that
754 relates the key and values.
755 properties:
756 key:
757 description: key is the label key that the selector applies to.
758 type: string
759 operator:
760 description: |-
761 operator represents a key's relationship to a set of values.
762 Valid operators are In, NotIn, Exists and DoesNotExist.
763 type: string
764 values:
765 description: |-
766 values is an array of string values. If the operator is In or NotIn,
767 the values array must be non-empty. If the operator is Exists or DoesNotExist,
768 the values array must be empty. This array is replaced during a strategic
769 merge patch.
770 items:
771 type: string
772 type: array
773 required:
774 - key
775 - operator
776 type: object
777 type: array
778 matchLabels:
779 additionalProperties:
780 type: string
781 description: |-
782 matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
783 map is equivalent to an element of matchExpressions, whose key field is "key", the
784 operator is "In", and the values array contains only "value". The requirements are ANDed.
785 type: object
786 type: object
787 x-kubernetes-map-type: atomic
788 namespaceSelectors:
                description: A list of label selectors used to find the Namespaces to create the ExternalSecrets in. The selectors are ORed; note that an empty selector matches every Namespace, so the ExternalSecret would be provisioned cluster-wide.
790 items:
791 description: |-
792 A label selector is a label query over a set of resources. The result of matchLabels and
793 matchExpressions are ANDed. An empty label selector matches all objects. A null
794 label selector matches no objects.
795 properties:
796 matchExpressions:
797 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
798 items:
799 description: |-
800 A label selector requirement is a selector that contains values, a key, and an operator that
801 relates the key and values.
802 properties:
803 key:
804 description: key is the label key that the selector applies to.
805 type: string
806 operator:
807 description: |-
808 operator represents a key's relationship to a set of values.
809 Valid operators are In, NotIn, Exists and DoesNotExist.
810 type: string
811 values:
812 description: |-
813 values is an array of string values. If the operator is In or NotIn,
814 the values array must be non-empty. If the operator is Exists or DoesNotExist,
815 the values array must be empty. This array is replaced during a strategic
816 merge patch.
817 items:
818 type: string
819 type: array
820 required:
821 - key
822 - operator
823 type: object
824 type: array
825 matchLabels:
826 additionalProperties:
827 type: string
828 description: |-
829 matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
830 map is equivalent to an element of matchExpressions, whose key field is "key", the
831 operator is "In", and the values array contains only "value". The requirements are ANDed.
832 type: object
833 type: object
834 x-kubernetes-map-type: atomic
835 type: array
836 namespaces:
837 description: Choose namespaces by name. This field is ORed with anything that NamespaceSelector ends up choosing.
838 items:
839 type: string
840 type: array
841 refreshTime:
842 description: The time in which the controller should reconcile its objects and recheck namespaces for labels.
843 type: string
844 required:
845 - externalSecretSpec
846 type: object
847 status:
848 description: ClusterExternalSecretStatus defines the observed state of ClusterExternalSecret.
849 properties:
850 conditions:
851 items:
852 properties:
853 message:
854 type: string
855 status:
856 type: string
857 type:
858 type: string
859 required:
860 - status
861 - type
862 type: object
863 type: array
864 externalSecretName:
865 description: ExternalSecretName is the name of the ExternalSecrets created by the ClusterExternalSecret
866 type: string
867 failedNamespaces:
868 description: Failed namespaces are the namespaces that failed to apply an ExternalSecret
869 items:
870 description: ClusterExternalSecretNamespaceFailure represents a failed namespace deployment and it's reason.
871 properties:
872 namespace:
873 description: Namespace is the namespace that failed when trying to apply an ExternalSecret
874 type: string
875 reason:
876 description: Reason is why the ExternalSecret failed to apply to the namespace
877 type: string
878 required:
879 - namespace
880 type: object
881 type: array
882 provisionedNamespaces:
883 description: ProvisionedNamespaces are the namespaces where the ClusterExternalSecret has secrets
884 items:
885 type: string
886 type: array
887 type: object
888 type: object
889 served: true
890 storage: true
891 subresources:
892 status: {}
893 conversion:
894 strategy: Webhook
895 webhook:
896 conversionReviewVersions:
897 - v1
898 clientConfig:
899 service:
900 name: external-secrets-webhook
901 namespace: "default"
902 path: /convert
903---
904# Source: external-secrets/templates/crds/clustersecretstore.yaml
905apiVersion: apiextensions.k8s.io/v1
906kind: CustomResourceDefinition
907metadata:
908 annotations:
909 controller-gen.kubebuilder.io/version: v0.14.0
910 name: clustersecretstores.external-secrets.io
911spec:
912 group: external-secrets.io
913 names:
914 categories:
915 - externalsecrets
916 kind: ClusterSecretStore
917 listKind: ClusterSecretStoreList
918 plural: clustersecretstores
919 shortNames:
920 - css
921 singular: clustersecretstore
922 scope: Cluster
923 versions:
924 - additionalPrinterColumns:
925 - jsonPath: .metadata.creationTimestamp
926 name: AGE
927 type: date
928 - jsonPath: .status.conditions[?(@.type=="Ready")].reason
929 name: Status
930 type: string
931 deprecated: true
932 name: v1alpha1
933 schema:
934 openAPIV3Schema:
935 description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
936 properties:
937 apiVersion:
938 description: |-
939 APIVersion defines the versioned schema of this representation of an object.
940 Servers should convert recognized schemas to the latest internal value, and
941 may reject unrecognized values.
942 More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
943 type: string
944 kind:
945 description: |-
946 Kind is a string value representing the REST resource this object represents.
947 Servers may infer this from the endpoint the client submits requests to.
948 Cannot be updated.
949 In CamelCase.
950 More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
951 type: string
952 metadata:
953 type: object
954 spec:
955 description: SecretStoreSpec defines the desired state of SecretStore.
956 properties:
957 controller:
958 description: |-
959 Used to select the correct ESO controller (think: ingress.ingressClassName)
960 The ESO controller is instantiated with a specific controller name and filters ES based on this property
961 type: string
962 provider:
963 description: Used to configure the provider. Only one provider may be set
964 maxProperties: 1
965 minProperties: 1
966 properties:
967 akeyless:
968 description: Akeyless configures this store to sync secrets using Akeyless Vault provider
969 properties:
970 akeylessGWApiURL:
971 description: Akeyless GW API Url from which the secrets to be fetched from.
972 type: string
973 authSecretRef:
974 description: Auth configures how the operator authenticates with Akeyless.
975 properties:
976 kubernetesAuth:
977 description: |-
978 Kubernetes authenticates with Akeyless by passing the ServiceAccount
979 token stored in the named Secret resource.
980 properties:
981 accessID:
982 description: the Akeyless Kubernetes auth-method access-id
983 type: string
984 k8sConfName:
985 description: Kubernetes-auth configuration name in Akeyless-Gateway
986 type: string
987 secretRef:
988 description: |-
989 Optional secret field containing a Kubernetes ServiceAccount JWT used
990 for authenticating with Akeyless. If a name is specified without a key,
991 `token` is the default. If one is not specified, the one bound to
992 the controller will be used.
993 properties:
994 key:
995 description: |-
996 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
997 defaulted, in others it may be required.
998 type: string
999 name:
1000 description: The name of the Secret resource being referred to.
1001 type: string
1002 namespace:
1003 description: |-
1004 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
1005 to the namespace of the referent.
1006 type: string
1007 type: object
1008 serviceAccountRef:
1009 description: |-
1010 Optional service account field containing the name of a kubernetes ServiceAccount.
1011 If the service account is specified, the service account secret token JWT will be used
1012 for authenticating with Akeyless. If the service account selector is not supplied,
1013 the secretRef will be used instead.
1014 properties:
1015 audiences:
1016 description: |-
1017 Audience specifies the `aud` claim for the service account token
1018 If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
1019 then this audiences will be appended to the list
1020 items:
1021 type: string
1022 type: array
1023 name:
1024 description: The name of the ServiceAccount resource being referred to.
1025 type: string
1026 namespace:
1027 description: |-
1028 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
1029 to the namespace of the referent.
1030 type: string
1031 required:
1032 - name
1033 type: object
1034 required:
1035 - accessID
1036 - k8sConfName
1037 type: object
1038 secretRef:
1039 description: |-
1040 Reference to a Secret that contains the details
1041 to authenticate with Akeyless.
1042 properties:
1043 accessID:
1044 description: The SecretAccessID is used for authentication
1045 properties:
1046 key:
1047 description: |-
1048 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
1049 defaulted, in others it may be required.
1050 type: string
1051 name:
1052 description: The name of the Secret resource being referred to.
1053 type: string
1054 namespace:
1055 description: |-
1056 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
1057 to the namespace of the referent.
1058 type: string
1059 type: object
1060 accessType:
1061 description: |-
1062 A reference to a specific 'key' within a Secret resource,
1063 In some instances, `key` is a required field.
1064 properties:
1065 key:
1066 description: |-
1067 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
1068 defaulted, in others it may be required.
1069 type: string
1070 name:
1071 description: The name of the Secret resource being referred to.
1072 type: string
1073 namespace:
1074 description: |-
1075 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
1076 to the namespace of the referent.
1077 type: string
1078 type: object
1079 accessTypeParam:
1080 description: |-
1081 A reference to a specific 'key' within a Secret resource,
1082 In some instances, `key` is a required field.
1083 properties:
1084 key:
1085 description: |-
1086 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
1087 defaulted, in others it may be required.
1088 type: string
1089 name:
1090 description: The name of the Secret resource being referred to.
1091 type: string
1092 namespace:
1093 description: |-
1094 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
1095 to the namespace of the referent.
1096 type: string
1097 type: object
1098 type: object
1099 type: object
1100 caBundle:
1101 description: |-
1102 PEM/base64-encoded CA bundle used to validate the Akeyless Gateway certificate. Only used
1103 when akeylessGWApiURL uses the HTTPS scheme; if not set, the system root certificates
1104 are used to validate the TLS connection. Use an HTTPS URL: over plain HTTP the access credentials and the fetched secrets are transmitted unencrypted.
1105 format: byte
1106 type: string
1107 caProvider:
1108 description: The provider for the CA bundle to use to validate Akeyless Gateway certificate.
1109 properties:
1110 key:
1111 description: The key inside the referenced object whose value is used; only used with the "Secret" type
1112 type: string
1113 name:
1114 description: The name of the object located at the provider type.
1115 type: string
1116 namespace:
1117 description: The namespace the Provider type is in.
1118 type: string
1119 type:
1120 description: The type of provider to use such as "Secret", or "ConfigMap".
1121 enum:
1122 - Secret
1123 - ConfigMap
1124 type: string
1125 required:
1126 - name
1127 - type
1128 type: object
1129 required:
1130 - akeylessGWApiURL
1131 - authSecretRef
1132 type: object
1133 alibaba:
1134 description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
1135 properties:
1136 auth:
1137 description: AlibabaAuth contains a secretRef for credentials.
1138 properties:
1139 rrsa:
1140 description: Authenticate against Alibaba using RRSA.
1141 properties:
1142 oidcProviderArn:
1143 type: string
1144 oidcTokenFilePath:
1145 type: string
1146 roleArn:
1147 type: string
1148 sessionName:
1149 type: string
1150 required:
1151 - oidcProviderArn
1152 - oidcTokenFilePath
1153 - roleArn
1154 - sessionName
1155 type: object
1156 secretRef:
1157 description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
1158 properties:
1159 accessKeyIDSecretRef:
1160 description: The AccessKeyID is used for authentication
1161 properties:
1162 key:
1163 description: |-
1164 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
1165 defaulted, in others it may be required.
1166 type: string
1167 name:
1168 description: The name of the Secret resource being referred to.
1169 type: string
1170 namespace:
1171 description: |-
1172 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
1173 to the namespace of the referent.
1174 type: string
1175 type: object
1176 accessKeySecretSecretRef:
1177 description: The AccessKeySecret is used for authentication
1178 properties:
1179 key:
1180 description: |-
1181 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
1182 defaulted, in others it may be required.
1183 type: string
1184 name:
1185 description: The name of the Secret resource being referred to.
1186 type: string
1187 namespace:
1188 description: |-
1189 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
1190 to the namespace of the referent.
1191 type: string
1192 type: object
1193 required:
1194 - accessKeyIDSecretRef
1195 - accessKeySecretSecretRef
1196 type: object
1197 type: object
1198 regionID:
1199 description: Alibaba Region to be used for the provider
1200 type: string
1201 required:
1202 - auth
1203 - regionID
1204 type: object
1205 aws:
1206 description: AWS configures this store to sync secrets using AWS Secret Manager provider
1207 properties:
1208 auth:
1209 description: |-
1210 Auth defines the information necessary to authenticate against AWS.
1211 If not set, the AWS SDK infers credentials from the controller's own environment (e.g. env vars, a pod identity or an instance role), so the store then operates with the controller's privileges;
1212 see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
1213 properties:
1214 jwt:
1215 description: Authenticate against AWS using service account tokens.
1216 properties:
1217 serviceAccountRef:
1218 description: A reference to a ServiceAccount resource.
1219 properties:
1220 audiences:
1221 description: |-
1222 Audiences specifies the `aud` claim(s) of the requested service account token.
1223 If the service account carries a well-known annotation (e.g. for IRSA or GCP Workload Identity),
1224 these audiences are appended to the audiences derived from that annotation. Keep the list as narrow as possible: a token is accepted by every service that trusts any of its audiences.
1225 items:
1226 type: string
1227 type: array
1228 name:
1229 description: The name of the ServiceAccount resource being referred to.
1230 type: string
1231 namespace:
1232 description: |-
1233 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
1234 to the namespace of the referent.
1235 type: string
1236 required:
1237 - name
1238 type: object
1239 type: object
1240 secretRef:
1241 description: |-
1242 AWSAuthSecretRef holds secret references for AWS credentials
1243 both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
1244 properties:
1245 accessKeyIDSecretRef:
1246 description: The AccessKeyID is used for authentication
1247 properties:
1248 key:
1249 description: |-
1250 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
1251 defaulted, in others it may be required.
1252 type: string
1253 name:
1254 description: The name of the Secret resource being referred to.
1255 type: string
1256 namespace:
1257 description: |-
1258 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
1259 to the namespace of the referent.
1260 type: string
1261 type: object
1262 secretAccessKeySecretRef:
1263 description: The SecretAccessKey is used for authentication
1264 properties:
1265 key:
1266 description: |-
1267 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
1268 defaulted, in others it may be required.
1269 type: string
1270 name:
1271 description: The name of the Secret resource being referred to.
1272 type: string
1273 namespace:
1274 description: |-
1275 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
1276 to the namespace of the referent.
1277 type: string
1278 type: object
1279 type: object
1280 type: object
1281 region:
1282 description: AWS Region to be used for the provider
1283 type: string
1284 role:
1285 description: Role is a Role ARN which the SecretManager provider will assume
1286 type: string
1287 service:
1288 description: Service defines which service should be used to fetch the secrets
1289 enum:
1290 - SecretsManager
1291 - ParameterStore
1292 type: string
1293 required:
1294 - region
1295 - service
1296 type: object
1297 azurekv:
1298 description: AzureKV configures this store to sync secrets using Azure Key Vault provider
1299 properties:
1300 authSecretRef:
1301 description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type.
1302 properties:
1303 clientId:
1304 description: The Azure clientId of the service principal used for authentication.
1305 properties:
1306 key:
1307 description: |-
1308 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
1309 defaulted, in others it may be required.
1310 type: string
1311 name:
1312 description: The name of the Secret resource being referred to.
1313 type: string
1314 namespace:
1315 description: |-
1316 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
1317 to the namespace of the referent.
1318 type: string
1319 type: object
1320 clientSecret:
1321 description: The Azure ClientSecret of the service principal used for authentication.
1322 properties:
1323 key:
1324 description: |-
1325 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
1326 defaulted, in others it may be required.
1327 type: string
1328 name:
1329 description: The name of the Secret resource being referred to.
1330 type: string
1331 namespace:
1332 description: |-
1333 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
1334 to the namespace of the referent.
1335 type: string
1336 type: object
1337 type: object
1338 authType:
1339 default: ServicePrincipal
1340 description: |-
1341 Auth type defines how to authenticate to the Key Vault service.
1342 Valid values are:
1343 - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
1344 - "ManagedIdentity": Using a Managed Identity assigned to the pod (see aad-pod-identity)
- "WorkloadIdentity": Using Azure Workload Identity with the Kubernetes service account referenced by serviceAccountRef
1345 enum:
1346 - ServicePrincipal
1347 - ManagedIdentity
1348 - WorkloadIdentity
1349 type: string
1350 identityId:
1351 description: If multiple Managed Identities are assigned to the pod, identityId selects the one to use.
1352 type: string
1353 serviceAccountRef:
1354 description: |-
1355 ServiceAccountRef specifies the service account
1356 that should be used when authenticating with WorkloadIdentity.
1357 properties:
1358 audiences:
1359 description: |-
1360 Audiences specifies the `aud` claim(s) of the requested service account token.
1361 If the service account carries a well-known annotation (e.g. for IRSA or GCP Workload Identity),
1362 these audiences are appended to the audiences derived from that annotation. Keep the list as narrow as possible: a token is accepted by every service that trusts any of its audiences.
1363 items:
1364 type: string
1365 type: array
1366 name:
1367 description: The name of the ServiceAccount resource being referred to.
1368 type: string
1369 namespace:
1370 description: |-
1371 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
1372 to the namespace of the referent.
1373 type: string
1374 required:
1375 - name
1376 type: object
1377 tenantId:
1378 description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
1379 type: string
1380 vaultUrl:
1381 description: URL of the Key Vault from which secrets are fetched.
1382 type: string
1383 required:
1384 - vaultUrl
1385 type: object
1386 fake:
1387 description: Fake configures a store with static key/value pairs. The values are stored in plain text in the store object itself, so this provider is suited to testing, not to holding real secrets.
1388 properties:
1389 data:
1390 items:
1391 properties:
1392 key:
1393 type: string
1394 value:
1395 type: string
1396 valueMap:
1397 additionalProperties:
1398 type: string
1399 type: object
1400 version:
1401 type: string
1402 required:
1403 - key
1404 type: object
1405 type: array
1406 required:
1407 - data
1408 type: object
1409 gcpsm:
1410 description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
1411 properties:
1412 auth:
1413 description: Auth defines the information necessary to authenticate against GCP
1414 properties:
1415 secretRef:
1416 properties:
1417 secretAccessKeySecretRef:
1418 description: The SecretAccessKey is used for authentication
1419 properties:
1420 key:
1421 description: |-
1422 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
1423 defaulted, in others it may be required.
1424 type: string
1425 name:
1426 description: The name of the Secret resource being referred to.
1427 type: string
1428 namespace:
1429 description: |-
1430 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
1431 to the namespace of the referent.
1432 type: string
1433 type: object
1434 type: object
1435 workloadIdentity:
1436 properties:
1437 clusterLocation:
1438 type: string
1439 clusterName:
1440 type: string
1441 clusterProjectID:
1442 type: string
1443 serviceAccountRef:
1444 description: A reference to a ServiceAccount resource.
1445 properties:
1446 audiences:
1447 description: |-
1448 Audiences specifies the `aud` claim(s) of the requested service account token.
1449 If the service account carries a well-known annotation (e.g. for IRSA or GCP Workload Identity),
1450 these audiences are appended to the audiences derived from that annotation. Keep the list as narrow as possible: a token is accepted by every service that trusts any of its audiences.
1451 items:
1452 type: string
1453 type: array
1454 name:
1455 description: The name of the ServiceAccount resource being referred to.
1456 type: string
1457 namespace:
1458 description: |-
1459 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
1460 to the namespace of the referent.
1461 type: string
1462 required:
1463 - name
1464 type: object
1465 required:
1466 - clusterLocation
1467 - clusterName
1468 - serviceAccountRef
1469 type: object
1470 type: object
1471 projectID:
1472 description: ProjectID project where secret is located
1473 type: string
1474 type: object
1475 gitlab:
1476 description: GitLab configures this store to sync secrets using GitLab Variables provider
1477 properties:
1478 auth:
1479 description: Auth configures how secret-manager authenticates with a GitLab instance.
1480 properties:
1481 SecretRef:
1482 properties:
1483 accessToken:
1484 description: AccessToken is used for authentication.
1485 properties:
1486 key:
1487 description: |-
1488 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
1489 defaulted, in others it may be required.
1490 type: string
1491 name:
1492 description: The name of the Secret resource being referred to.
1493 type: string
1494 namespace:
1495 description: |-
1496 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
1497 to the namespace of the referent.
1498 type: string
1499 type: object
1500 type: object
1501 required:
1502 - SecretRef
1503 type: object
1504 projectID:
1505 description: ProjectID specifies a project where secrets are located.
1506 type: string
1507 url:
1508 description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
1509 type: string
1510 required:
1511 - auth
1512 type: object
1513 ibm:
1514 description: IBM configures this store to sync secrets using IBM Cloud provider
1515 properties:
1516 auth:
1517 description: Auth configures how secret-manager authenticates with the IBM secrets manager.
1518 properties:
1519 secretRef:
1520 properties:
1521 secretApiKeySecretRef:
1522 description: The IBM Cloud API key used for authentication.
1523 properties:
1524 key:
1525 description: |-
1526 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
1527 defaulted, in others it may be required.
1528 type: string
1529 name:
1530 description: The name of the Secret resource being referred to.
1531 type: string
1532 namespace:
1533 description: |-
1534 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
1535 to the namespace of the referent.
1536 type: string
1537 type: object
1538 type: object
1539 required:
1540 - secretRef
1541 type: object
1542 serviceUrl:
1543 description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
1544 type: string
1545 required:
1546 - auth
1547 type: object
1548 kubernetes:
1549 description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
1550 properties:
1551 auth:
1552 description: Auth configures how secret-manager authenticates with a Kubernetes instance.
1553 maxProperties: 1
1554 minProperties: 1
1555 properties:
1556 cert:
1557 description: Client-certificate authentication; both clientCert and clientKey are SecretKeySelectors.
1558 properties:
1559 clientCert:
1560 description: |-
1561 A reference to a specific 'key' within a Secret resource,
1562 In some instances, `key` is a required field.
1563 properties:
1564 key:
1565 description: |-
1566 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
1567 defaulted, in others it may be required.
1568 type: string
1569 name:
1570 description: The name of the Secret resource being referred to.
1571 type: string
1572 namespace:
1573 description: |-
1574 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
1575 to the namespace of the referent.
1576 type: string
1577 type: object
1578 clientKey:
1579 description: |-
1580 A reference to a specific 'key' within a Secret resource,
1581 In some instances, `key` is a required field.
1582 properties:
1583 key:
1584 description: |-
1585 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
1586 defaulted, in others it may be required.
1587 type: string
1588 name:
1589 description: The name of the Secret resource being referred to.
1590 type: string
1591 namespace:
1592 description: |-
1593 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
1594 to the namespace of the referent.
1595 type: string
1596 type: object
1597 type: object
1598 serviceAccount:
1599 description: points to a service account that should be used for authentication
1600 properties:
1601 serviceAccount:
1602 description: A reference to a ServiceAccount resource.
1603 properties:
1604 audiences:
1605 description: |-
1606 Audiences specifies the `aud` claim(s) of the requested service account token.
1607 If the service account carries a well-known annotation (e.g. for IRSA or GCP Workload Identity),
1608 these audiences are appended to the audiences derived from that annotation. Keep the list as narrow as possible: a token is accepted by every service that trusts any of its audiences.
1609 items:
1610 type: string
1611 type: array
1612 name:
1613 description: The name of the ServiceAccount resource being referred to.
1614 type: string
1615 namespace:
1616 description: |-
1617 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
1618 to the namespace of the referent.
1619 type: string
1620 required:
1621 - name
1622 type: object
1623 type: object
1624 token:
1625 description: Authenticate with a static bearer token read from a Secret. Such a token does not expire or rotate on its own; prefer the serviceAccount option where possible.
1626 properties:
1627 bearerToken:
1628 description: |-
1629 A reference to a specific 'key' within a Secret resource,
1630 In some instances, `key` is a required field.
1631 properties:
1632 key:
1633 description: |-
1634 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
1635 defaulted, in others it may be required.
1636 type: string
1637 name:
1638 description: The name of the Secret resource being referred to.
1639 type: string
1640 namespace:
1641 description: |-
1642 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
1643 to the namespace of the referent.
1644 type: string
1645 type: object
1646 type: object
1647 type: object
1648 remoteNamespace:
1649 default: default
1650 description: Remote namespace to fetch the secrets from
1651 type: string
1652 server:
1653 description: configures the Kubernetes server Address.
1654 properties:
1655 caBundle:
1656 description: CABundle is a base64-encoded CA certificate
1657 format: byte
1658 type: string
1659 caProvider:
1660 description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
1661 properties:
1662 key:
1663 description: The key inside the referenced object whose value is used; only used with the "Secret" type
1664 type: string
1665 name:
1666 description: The name of the object located at the provider type.
1667 type: string
1668 namespace:
1669 description: The namespace the Provider type is in.
1670 type: string
1671 type:
1672 description: The type of provider to use such as "Secret", or "ConfigMap".
1673 enum:
1674 - Secret
1675 - ConfigMap
1676 type: string
1677 required:
1678 - name
1679 - type
1680 type: object
1681 url:
1682 default: kubernetes.default
1683 description: Address of the Kubernetes API server; defaults to the in-cluster service name kubernetes.default.
1684 type: string
1685 type: object
1686 required:
1687 - auth
1688 type: object
1689 oracle:
1690 description: Oracle configures this store to sync secrets using Oracle Vault provider
1691 properties:
1692 auth:
1693 description: |-
1694 Auth configures how secret-manager authenticates with the Oracle Vault.
1695 If empty, instance principal is used. Optionally, the authenticating principal type
1696 and/or user data may be supplied for the use of workload identity and user principal.
1697 properties:
1698 secretRef:
1699 description: SecretRef to pass through sensitive information.
1700 properties:
1701 fingerprint:
1702 description: Fingerprint is the fingerprint of the API private key.
1703 properties:
1704 key:
1705 description: |-
1706 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
1707 defaulted, in others it may be required.
1708 type: string
1709 name:
1710 description: The name of the Secret resource being referred to.
1711 type: string
1712 namespace:
1713 description: |-
1714 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
1715 to the namespace of the referent.
1716 type: string
1717 type: object
1718 privatekey:
1719 description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
1720 properties:
1721 key:
1722 description: |-
1723 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
1724 defaulted, in others it may be required.
1725 type: string
1726 name:
1727 description: The name of the Secret resource being referred to.
1728 type: string
1729 namespace:
1730 description: |-
1731 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
1732 to the namespace of the referent.
1733 type: string
1734 type: object
1735 required:
1736 - fingerprint
1737 - privatekey
1738 type: object
1739 tenancy:
1740 description: Tenancy is the tenancy OCID where user is located.
1741 type: string
1742 user:
1743 description: User is an access OCID specific to the account.
1744 type: string
1745 required:
1746 - secretRef
1747 - tenancy
1748 - user
1749 type: object
1750 compartment:
1751 description: |-
1752 Compartment is the vault compartment OCID.
1753 Required for PushSecret
1754 type: string
1755 encryptionKey:
1756 description: |-
1757 EncryptionKey is the OCID of the encryption key within the vault.
1758 Required for PushSecret
1759 type: string
1760 principalType:
1761 description: |-
1762 The type of principal to use for authentication. If left blank, the Auth struct will
1763 determine the principal type. This optional field must be specified if using
1764 workload identity.
1765 enum:
1766 - ""
1767 - UserPrincipal
1768 - InstancePrincipal
1769 - Workload
1770 type: string
1771 region:
1772 description: Region is the region where vault is located.
1773 type: string
1774 serviceAccountRef:
1775 description: |-
1776 ServiceAccountRef specifies the service account
1777 that should be used when authenticating with WorkloadIdentity.
1778 properties:
1779 audiences:
1780 description: |-
1781 Audiences specifies the `aud` claim(s) of the requested service account token.
1782 If the service account carries a well-known annotation (e.g. for IRSA or GCP Workload Identity),
1783 these audiences are appended to the audiences derived from that annotation. Keep the list as narrow as possible: a token is accepted by every service that trusts any of its audiences.
1784 items:
1785 type: string
1786 type: array
1787 name:
1788 description: The name of the ServiceAccount resource being referred to.
1789 type: string
1790 namespace:
1791 description: |-
1792 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
1793 to the namespace of the referent.
1794 type: string
1795 required:
1796 - name
1797 type: object
1798 vault:
1799 description: Vault is the vault's OCID of the specific vault where secret is located.
1800 type: string
1801 required:
1802 - region
1803 - vault
1804 type: object
1805 passworddepot:
1806 description: Configures a store to sync secrets with a Password Depot instance.
1807 properties:
1808 auth:
1809 description: Auth configures how secret-manager authenticates with a Password Depot instance.
1810 properties:
1811 secretRef:
1812 properties:
1813 credentials:
1814 description: Username / Password is used for authentication.
1815 properties:
1816 key:
1817 description: |-
1818 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
1819 defaulted, in others it may be required.
1820 type: string
1821 name:
1822 description: The name of the Secret resource being referred to.
1823 type: string
1824 namespace:
1825 description: |-
1826 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
1827 to the namespace of the referent.
1828 type: string
1829 type: object
1830 type: object
1831 required:
1832 - secretRef
1833 type: object
1834 database:
1835 description: Database to use as source
1836 type: string
1837 host:
1838 description: Host configures the Password Depot instance URL.
1839 type: string
1840 required:
1841 - auth
1842 - database
1843 - host
1844 type: object
1845 vault:
1846 description: Vault configures this store to sync secrets using the HashiCorp Vault provider
1847 properties:
1848 auth:
1849 description: Auth configures how secret-manager authenticates with the Vault server.
1850 properties:
1851 appRole:
1852 description: |-
1853 AppRole authenticates with Vault using the App Role auth mechanism,
1854 with the role and secret stored in a Kubernetes Secret resource.
1855 properties:
1856 path:
1857 default: approle
1858 description: |-
1859 Path where the App Role authentication backend is mounted
1860 in Vault, e.g: "approle"
1861 type: string
1862 roleId:
1863 description: |-
1864 RoleID configured in the App Role authentication backend when setting
1865 up the authentication backend in Vault.
1866 type: string
1867 secretRef:
1868 description: |-
1869 Reference to a key in a Secret that contains the App Role secret used
1870 to authenticate with Vault.
1871 The `key` field must be specified and denotes which entry within the Secret
1872 resource is used as the app role secret.
1873 properties:
1874 key:
1875 description: |-
1876 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
1877 defaulted, in others it may be required.
1878 type: string
1879 name:
1880 description: The name of the Secret resource being referred to.
1881 type: string
1882 namespace:
1883 description: |-
1884 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
1885 to the namespace of the referent.
1886 type: string
1887 type: object
1888 required:
1889 - path
1890 - roleId
1891 - secretRef
1892 type: object
1893 cert:
1894 description: |-
1895 Cert authenticates with Vault's TLS certificate (cert) auth method by presenting a client certificate
1896 and its private key (clientCert and secretRef below) together with a CA certificate.
1897 properties:
1898 clientCert:
1899 description: |-
1900 ClientCert is a certificate to authenticate using the Cert Vault
1901 authentication method
1902 properties:
1903 key:
1904 description: |-
1905 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
1906 defaulted, in others it may be required.
1907 type: string
1908 name:
1909 description: The name of the Secret resource being referred to.
1910 type: string
1911 namespace:
1912 description: |-
1913 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
1914 to the namespace of the referent.
1915 type: string
1916 type: object
1917 secretRef:
1918 description: |-
1919 SecretRef to a key in a Secret resource containing client private key to
1920 authenticate with Vault using the Cert authentication method
1921 properties:
1922 key:
1923 description: |-
1924 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
1925 defaulted, in others it may be required.
1926 type: string
1927 name:
1928 description: The name of the Secret resource being referred to.
1929 type: string
1930 namespace:
1931 description: |-
1932 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
1933 to the namespace of the referent.
1934 type: string
1935 type: object
1936 type: object
1937 jwt:
1938 description: |-
1939 Jwt authenticates with Vault by passing role and JWT token using the
1940 JWT/OIDC authentication method
1941 properties:
1942 kubernetesServiceAccountToken:
1943 description: |-
1944 Optional ServiceAccountToken specifies the Kubernetes service account for which to request
1945 a token for with the `TokenRequest` API.
1946 properties:
1947 audiences:
1948 description: |-
1949 Optional audiences field that will be used to request a temporary Kubernetes service
1950 account token for the service account referenced by `serviceAccountRef`.
1951 Defaults to a single audience `vault` if not specified.
1952 items:
1953 type: string
1954 type: array
1955 expirationSeconds:
1956 description: |-
1957 Optional expiration time in seconds that will be used to request a temporary
1958 Kubernetes service account token for the service account referenced by
1959 `serviceAccountRef`.
1960 Defaults to 10 minutes. Keep it short: the token is only needed for the login exchange, and a shorter lifetime limits how long a leaked token stays usable.
1961 format: int64
1962 type: integer
1963 serviceAccountRef:
1964 description: Service account field containing the name of a kubernetes ServiceAccount.
1965 properties:
1966 audiences:
1967 description: |-
1968 Audiences specifies the `aud` claim(s) of the requested service account token.
1969 If the service account carries a well-known annotation (e.g. for IRSA or GCP Workload Identity),
1970 these audiences are appended to the audiences derived from that annotation. Keep the list as narrow as possible: a token is accepted by every service that trusts any of its audiences.
1971 items:
1972 type: string
1973 type: array
1974 name:
1975 description: The name of the ServiceAccount resource being referred to.
1976 type: string
1977 namespace:
1978 description: |-
1979 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
1980 to the namespace of the referent.
1981 type: string
1982 required:
1983 - name
1984 type: object
1985 required:
1986 - serviceAccountRef
1987 type: object
1988 path:
1989 default: jwt
1990 description: |-
1991 Path where the JWT authentication backend is mounted
1992 in Vault, e.g: "jwt"
1993 type: string
1994 role:
1995 description: |-
1996 Role is a JWT role to authenticate using the JWT/OIDC Vault
1997 authentication method
1998 type: string
1999 secretRef:
2000 description: |-
2001 Optional SecretRef that refers to a key in a Secret resource containing JWT token to
2002 authenticate with Vault using the JWT/OIDC authentication method.
2003 properties:
2004 key:
2005 description: |-
2006 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
2007 defaulted, in others it may be required.
2008 type: string
2009 name:
2010 description: The name of the Secret resource being referred to.
2011 type: string
2012 namespace:
2013 description: |-
2014 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
2015 to the namespace of the referent.
2016 type: string
2017 type: object
2018 required:
2019 - path
2020 type: object
2021 kubernetes:
2022 description: |-
2023 Kubernetes authenticates with Vault by passing the ServiceAccount
2024 token stored in the named Secret resource to the Vault server.
2025 properties:
2026 mountPath:
2027 default: kubernetes
2028 description: |-
2029 Path where the Kubernetes authentication backend is mounted in Vault, e.g:
2030 "kubernetes"
2031 type: string
2032 role:
2033 description: |-
2034 A required field containing the Vault Role to assume. A Role binds a
2035 Kubernetes ServiceAccount with a set of Vault policies.
2036 type: string
2037 secretRef:
2038 description: |-
2039 Optional secret field containing a Kubernetes ServiceAccount JWT used
2040 for authenticating with Vault. If a name is specified without a key,
2041 `token` is the default. If one is not specified, the one bound to
2042 the controller will be used.
2043 properties:
2044 key:
2045 description: |-
2046 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
2047 defaulted, in others it may be required.
2048 type: string
2049 name:
2050 description: The name of the Secret resource being referred to.
2051 type: string
2052 namespace:
2053 description: |-
2054 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
2055 to the namespace of the referent.
2056 type: string
2057 type: object
2058 serviceAccountRef:
2059 description: |-
2060 Optional service account field containing the name of a kubernetes ServiceAccount.
2061 If the service account is specified, the service account secret token JWT will be used
2062 for authenticating with Vault. If the service account selector is not supplied,
2063 the secretRef will be used instead.
2064 properties:
2065 audiences:
2066 description: |-
2067 Audience specifies the `aud` claim for the service account token.
2068 If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity,
2069 then these audiences will be appended to the list.
2070 items:
2071 type: string
2072 type: array
2073 name:
2074 description: The name of the ServiceAccount resource being referred to.
2075 type: string
2076 namespace:
2077 description: |-
2078 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
2079 to the namespace of the referent.
2080 type: string
2081 required:
2082 - name
2083 type: object
2084 required:
2085 - mountPath
2086 - role
2087 type: object
2088 ldap:
2089 description: |-
2090 Ldap authenticates with Vault by passing username/password pair using
2091 the LDAP authentication method
2092 properties:
2093 path:
2094 default: ldap
2095 description: |-
2096 Path where the LDAP authentication backend is mounted
2097 in Vault, e.g: "ldap"
2098 type: string
2099 secretRef:
2100 description: |-
2101 SecretRef to a key in a Secret resource containing password for the LDAP
2102 user used to authenticate with Vault using the LDAP authentication
2103 method
2104 properties:
2105 key:
2106 description: |-
2107 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
2108 defaulted, in others it may be required.
2109 type: string
2110 name:
2111 description: The name of the Secret resource being referred to.
2112 type: string
2113 namespace:
2114 description: |-
2115 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
2116 to the namespace of the referent.
2117 type: string
2118 type: object
2119 username:
2120 description: |-
2121 Username is a LDAP user name used to authenticate using the LDAP Vault
2122 authentication method
2123 type: string
2124 required:
2125 - path
2126 - username
2127 type: object
2128 tokenSecretRef:
2129 description: TokenSecretRef authenticates with Vault by presenting a token.
2130 properties:
2131 key:
2132 description: |-
2133 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
2134 defaulted, in others it may be required.
2135 type: string
2136 name:
2137 description: The name of the Secret resource being referred to.
2138 type: string
2139 namespace:
2140 description: |-
2141 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
2142 to the namespace of the referent.
2143 type: string
2144 type: object
2145 type: object
2146 caBundle:
2147 description: |-
2148 PEM encoded CA bundle used to validate Vault server certificate. Only used
2149 if the Server URL is using HTTPS protocol. This parameter is ignored for
2150 plain HTTP protocol connection. If not set the system root certificates
2151 are used to validate the TLS connection.
2152 format: byte
2153 type: string
2154 caProvider:
2155 description: The provider for the CA bundle to use to validate Vault server certificate.
2156 properties:
2157 key:
2158 description: The key of the value inside the provider type to use; only used with the "Secret" type
2159 type: string
2160 name:
2161 description: The name of the object located at the provider type.
2162 type: string
2163 namespace:
2164 description: The namespace the Provider type is in.
2165 type: string
2166 type:
2167 description: The type of provider to use such as "Secret", or "ConfigMap".
2168 enum:
2169 - Secret
2170 - ConfigMap
2171 type: string
2172 required:
2173 - name
2174 - type
2175 type: object
2176 forwardInconsistent:
2177 description: |-
2178 ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
2179 leader instead of simply retrying within a loop. This can increase performance if
2180 the option is enabled serverside.
2181 https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
2182 type: boolean
2183 namespace:
2184 description: |-
2185 Name of the vault namespace. Namespaces are a set of features within Vault Enterprise that allow
2186 Vault environments to support Secure Multi-tenancy, e.g: "ns1".
2187 More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
2188 type: string
2189 path:
2190 description: |-
2191 Path is the mount path of the Vault KV backend endpoint, e.g:
2192 "secret". The v2 KV secret engine version specific "/data" path suffix
2193 for fetching secrets from Vault is optional and will be appended
2194 if not present in specified path.
2195 type: string
2196 readYourWrites:
2197 description: |-
2198 ReadYourWrites ensures isolated read-after-write semantics by
2199 providing discovered cluster replication states in each request.
2200 More information about eventual consistency in Vault can be found here
2201 https://www.vaultproject.io/docs/enterprise/consistency
2202 type: boolean
2203 server:
2204 description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
2205 type: string
2206 version:
2207 default: v2
2208 description: |-
2209 Version is the Vault KV secret engine version. This can be either "v1" or
2210 "v2". Version defaults to "v2".
2211 enum:
2212 - v1
2213 - v2
2214 type: string
2215 required:
2216 - auth
2217 - server
2218 type: object
2219 webhook:
2220 description: Webhook configures this store to sync secrets using a generic templated webhook
2221 properties:
2222 body:
2223 description: Body
2224 type: string
2225 caBundle:
2226 description: |-
2227 PEM encoded CA bundle used to validate webhook server certificate. Only used
2228 if the Server URL is using HTTPS protocol. This parameter is ignored for
2229 plain HTTP protocol connection. If not set the system root certificates
2230 are used to validate the TLS connection.
2231 format: byte
2232 type: string
2233 caProvider:
2234 description: The provider for the CA bundle to use to validate webhook server certificate.
2235 properties:
2236 key:
2237 description: The key of the value inside the provider type to use; only used with the "Secret" type
2238 type: string
2239 name:
2240 description: The name of the object located at the provider type.
2241 type: string
2242 namespace:
2243 description: The namespace the Provider type is in.
2244 type: string
2245 type:
2246 description: The type of provider to use such as "Secret", or "ConfigMap".
2247 enum:
2248 - Secret
2249 - ConfigMap
2250 type: string
2251 required:
2252 - name
2253 - type
2254 type: object
2255 headers:
2256 additionalProperties:
2257 type: string
2258 description: Headers
2259 type: object
2260 method:
2261 description: Webhook Method
2262 type: string
2263 result:
2264 description: Result formatting
2265 properties:
2266 jsonPath:
2267 description: Json path of return value
2268 type: string
2269 type: object
2270 secrets:
2271 description: |-
2272 Secrets to fill in templates
2273 These secrets will be passed to the templating function as key value pairs under the given name
2274 items:
2275 properties:
2276 name:
2277 description: Name of this secret in templates
2278 type: string
2279 secretRef:
2280 description: Secret ref to fill in credentials
2281 properties:
2282 key:
2283 description: |-
2284 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
2285 defaulted, in others it may be required.
2286 type: string
2287 name:
2288 description: The name of the Secret resource being referred to.
2289 type: string
2290 namespace:
2291 description: |-
2292 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
2293 to the namespace of the referent.
2294 type: string
2295 type: object
2296 required:
2297 - name
2298 - secretRef
2299 type: object
2300 type: array
2301 timeout:
2302 description: Timeout
2303 type: string
2304 url:
2305 description: Webhook url to call
2306 type: string
2307 required:
2308 - result
2309 - url
2310 type: object
2311 yandexlockbox:
2312 description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
2313 properties:
2314 apiEndpoint:
2315 description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
2316 type: string
2317 auth:
2318 description: Auth defines the information necessary to authenticate against Yandex Lockbox
2319 properties:
2320 authorizedKeySecretRef:
2321 description: The authorized key used for authentication
2322 properties:
2323 key:
2324 description: |-
2325 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
2326 defaulted, in others it may be required.
2327 type: string
2328 name:
2329 description: The name of the Secret resource being referred to.
2330 type: string
2331 namespace:
2332 description: |-
2333 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
2334 to the namespace of the referent.
2335 type: string
2336 type: object
2337 type: object
2338 caProvider:
2339 description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
2340 properties:
2341 certSecretRef:
2342 description: |-
2343 A reference to a specific 'key' within a Secret resource.
2344 In some instances, `key` is a required field.
2345 properties:
2346 key:
2347 description: |-
2348 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
2349 defaulted, in others it may be required.
2350 type: string
2351 name:
2352 description: The name of the Secret resource being referred to.
2353 type: string
2354 namespace:
2355 description: |-
2356 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
2357 to the namespace of the referent.
2358 type: string
2359 type: object
2360 type: object
2361 required:
2362 - auth
2363 type: object
2364 type: object
2365 retrySettings:
2366 description: Used to configure http retries if failed
2367 properties:
2368 maxRetries:
2369 format: int32
2370 type: integer
2371 retryInterval:
2372 type: string
2373 type: object
2374 required:
2375 - provider
2376 type: object
2377 status:
2378 description: SecretStoreStatus defines the observed state of the SecretStore.
2379 properties:
2380 conditions:
2381 items:
2382 properties:
2383 lastTransitionTime:
2384 format: date-time
2385 type: string
2386 message:
2387 type: string
2388 reason:
2389 type: string
2390 status:
2391 type: string
2392 type:
2393 type: string
2394 required:
2395 - status
2396 - type
2397 type: object
2398 type: array
2399 type: object
2400 type: object
2401 served: true
2402 storage: false
2403 subresources:
2404 status: {}
2405 - additionalPrinterColumns:
2406 - jsonPath: .metadata.creationTimestamp
2407 name: AGE
2408 type: date
2409 - jsonPath: .status.conditions[?(@.type=="Ready")].reason
2410 name: Status
2411 type: string
2412 - jsonPath: .status.capabilities
2413 name: Capabilities
2414 type: string
2415 - jsonPath: .status.conditions[?(@.type=="Ready")].status
2416 name: Ready
2417 type: string
2418 name: v1beta1
2419 schema:
2420 openAPIV3Schema:
2421 description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
2422 properties:
2423 apiVersion:
2424 description: |-
2425 APIVersion defines the versioned schema of this representation of an object.
2426 Servers should convert recognized schemas to the latest internal value, and
2427 may reject unrecognized values.
2428 More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
2429 type: string
2430 kind:
2431 description: |-
2432 Kind is a string value representing the REST resource this object represents.
2433 Servers may infer this from the endpoint the client submits requests to.
2434 Cannot be updated.
2435 In CamelCase.
2436 More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
2437 type: string
2438 metadata:
2439 type: object
2440 spec:
2441 description: SecretStoreSpec defines the desired state of SecretStore.
2442 properties:
2443 conditions:
2444 description: Used to constrain a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore
2445 items:
2446 description: |-
2447 ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in
2448 for a ClusterSecretStore instance.
2449 properties:
2450 namespaceSelector:
2451 description: Choose namespace using a labelSelector
2452 properties:
2453 matchExpressions:
2454 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
2455 items:
2456 description: |-
2457 A label selector requirement is a selector that contains values, a key, and an operator that
2458 relates the key and values.
2459 properties:
2460 key:
2461 description: key is the label key that the selector applies to.
2462 type: string
2463 operator:
2464 description: |-
2465 operator represents a key's relationship to a set of values.
2466 Valid operators are In, NotIn, Exists and DoesNotExist.
2467 type: string
2468 values:
2469 description: |-
2470 values is an array of string values. If the operator is In or NotIn,
2471 the values array must be non-empty. If the operator is Exists or DoesNotExist,
2472 the values array must be empty. This array is replaced during a strategic
2473 merge patch.
2474 items:
2475 type: string
2476 type: array
2477 required:
2478 - key
2479 - operator
2480 type: object
2481 type: array
2482 matchLabels:
2483 additionalProperties:
2484 type: string
2485 description: |-
2486 matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
2487 map is equivalent to an element of matchExpressions, whose key field is "key", the
2488 operator is "In", and the values array contains only "value". The requirements are ANDed.
2489 type: object
2490 type: object
2491 x-kubernetes-map-type: atomic
2492 namespaces:
2493 description: Choose namespaces by name
2494 items:
2495 type: string
2496 type: array
2497 type: object
2498 type: array
2499 controller:
2500 description: |-
2501 Used to select the correct ESO controller (think: ingress.ingressClassName)
2502 The ESO controller is instantiated with a specific controller name and filters ES based on this property
2503 type: string
2504 provider:
2505 description: Used to configure the provider. Only one provider may be set
2506 maxProperties: 1
2507 minProperties: 1
2508 properties:
2509 akeyless:
2510 description: Akeyless configures this store to sync secrets using Akeyless Vault provider
2511 properties:
2512 akeylessGWApiURL:
2513 description: Akeyless GW API URL from which the secrets are to be fetched.
2514 type: string
2515 authSecretRef:
2516 description: Auth configures how the operator authenticates with Akeyless.
2517 properties:
2518 kubernetesAuth:
2519 description: |-
2520 Kubernetes authenticates with Akeyless by passing the ServiceAccount
2521 token stored in the named Secret resource.
2522 properties:
2523 accessID:
2524 description: the Akeyless Kubernetes auth-method access-id
2525 type: string
2526 k8sConfName:
2527 description: Kubernetes-auth configuration name in Akeyless-Gateway
2528 type: string
2529 secretRef:
2530 description: |-
2531 Optional secret field containing a Kubernetes ServiceAccount JWT used
2532 for authenticating with Akeyless. If a name is specified without a key,
2533 `token` is the default. If one is not specified, the one bound to
2534 the controller will be used.
2535 properties:
2536 key:
2537 description: |-
2538 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
2539 defaulted, in others it may be required.
2540 type: string
2541 name:
2542 description: The name of the Secret resource being referred to.
2543 type: string
2544 namespace:
2545 description: |-
2546 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
2547 to the namespace of the referent.
2548 type: string
2549 type: object
2550 serviceAccountRef:
2551 description: |-
2552 Optional service account field containing the name of a kubernetes ServiceAccount.
2553 If the service account is specified, the service account secret token JWT will be used
2554 for authenticating with Akeyless. If the service account selector is not supplied,
2555 the secretRef will be used instead.
2556 properties:
2557 audiences:
2558 description: |-
2559 Audience specifies the `aud` claim for the service account token.
2560 If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity,
2561 then these audiences will be appended to the list.
2562 items:
2563 type: string
2564 type: array
2565 name:
2566 description: The name of the ServiceAccount resource being referred to.
2567 type: string
2568 namespace:
2569 description: |-
2570 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
2571 to the namespace of the referent.
2572 type: string
2573 required:
2574 - name
2575 type: object
2576 required:
2577 - accessID
2578 - k8sConfName
2579 type: object
2580 secretRef:
2581 description: |-
2582 Reference to a Secret that contains the details
2583 to authenticate with Akeyless.
2584 properties:
2585 accessID:
2586 description: The SecretAccessID is used for authentication
2587 properties:
2588 key:
2589 description: |-
2590 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
2591 defaulted, in others it may be required.
2592 type: string
2593 name:
2594 description: The name of the Secret resource being referred to.
2595 type: string
2596 namespace:
2597 description: |-
2598 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
2599 to the namespace of the referent.
2600 type: string
2601 type: object
2602 accessType:
2603 description: |-
2604 A reference to a specific 'key' within a Secret resource.
2605 In some instances, `key` is a required field.
2606 properties:
2607 key:
2608 description: |-
2609 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
2610 defaulted, in others it may be required.
2611 type: string
2612 name:
2613 description: The name of the Secret resource being referred to.
2614 type: string
2615 namespace:
2616 description: |-
2617 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
2618 to the namespace of the referent.
2619 type: string
2620 type: object
2621 accessTypeParam:
2622 description: |-
2623 A reference to a specific 'key' within a Secret resource.
2624 In some instances, `key` is a required field.
2625 properties:
2626 key:
2627 description: |-
2628 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
2629 defaulted, in others it may be required.
2630 type: string
2631 name:
2632 description: The name of the Secret resource being referred to.
2633 type: string
2634 namespace:
2635 description: |-
2636 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
2637 to the namespace of the referent.
2638 type: string
2639 type: object
2640 type: object
2641 type: object
2642 caBundle:
2643 description: |-
2644 PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used
2645 if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates
2646 are used to validate the TLS connection.
2647 format: byte
2648 type: string
2649 caProvider:
2650 description: The provider for the CA bundle to use to validate Akeyless Gateway certificate.
2651 properties:
2652 key:
2653 description: The key where the CA certificate can be found in the Secret or ConfigMap.
2654 type: string
2655 name:
2656 description: The name of the object located at the provider type.
2657 type: string
2658 namespace:
2659 description: |-
2660 The namespace the Provider type is in.
2661 Can only be defined when used in a ClusterSecretStore.
2662 type: string
2663 type:
2664 description: The type of provider to use such as "Secret", or "ConfigMap".
2665 enum:
2666 - Secret
2667 - ConfigMap
2668 type: string
2669 required:
2670 - name
2671 - type
2672 type: object
2673 required:
2674 - akeylessGWApiURL
2675 - authSecretRef
2676 type: object
2677 alibaba:
2678 description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
2679 properties:
2680 auth:
2681 description: AlibabaAuth contains a secretRef for credentials.
2682 properties:
2683 rrsa:
2684 description: Authenticate against Alibaba using RRSA.
2685 properties:
2686 oidcProviderArn:
2687 type: string
2688 oidcTokenFilePath:
2689 type: string
2690 roleArn:
2691 type: string
2692 sessionName:
2693 type: string
2694 required:
2695 - oidcProviderArn
2696 - oidcTokenFilePath
2697 - roleArn
2698 - sessionName
2699 type: object
2700 secretRef:
2701 description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
2702 properties:
2703 accessKeyIDSecretRef:
2704 description: The AccessKeyID is used for authentication
2705 properties:
2706 key:
2707 description: |-
2708 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
2709 defaulted, in others it may be required.
2710 type: string
2711 name:
2712 description: The name of the Secret resource being referred to.
2713 type: string
2714 namespace:
2715 description: |-
2716 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
2717 to the namespace of the referent.
2718 type: string
2719 type: object
2720 accessKeySecretSecretRef:
2721 description: The AccessKeySecret is used for authentication
2722 properties:
2723 key:
2724 description: |-
2725 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
2726 defaulted, in others it may be required.
2727 type: string
2728 name:
2729 description: The name of the Secret resource being referred to.
2730 type: string
2731 namespace:
2732 description: |-
2733 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
2734 to the namespace of the referent.
2735 type: string
2736 type: object
2737 required:
2738 - accessKeyIDSecretRef
2739 - accessKeySecretSecretRef
2740 type: object
2741 type: object
2742 regionID:
2743 description: Alibaba Region to be used for the provider
2744 type: string
2745 required:
2746 - auth
2747 - regionID
2748 type: object
2749 aws:
2750 description: AWS configures this store to sync secrets using AWS Secret Manager provider
2751 properties:
2752 additionalRoles:
2753 description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role
2754 items:
2755 type: string
2756 type: array
2757 auth:
2758 description: |-
2759 Auth defines the information necessary to authenticate against AWS
2760 if not set, the AWS SDK will infer credentials from your environment
2761 see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
2762 properties:
2763 jwt:
2764 description: Authenticate against AWS using service account tokens.
2765 properties:
2766 serviceAccountRef:
2767 description: A reference to a ServiceAccount resource.
2768 properties:
2769 audiences:
2770 description: |-
2771 Audience specifies the `aud` claim for the service account token.
2772 If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity,
2773 then these audiences will be appended to the list.
2774 items:
2775 type: string
2776 type: array
2777 name:
2778 description: The name of the ServiceAccount resource being referred to.
2779 type: string
2780 namespace:
2781 description: |-
2782 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
2783 to the namespace of the referent.
2784 type: string
2785 required:
2786 - name
2787 type: object
2788 type: object
2789 secretRef:
2790 description: |-
2791 AWSAuthSecretRef holds secret references for AWS credentials
2792 both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
2793 properties:
2794 accessKeyIDSecretRef:
2795 description: The AccessKeyID is used for authentication
2796 properties:
2797 key:
2798 description: |-
2799 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
2800 defaulted, in others it may be required.
2801 type: string
2802 name:
2803 description: The name of the Secret resource being referred to.
2804 type: string
2805 namespace:
2806 description: |-
2807 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
2808 to the namespace of the referent.
2809 type: string
2810 type: object
2811 secretAccessKeySecretRef:
2812 description: The SecretAccessKey is used for authentication
2813 properties:
2814 key:
2815 description: |-
2816 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
2817 defaulted, in others it may be required.
2818 type: string
2819 name:
2820 description: The name of the Secret resource being referred to.
2821 type: string
2822 namespace:
2823 description: |-
2824 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
2825 to the namespace of the referent.
2826 type: string
2827 type: object
2828 sessionTokenSecretRef:
2829 description: |-
2830 The SessionToken used for authentication
2831 This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
2832 see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
2833 properties:
2834 key:
2835 description: |-
2836 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
2837 defaulted, in others it may be required.
2838 type: string
2839 name:
2840 description: The name of the Secret resource being referred to.
2841 type: string
2842 namespace:
2843 description: |-
2844 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
2845 to the namespace of the referent.
2846 type: string
2847 type: object
2848 type: object
2849 type: object
2850 externalID:
2851 description: AWS External ID set on assumed IAM roles
2852 type: string
2853 region:
2854 description: AWS Region to be used for the provider
2855 type: string
2856 role:
2857 description: Role is a Role ARN which the provider will assume
2858 type: string
2859 secretsManager:
2860 description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager
2861 properties:
2862 forceDeleteWithoutRecovery:
2863 description: |-
2864 Specifies whether to delete the secret without any recovery window. You
2865 can't use both this parameter and RecoveryWindowInDays in the same call.
2866 If you don't use either, then by default Secrets Manager uses a 30 day
2867 recovery window.
2868 see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery
2869 type: boolean
2870 recoveryWindowInDays:
2871 description: |-
2872 The number of days from 7 to 30 that Secrets Manager waits before
2873 permanently deleting the secret. You can't use both this parameter and
2874 ForceDeleteWithoutRecovery in the same call. If you don't use either,
2875 then by default Secrets Manager uses a 30 day recovery window.
2876 see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays
2877 format: int64
2878 type: integer
2879 type: object
2880 service:
2881 description: Service defines which service should be used to fetch the secrets
2882 enum:
2883 - SecretsManager
2884 - ParameterStore
2885 type: string
2886 sessionTags:
2887 description: AWS STS assume role session tags
2888 items:
2889 properties:
2890 key:
2891 type: string
2892 value:
2893 type: string
2894 required:
2895 - key
2896 - value
2897 type: object
2898 type: array
2899 transitiveTagKeys:
2900 description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider
2901 items:
2902 type: string
2903 type: array
2904 required:
2905 - region
2906 - service
2907 type: object
2908 azurekv:
2909 description: AzureKV configures this store to sync secrets using Azure Key Vault provider
2910 properties:
2911 authSecretRef:
2912 description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
2913 properties:
2914 clientId:
2915 description: The Azure clientId of the service principal or managed identity used for authentication.
2916 properties:
2917 key:
2918 description: |-
2919 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
2920 defaulted, in others it may be required.
2921 type: string
2922 name:
2923 description: The name of the Secret resource being referred to.
2924 type: string
2925 namespace:
2926 description: |-
2927 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
2928 to the namespace of the referent.
2929 type: string
2930 type: object
2931 clientSecret:
2932 description: The Azure ClientSecret of the service principal used for authentication.
2933 properties:
2934 key:
2935 description: |-
2936 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
2937 defaulted, in others it may be required.
2938 type: string
2939 name:
2940 description: The name of the Secret resource being referred to.
2941 type: string
2942 namespace:
2943 description: |-
2944 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
2945 to the namespace of the referent.
2946 type: string
2947 type: object
2948 tenantId:
2949 description: The Azure tenantId of the managed identity used for authentication.
2950 properties:
2951 key:
2952 description: |-
2953 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
2954 defaulted, in others it may be required.
2955 type: string
2956 name:
2957 description: The name of the Secret resource being referred to.
2958 type: string
2959 namespace:
2960 description: |-
2961 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
2962 to the namespace of the referent.
2963 type: string
2964 type: object
2965 type: object
2966 authType:
2967 default: ServicePrincipal
2968 description: |-
2969 Auth type defines how to authenticate to the keyvault service.
2970 Valid values are:
2971 - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
2972 - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
- "WorkloadIdentity": Using Azure Workload Identity with the service account given in serviceAccountRef
2973 enum:
2974 - ServicePrincipal
2975 - ManagedIdentity
2976 - WorkloadIdentity
2977 type: string
2978 environmentType:
2979 default: PublicCloud
2980 description: |-
2981 EnvironmentType specifies the Azure cloud environment endpoints to use for
2982 connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
2983 The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
2984 PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
2985 enum:
2986 - PublicCloud
2987 - USGovernmentCloud
2988 - ChinaCloud
2989 - GermanCloud
2990 type: string
2991 identityId:
2992 description: If multiple Managed Identities are assigned to the pod, this selects the one to be used
2993 type: string
2994 serviceAccountRef:
2995 description: |-
2996 ServiceAccountRef specifies the service account
2997 that should be used when authenticating with WorkloadIdentity.
2998 properties:
2999 audiences:
3000 description: |-
3001 Audience specifies the `aud` claim for the service account token
3002 If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
3003 then these audiences will be appended to the list
3004 items:
3005 type: string
3006 type: array
3007 name:
3008 description: The name of the ServiceAccount resource being referred to.
3009 type: string
3010 namespace:
3011 description: |-
3012 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
3013 to the namespace of the referent.
3014 type: string
3015 required:
3016 - name
3017 type: object
3018 tenantId:
3019 description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
3020 type: string
3021 vaultUrl:
3022 description: Vault URL from which the secrets are to be fetched.
3023 type: string
3024 required:
3025 - vaultUrl
3026 type: object
3027 chef:
3028 description: Chef configures this store to sync secrets with chef server
3029 properties:
3030 auth:
3031 description: Auth defines the information necessary to authenticate against chef Server
3032 properties:
3033 secretRef:
3034 description: ChefAuthSecretRef holds secret references for chef server login credentials.
3035 properties:
3036 privateKeySecretRef:
3037 description: SecretKey is the Signing Key in PEM format, used for authentication.
3038 properties:
3039 key:
3040 description: |-
3041 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
3042 defaulted, in others it may be required.
3043 type: string
3044 name:
3045 description: The name of the Secret resource being referred to.
3046 type: string
3047 namespace:
3048 description: |-
3049 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
3050 to the namespace of the referent.
3051 type: string
3052 type: object
3053 required:
3054 - privateKeySecretRef
3055 type: object
3056 required:
3057 - secretRef
3058 type: object
3059 serverUrl:
3060 description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/"
3061 type: string
3062 username:
3063 description: UserName should be the user ID on the chef server
3064 type: string
3065 required:
3066 - auth
3067 - serverUrl
3068 - username
3069 type: object
3070 conjur:
3071 description: Conjur configures this store to sync secrets using conjur provider
3072 properties:
3073 auth:
3074 properties:
3075 apikey:
3076 properties:
3077 account:
3078 type: string
3079 apiKeyRef:
3080 description: |-
3081 A reference to a specific 'key' within a Secret resource,
3082 In some instances, `key` is a required field.
3083 properties:
3084 key:
3085 description: |-
3086 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
3087 defaulted, in others it may be required.
3088 type: string
3089 name:
3090 description: The name of the Secret resource being referred to.
3091 type: string
3092 namespace:
3093 description: |-
3094 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
3095 to the namespace of the referent.
3096 type: string
3097 type: object
3098 userRef:
3099 description: |-
3100 A reference to a specific 'key' within a Secret resource,
3101 In some instances, `key` is a required field.
3102 properties:
3103 key:
3104 description: |-
3105 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
3106 defaulted, in others it may be required.
3107 type: string
3108 name:
3109 description: The name of the Secret resource being referred to.
3110 type: string
3111 namespace:
3112 description: |-
3113 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
3114 to the namespace of the referent.
3115 type: string
3116 type: object
3117 required:
3118 - account
3119 - apiKeyRef
3120 - userRef
3121 type: object
3122 jwt:
3123 properties:
3124 account:
3125 type: string
3126 hostId:
3127 description: |-
3128 Optional HostID for JWT authentication. This may be used depending
3129 on how the Conjur JWT authenticator policy is configured.
3130 type: string
3131 secretRef:
3132 description: |-
3133 Optional SecretRef that refers to a key in a Secret resource containing JWT token to
3134 authenticate with Conjur using the JWT authentication method.
3135 properties:
3136 key:
3137 description: |-
3138 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
3139 defaulted, in others it may be required.
3140 type: string
3141 name:
3142 description: The name of the Secret resource being referred to.
3143 type: string
3144 namespace:
3145 description: |-
3146 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
3147 to the namespace of the referent.
3148 type: string
3149 type: object
3150 serviceAccountRef:
3151 description: |-
3152 Optional ServiceAccountRef specifies the Kubernetes service account for which to request
3153 a token with the `TokenRequest` API.
3154 properties:
3155 audiences:
3156 description: |-
3157 Audience specifies the `aud` claim for the service account token
3158 If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
3159 then these audiences will be appended to the list
3160 items:
3161 type: string
3162 type: array
3163 name:
3164 description: The name of the ServiceAccount resource being referred to.
3165 type: string
3166 namespace:
3167 description: |-
3168 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
3169 to the namespace of the referent.
3170 type: string
3171 required:
3172 - name
3173 type: object
3174 serviceID:
3175 description: The conjur authn jwt webservice id
3176 type: string
3177 required:
3178 - account
3179 - serviceID
3180 type: object
3181 type: object
3182 caBundle:
3183 type: string
3184 caProvider:
3185 description: |-
3186 Used to provide custom certificate authority (CA) certificates
3187 for a secret store. The CAProvider points to a Secret or ConfigMap resource
3188 that contains a PEM-encoded certificate.
3189 properties:
3190 key:
3191 description: The key where the CA certificate can be found in the Secret or ConfigMap.
3192 type: string
3193 name:
3194 description: The name of the object located at the provider type.
3195 type: string
3196 namespace:
3197 description: |-
3198 The namespace the Provider type is in.
3199 Can only be defined when used in a ClusterSecretStore.
3200 type: string
3201 type:
3202 description: The type of provider to use such as "Secret", or "ConfigMap".
3203 enum:
3204 - Secret
3205 - ConfigMap
3206 type: string
3207 required:
3208 - name
3209 - type
3210 type: object
3211 url:
3212 type: string
3213 required:
3214 - auth
3215 - url
3216 type: object
3217 delinea:
3218 description: |-
3219 Delinea DevOps Secrets Vault
3220 https://docs.delinea.com/online-help/products/devops-secrets-vault/current
3221 properties:
3222 clientId:
3223 description: ClientID is the non-secret part of the credential.
3224 properties:
3225 secretRef:
3226 description: SecretRef references a key in a secret that will be used as value.
3227 properties:
3228 key:
3229 description: |-
3230 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
3231 defaulted, in others it may be required.
3232 type: string
3233 name:
3234 description: The name of the Secret resource being referred to.
3235 type: string
3236 namespace:
3237 description: |-
3238 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
3239 to the namespace of the referent.
3240 type: string
3241 type: object
3242 value:
3243 description: Value can be specified directly to set a value without using a secret.
3244 type: string
3245 type: object
3246 clientSecret:
3247 description: ClientSecret is the secret part of the credential.
3248 properties:
3249 secretRef:
3250 description: SecretRef references a key in a secret that will be used as value.
3251 properties:
3252 key:
3253 description: |-
3254 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
3255 defaulted, in others it may be required.
3256 type: string
3257 name:
3258 description: The name of the Secret resource being referred to.
3259 type: string
3260 namespace:
3261 description: |-
3262 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
3263 to the namespace of the referent.
3264 type: string
3265 type: object
3266 value:
3267 description: Value can be specified directly to set a value without using a secret.
3268 type: string
3269 type: object
3270 tenant:
3271 description: Tenant is the chosen hostname / site name.
3272 type: string
3273 tld:
3274 description: |-
3275 TLD is based on the server location that was chosen during provisioning.
3276 If unset, defaults to "com".
3277 type: string
3278 urlTemplate:
3279 description: |-
3280 URLTemplate
3281 If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s".
3282 type: string
3283 required:
3284 - clientId
3285 - clientSecret
3286 - tenant
3287 type: object
3288 doppler:
3289 description: Doppler configures this store to sync secrets using the Doppler provider
3290 properties:
3291 auth:
3292 description: Auth configures how the Operator authenticates with the Doppler API
3293 properties:
3294 secretRef:
3295 properties:
3296 dopplerToken:
3297 description: |-
3298 The DopplerToken is used for authentication.
3299 See https://docs.doppler.com/reference/api#authentication for auth token types.
3300 The Key attribute defaults to dopplerToken if not specified.
3301 properties:
3302 key:
3303 description: |-
3304 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
3305 defaulted, in others it may be required.
3306 type: string
3307 name:
3308 description: The name of the Secret resource being referred to.
3309 type: string
3310 namespace:
3311 description: |-
3312 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
3313 to the namespace of the referent.
3314 type: string
3315 type: object
3316 required:
3317 - dopplerToken
3318 type: object
3319 required:
3320 - secretRef
3321 type: object
3322 config:
3323 description: Doppler config (required if not using a Service Token)
3324 type: string
3325 format:
3326 description: Format enables the downloading of secrets as a file (string)
3327 enum:
3328 - json
3329 - dotnet-json
3330 - env
3331 - yaml
3332 - docker
3333 type: string
3334 nameTransformer:
3335 description: Environment variable compatible name transforms that change secret names to a different format
3336 enum:
3337 - upper-camel
3338 - camel
3339 - lower-snake
3340 - tf-var
3341 - dotnet-env
3342 - lower-kebab
3343 type: string
3344 project:
3345 description: Doppler project (required if not using a Service Token)
3346 type: string
3347 required:
3348 - auth
3349 type: object
3350 fake:
3351 description: Fake configures a store with static key/value pairs
3352 properties:
3353 data:
3354 items:
3355 properties:
3356 key:
3357 type: string
3358 value:
3359 type: string
3360 valueMap:
3361 additionalProperties:
3362 type: string
3363 description: 'Deprecated: ValueMap is deprecated and is intended to be removed in the future, use the `value` field instead.'
3364 type: object
3365 version:
3366 type: string
3367 required:
3368 - key
3369 type: object
3370 type: array
3371 required:
3372 - data
3373 type: object
3374 fortanix:
3375 description: Fortanix configures this store to sync secrets using the Fortanix provider
3376 properties:
3377 apiKey:
3378 description: APIKey is the API token to access SDKMS Applications.
3379 properties:
3380 secretRef:
3381 description: SecretRef is a reference to a secret containing the SDKMS API Key.
3382 properties:
3383 key:
3384 description: |-
3385 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
3386 defaulted, in others it may be required.
3387 type: string
3388 name:
3389 description: The name of the Secret resource being referred to.
3390 type: string
3391 namespace:
3392 description: |-
3393 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
3394 to the namespace of the referent.
3395 type: string
3396 type: object
3397 type: object
3398 apiUrl:
3399 description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`.
3400 type: string
3401 type: object
3402 gcpsm:
3403 description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
3404 properties:
3405 auth:
3406 description: Auth defines the information necessary to authenticate against GCP
3407 properties:
3408 secretRef:
3409 properties:
3410 secretAccessKeySecretRef:
3411 description: The SecretAccessKey is used for authentication
3412 properties:
3413 key:
3414 description: |-
3415 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
3416 defaulted, in others it may be required.
3417 type: string
3418 name:
3419 description: The name of the Secret resource being referred to.
3420 type: string
3421 namespace:
3422 description: |-
3423 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
3424 to the namespace of the referent.
3425 type: string
3426 type: object
3427 type: object
3428 workloadIdentity:
3429 properties:
3430 clusterLocation:
3431 type: string
3432 clusterName:
3433 type: string
3434 clusterProjectID:
3435 type: string
3436 serviceAccountRef:
3437 description: A reference to a ServiceAccount resource.
3438 properties:
3439 audiences:
3440 description: |-
3441 Audience specifies the `aud` claim for the service account token
3442 If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
3443 then these audiences will be appended to the list
3444 items:
3445 type: string
3446 type: array
3447 name:
3448 description: The name of the ServiceAccount resource being referred to.
3449 type: string
3450 namespace:
3451 description: |-
3452 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
3453 to the namespace of the referent.
3454 type: string
3455 required:
3456 - name
3457 type: object
3458 required:
3459 - clusterLocation
3460 - clusterName
3461 - serviceAccountRef
3462 type: object
3463 type: object
3464 projectID:
3465 description: ProjectID is the project where the secret is located
3466 type: string
3467 type: object
3468 gitlab:
3469 description: GitLab configures this store to sync secrets using GitLab Variables provider
3470 properties:
3471 auth:
3472 description: Auth configures how secret-manager authenticates with a GitLab instance.
3473 properties:
3474 SecretRef:
3475 properties:
3476 accessToken:
3477 description: AccessToken is used for authentication.
3478 properties:
3479 key:
3480 description: |-
3481 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
3482 defaulted, in others it may be required.
3483 type: string
3484 name:
3485 description: The name of the Secret resource being referred to.
3486 type: string
3487 namespace:
3488 description: |-
3489 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
3490 to the namespace of the referent.
3491 type: string
3492 type: object
3493 type: object
3494 required:
3495 - SecretRef
3496 type: object
3497 environment:
3498 description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments)
3499 type: string
3500 groupIDs:
3501 description: GroupIDs specify which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables.
3502 items:
3503 type: string
3504 type: array
3505 inheritFromGroups:
3506 description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets.
3507 type: boolean
3508 projectID:
3509 description: ProjectID specifies a project where secrets are located.
3510 type: string
3511 url:
3512 description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
3513 type: string
3514 required:
3515 - auth
3516 type: object
3517 ibm:
3518 description: IBM configures this store to sync secrets using IBM Cloud provider
3519 properties:
3520 auth:
3521 description: Auth configures how secret-manager authenticates with the IBM secrets manager.
3522 maxProperties: 1
3523 minProperties: 1
3524 properties:
3525 containerAuth:
3526 description: IBM Container-based auth with IAM Trusted Profile.
3527 properties:
3528 iamEndpoint:
3529 type: string
3530 profile:
3531 description: the IBM Trusted Profile
3532 type: string
3533 tokenLocation:
3534 description: Location the token is mounted on the pod
3535 type: string
3536 required:
3537 - profile
3538 type: object
3539 secretRef:
3540 properties:
3541 secretApiKeySecretRef:
3542 description: The SecretAccessKey is used for authentication
3543 properties:
3544 key:
3545 description: |-
3546 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
3547 defaulted, in others it may be required.
3548 type: string
3549 name:
3550 description: The name of the Secret resource being referred to.
3551 type: string
3552 namespace:
3553 description: |-
3554 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
3555 to the namespace of the referent.
3556 type: string
3557 type: object
3558 type: object
3559 type: object
3560 serviceUrl:
3561 description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
3562 type: string
3563 required:
3564 - auth
3565 type: object
3566 keepersecurity:
3567 description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider
3568 properties:
3569 authRef:
3570 description: |-
3571 A reference to a specific 'key' within a Secret resource,
3572 In some instances, `key` is a required field.
3573 properties:
3574 key:
3575 description: |-
3576 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
3577 defaulted, in others it may be required.
3578 type: string
3579 name:
3580 description: The name of the Secret resource being referred to.
3581 type: string
3582 namespace:
3583 description: |-
3584 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
3585 to the namespace of the referent.
3586 type: string
3587 type: object
3588 folderID:
3589 type: string
3590 required:
3591 - authRef
3592 - folderID
3593 type: object
3594 kubernetes:
3595 description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
3596 properties:
3597 auth:
3598 description: Auth configures how secret-manager authenticates with a Kubernetes instance.
3599 maxProperties: 1
3600 minProperties: 1
3601 properties:
3602 cert:
3603 description: has both clientCert and clientKey as secretKeySelector
3604 properties:
3605 clientCert:
3606 description: |-
3607 A reference to a specific 'key' within a Secret resource,
3608 In some instances, `key` is a required field.
3609 properties:
3610 key:
3611 description: |-
3612 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
3613 defaulted, in others it may be required.
3614 type: string
3615 name:
3616 description: The name of the Secret resource being referred to.
3617 type: string
3618 namespace:
3619 description: |-
3620 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
3621 to the namespace of the referent.
3622 type: string
3623 type: object
3624 clientKey:
3625 description: |-
3626 A reference to a specific 'key' within a Secret resource,
3627 In some instances, `key` is a required field.
3628 properties:
3629 key:
3630 description: |-
3631 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
3632 defaulted, in others it may be required.
3633 type: string
3634 name:
3635 description: The name of the Secret resource being referred to.
3636 type: string
3637 namespace:
3638 description: |-
3639 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
3640 to the namespace of the referent.
3641 type: string
3642 type: object
3643 type: object
3644 serviceAccount:
3645 description: points to a service account that should be used for authentication
3646 properties:
3647 audiences:
3648 description: |-
3649 Audience specifies the `aud` claim for the service account token
3650 If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
3651 then these audiences will be appended to the list
3652 items:
3653 type: string
3654 type: array
3655 name:
3656 description: The name of the ServiceAccount resource being referred to.
3657 type: string
3658 namespace:
3659 description: |-
3660 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
3661 to the namespace of the referent.
3662 type: string
3663 required:
3664 - name
3665 type: object
3666 token:
3667 description: use static token to authenticate with
3668 properties:
3669 bearerToken:
3670 description: |-
3671 A reference to a specific 'key' within a Secret resource,
3672 In some instances, `key` is a required field.
3673 properties:
3674 key:
3675 description: |-
3676 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
3677 defaulted, in others it may be required.
3678 type: string
3679 name:
3680 description: The name of the Secret resource being referred to.
3681 type: string
3682 namespace:
3683 description: |-
3684 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
3685 to the namespace of the referent.
3686 type: string
3687 type: object
3688 type: object
3689 type: object
3690 remoteNamespace:
3691 default: default
3692 description: Remote namespace to fetch the secrets from
3693 type: string
3694 server:
3695 description: configures the Kubernetes server Address.
3696 properties:
3697 caBundle:
3698 description: CABundle is a base64-encoded CA certificate
3699 format: byte
3700 type: string
3701 caProvider:
3702 description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
3703 properties:
3704 key:
3705 description: The key where the CA certificate can be found in the Secret or ConfigMap.
3706 type: string
3707 name:
3708 description: The name of the object located at the provider type.
3709 type: string
3710 namespace:
3711 description: |-
3712 The namespace the Provider type is in.
3713 Can only be defined when used in a ClusterSecretStore.
3714 type: string
3715 type:
3716 description: The type of provider to use such as "Secret", or "ConfigMap".
3717 enum:
3718 - Secret
3719 - ConfigMap
3720 type: string
3721 required:
3722 - name
3723 - type
3724 type: object
3725 url:
3726 default: kubernetes.default
3727 description: configures the Kubernetes server Address.
3728 type: string
3729 type: object
3730 required:
3731 - auth
3732 type: object
3733 onboardbase:
3734 description: Onboardbase configures this store to sync secrets using the Onboardbase provider
3735 properties:
3736 apiHost:
3737 default: https://public.onboardbase.com/api/v1/
3738 description: APIHost configures the host URL of the API for self-hosted installations; the default is https://public.onboardbase.com/api/v1/
3739 type: string
3740 auth:
3741 description: Auth configures how the Operator authenticates with the Onboardbase API
3742 properties:
3743 apiKeyRef:
3744 description: |-
3745 OnboardbaseAPIKey is the APIKey generated by an admin account.
3746 It is used to recognize and authorize access to a project and environment within onboardbase
3747 properties:
3748 key:
3749 description: |-
3750 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
3751 defaulted, in others it may be required.
3752 type: string
3753 name:
3754 description: The name of the Secret resource being referred to.
3755 type: string
3756 namespace:
3757 description: |-
3758 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
3759 to the namespace of the referent.
3760 type: string
3761 type: object
3762 passcodeRef:
3763 description: OnboardbasePasscode is the passcode attached to the API Key
3764 properties:
3765 key:
3766 description: |-
3767 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
3768 defaulted, in others it may be required.
3769 type: string
3770 name:
3771 description: The name of the Secret resource being referred to.
3772 type: string
3773 namespace:
3774 description: |-
3775 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
3776 to the namespace of the referent.
3777 type: string
3778 type: object
3779 required:
3780 - apiKeyRef
3781 - passcodeRef
3782 type: object
3783 environment:
3784 default: development
3785 description: Environment is the name of an environment within a project to pull the secrets from
3786 type: string
3787 project:
3788 default: development
3789 description: Project is an onboardbase project that the secrets should be pulled from
3790 type: string
3791 required:
3792 - apiHost
3793 - auth
3794 - environment
3795 - project
3796 type: object
3797 onepassword:
3798 description: OnePassword configures this store to sync secrets using the 1Password Cloud provider
3799 properties:
3800 auth:
3801 description: Auth defines the information necessary to authenticate against OnePassword Connect Server
3802 properties:
3803 secretRef:
3804 description: OnePasswordAuthSecretRef holds secret references for 1Password credentials.
3805 properties:
3806 connectTokenSecretRef:
3807 description: The ConnectToken is used for authentication to a 1Password Connect Server.
3808 properties:
3809 key:
3810 description: |-
3811 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
3812 defaulted, in others it may be required.
3813 type: string
3814 name:
3815 description: The name of the Secret resource being referred to.
3816 type: string
3817 namespace:
3818 description: |-
3819 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
3820 to the namespace of the referent.
3821 type: string
3822 type: object
3823 required:
3824 - connectTokenSecretRef
3825 type: object
3826 required:
3827 - secretRef
3828 type: object
3829 connectHost:
3830 description: ConnectHost defines the OnePassword Connect Server to connect to
3831 type: string
3832 vaults:
3833 additionalProperties:
3834 type: integer
3835 description: Vaults defines which OnePassword vaults to search in which order
3836 type: object
3837 required:
3838 - auth
3839 - connectHost
3840 - vaults
3841 type: object
3842 oracle:
3843 description: Oracle configures this store to sync secrets using Oracle Vault provider
3844 properties:
3845 auth:
3846 description: |-
3847 Auth configures how secret-manager authenticates with the Oracle Vault.
3848 If empty, use the instance principal, otherwise the user credentials specified in Auth.
3849 properties:
3850 secretRef:
3851 description: SecretRef to pass through sensitive information.
3852 properties:
3853 fingerprint:
3854 description: Fingerprint is the fingerprint of the API private key.
3855 properties:
3856 key:
3857 description: |-
3858 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
3859 defaulted, in others it may be required.
3860 type: string
3861 name:
3862 description: The name of the Secret resource being referred to.
3863 type: string
3864 namespace:
3865 description: |-
3866 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
3867 to the namespace of the referent.
3868 type: string
3869 type: object
3870 privatekey:
3871 description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
3872 properties:
3873 key:
3874 description: |-
3875 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
3876 defaulted, in others it may be required.
3877 type: string
3878 name:
3879 description: The name of the Secret resource being referred to.
3880 type: string
3881 namespace:
3882 description: |-
3883 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
3884 to the namespace of the referent.
3885 type: string
3886 type: object
3887 required:
3888 - fingerprint
3889 - privatekey
3890 type: object
3891 tenancy:
3892 description: Tenancy is the tenancy OCID where user is located.
3893 type: string
3894 user:
3895 description: User is an access OCID specific to the account.
3896 type: string
3897 required:
3898 - secretRef
3899 - tenancy
3900 - user
3901 type: object
3902 compartment:
3903 description: |-
3904 Compartment is the vault compartment OCID.
3905 Required for PushSecret
3906 type: string
3907 encryptionKey:
3908 description: |-
3909 EncryptionKey is the OCID of the encryption key within the vault.
3910 Required for PushSecret
3911 type: string
3912 principalType:
3913 description: |-
3914 The type of principal to use for authentication. If left blank, the Auth struct will
3915 determine the principal type. This optional field must be specified if using
3916 workload identity.
3917 enum:
3918 - ""
3919 - UserPrincipal
3920 - InstancePrincipal
3921 - Workload
3922 type: string
3923 region:
3924 description: Region is the region where vault is located.
3925 type: string
3926 serviceAccountRef:
3927 description: |-
3928 ServiceAccountRef specifies the service account
3929 that should be used when authenticating with WorkloadIdentity.
3930 properties:
3931 audiences:
3932 description: |-
3933 Audience specifies the `aud` claim for the service account token
3934 If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
3935 then these audiences will be appended to the list
3936 items:
3937 type: string
3938 type: array
3939 name:
3940 description: The name of the ServiceAccount resource being referred to.
3941 type: string
3942 namespace:
3943 description: |-
3944 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
3945 to the namespace of the referent.
3946 type: string
3947 required:
3948 - name
3949 type: object
3950 vault:
3951 description: Vault is the vault's OCID of the specific vault where secret is located.
3952 type: string
3953 required:
3954 - region
3955 - vault
3956 type: object
3957 passbolt:
3958 properties:
3959 auth:
3960 description: Auth defines the information necessary to authenticate against Passbolt Server
3961 properties:
3962 passwordSecretRef:
3963 description: |-
3964 A reference to a specific 'key' within a Secret resource,
3965 In some instances, `key` is a required field.
3966 properties:
3967 key:
3968 description: |-
3969 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
3970 defaulted, in others it may be required.
3971 type: string
3972 name:
3973 description: The name of the Secret resource being referred to.
3974 type: string
3975 namespace:
3976 description: |-
3977 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
3978 to the namespace of the referent.
3979 type: string
3980 type: object
3981 privateKeySecretRef:
3982 description: |-
3983 A reference to a specific 'key' within a Secret resource,
3984 In some instances, `key` is a required field.
3985 properties:
3986 key:
3987 description: |-
3988 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
3989 defaulted, in others it may be required.
3990 type: string
3991 name:
3992 description: The name of the Secret resource being referred to.
3993 type: string
3994 namespace:
3995 description: |-
3996 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
3997 to the namespace of the referent.
3998 type: string
3999 type: object
4000 required:
4001 - passwordSecretRef
4002 - privateKeySecretRef
4003 type: object
4004 host:
4005 description: Host defines the Passbolt Server to connect to
4006 type: string
4007 required:
4008 - auth
4009 - host
4010 type: object
4011 passworddepot:
4012 description: Configures a store to sync secrets with a Password Depot instance.
4013 properties:
4014 auth:
4015 description: Auth configures how secret-manager authenticates with a Password Depot instance.
4016 properties:
4017 secretRef:
4018 properties:
4019 credentials:
4020 description: Username / Password is used for authentication.
4021 properties:
4022 key:
4023 description: |-
4024 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
4025 defaulted, in others it may be required.
4026 type: string
4027 name:
4028 description: The name of the Secret resource being referred to.
4029 type: string
4030 namespace:
4031 description: |-
4032 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
4033 to the namespace of the referent.
4034 type: string
4035 type: object
4036 type: object
4037 required:
4038 - secretRef
4039 type: object
4040 database:
4041 description: Database to use as source
4042 type: string
4043 host:
4044 description: URL configures the Password Depot instance URL.
4045 type: string
4046 required:
4047 - auth
4048 - database
4049 - host
4050 type: object
4051 pulumi:
4052 description: Pulumi configures this store to sync secrets using the Pulumi provider
4053 properties:
4054 accessToken:
4055 description: AccessToken is the access token used to sign in to the Pulumi Cloud Console.
4056 properties:
4057 secretRef:
4058 description: SecretRef is a reference to a secret containing the Pulumi API token.
4059 properties:
4060 key:
4061 description: |-
4062 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
4063 defaulted, in others it may be required.
4064 type: string
4065 name:
4066 description: The name of the Secret resource being referred to.
4067 type: string
4068 namespace:
4069 description: |-
4070 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
4071 to the namespace of the referent.
4072 type: string
4073 type: object
4074 type: object
4075 apiUrl:
4076 default: https://api.pulumi.com
4077 description: APIURL is the URL of the Pulumi API.
4078 type: string
4079 environment:
4080 description: |-
4081 Environments are YAML documents composed of static key-value pairs, programmatic expressions,
4082 dynamically retrieved values from supported providers including all major clouds,
4083 and other Pulumi ESC environments.
4084 To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information.
4085 type: string
4086 organization:
4087 description: |-
4088 Organizations are a space to collaborate on shared projects and stacks.
4089 To create a new organization, visit https://app.pulumi.com/ and click "New Organization".
4090 type: string
4091 required:
4092 - accessToken
4093 - environment
4094 - organization
4095 type: object
4096 scaleway:
4097 description: Scaleway
4098 properties:
4099 accessKey:
4100 description: AccessKey is the non-secret part of the api key.
4101 properties:
4102 secretRef:
4103 description: SecretRef references a key in a secret that will be used as value.
4104 properties:
4105 key:
4106 description: |-
4107 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
4108 defaulted, in others it may be required.
4109 type: string
4110 name:
4111 description: The name of the Secret resource being referred to.
4112 type: string
4113 namespace:
4114 description: |-
4115 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
4116 to the namespace of the referent.
4117 type: string
4118 type: object
4119 value:
4120 description: Value can be specified directly to set a value without using a secret.
4121 type: string
4122 type: object
4123 apiUrl:
4124 description: APIURL is the url of the api to use. Defaults to https://api.scaleway.com
4125 type: string
4126 projectId:
4127 description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings'
4128 type: string
4129 region:
4130 description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone'
4131 type: string
4132 secretKey:
4133 description: SecretKey is the secret part of the api key.
4134 properties:
4135 secretRef:
4136 description: SecretRef references a key in a secret that will be used as value.
4137 properties:
4138 key:
4139 description: |-
4140 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
4141 defaulted, in others it may be required.
4142 type: string
4143 name:
4144 description: The name of the Secret resource being referred to.
4145 type: string
4146 namespace:
4147 description: |-
4148 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
4149 to the namespace of the referent.
4150 type: string
4151 type: object
4152 value:
4153 description: Value can be specified directly to set a value without using a secret.
4154 type: string
4155 type: object
4156 required:
4157 - accessKey
4158 - projectId
4159 - region
4160 - secretKey
4161 type: object
4162 senhasegura:
4163 description: Senhasegura configures this store to sync secrets using senhasegura provider
4164 properties:
4165 auth:
4166 description: Auth defines parameters to authenticate in senhasegura
4167 properties:
4168 clientId:
4169 type: string
4170 clientSecretSecretRef:
4171 description: |-
4172 A reference to a specific 'key' within a Secret resource,
4173 In some instances, `key` is a required field.
4174 properties:
4175 key:
4176 description: |-
4177 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
4178 defaulted, in others it may be required.
4179 type: string
4180 name:
4181 description: The name of the Secret resource being referred to.
4182 type: string
4183 namespace:
4184 description: |-
4185 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
4186 to the namespace of the referent.
4187 type: string
4188 type: object
4189 required:
4190 - clientId
4191 - clientSecretSecretRef
4192 type: object
4193 ignoreSslCertificate:
4194 default: false
4195 description: IgnoreSslCertificate defines whether the senhasegura server's SSL certificate is ignored, i.e. whether certificate verification is skipped
4196 type: boolean
4197 module:
4198 description: Module defines which senhasegura module should be used to get secrets
4199 type: string
4200 url:
4201 description: URL of senhasegura
4202 type: string
4203 required:
4204 - auth
4205 - module
4206 - url
4207 type: object
4208 vault:
4209 description: Vault configures this store to sync secrets using the HashiCorp Vault provider
4210 properties:
4211 auth:
4212 description: Auth configures how secret-manager authenticates with the Vault server.
4213 properties:
4214 appRole:
4215 description: |-
4216 AppRole authenticates with Vault using the App Role auth mechanism,
4217 with the role and secret stored in a Kubernetes Secret resource.
4218 properties:
4219 path:
4220 default: approle
4221 description: |-
4222 Path where the App Role authentication backend is mounted
4223 in Vault, e.g: "approle"
4224 type: string
4225 roleId:
4226 description: |-
4227 RoleID configured in the App Role authentication backend when setting
4228 up the authentication backend in Vault.
4229 type: string
4230 roleRef:
4231 description: |-
4232 Reference to a key in a Secret that contains the App Role ID used
4233 to authenticate with Vault.
4234 The `key` field must be specified and denotes which entry within the Secret
4235 resource is used as the app role id.
4236 properties:
4237 key:
4238 description: |-
4239 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
4240 defaulted, in others it may be required.
4241 type: string
4242 name:
4243 description: The name of the Secret resource being referred to.
4244 type: string
4245 namespace:
4246 description: |-
4247 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
4248 to the namespace of the referent.
4249 type: string
4250 type: object
4251 secretRef:
4252 description: |-
4253 Reference to a key in a Secret that contains the App Role secret used
4254 to authenticate with Vault.
4255 The `key` field must be specified and denotes which entry within the Secret
4256 resource is used as the app role secret.
4257 properties:
4258 key:
4259 description: |-
4260 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
4261 defaulted, in others it may be required.
4262 type: string
4263 name:
4264 description: The name of the Secret resource being referred to.
4265 type: string
4266 namespace:
4267 description: |-
4268 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
4269 to the namespace of the referent.
4270 type: string
4271 type: object
4272 required:
4273 - path
4274 - secretRef
4275 type: object
4276 cert:
4277 description: |-
4278 Cert authenticates with Vault using the TLS Certificates auth method, by passing a client certificate,
4279 private key and CA certificate
4280 properties:
4281 clientCert:
4282 description: |-
4283 ClientCert is a certificate to authenticate using the Cert Vault
4284 authentication method
4285 properties:
4286 key:
4287 description: |-
4288 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
4289 defaulted, in others it may be required.
4290 type: string
4291 name:
4292 description: The name of the Secret resource being referred to.
4293 type: string
4294 namespace:
4295 description: |-
4296 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
4297 to the namespace of the referent.
4298 type: string
4299 type: object
4300 secretRef:
4301 description: |-
4302 SecretRef to a key in a Secret resource containing client private key to
4303 authenticate with Vault using the Cert authentication method
4304 properties:
4305 key:
4306 description: |-
4307 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
4308 defaulted, in others it may be required.
4309 type: string
4310 name:
4311 description: The name of the Secret resource being referred to.
4312 type: string
4313 namespace:
4314 description: |-
4315 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
4316 to the namespace of the referent.
4317 type: string
4318 type: object
4319 type: object
4320 iam:
4321 description: |-
4322 Iam authenticates with Vault using the AWS IAM auth method, by passing a special AWS request
4323 signed with AWS IAM credentials
4324 properties:
4325 externalID:
4326 description: AWS External ID set on assumed IAM roles
4327 type: string
4328 jwt:
4329 description: Specify a service account with IRSA enabled
4330 properties:
4331 serviceAccountRef:
4332 description: A reference to a ServiceAccount resource.
4333 properties:
4334 audiences:
4335 description: |-
4336 Audience specifies the `aud` claim for the service account token
4337 If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
4338 then these audiences will be appended to the list
4339 items:
4340 type: string
4341 type: array
4342 name:
4343 description: The name of the ServiceAccount resource being referred to.
4344 type: string
4345 namespace:
4346 description: |-
4347 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
4348 to the namespace of the referent.
4349 type: string
4350 required:
4351 - name
4352 type: object
4353 type: object
4354 path:
4355 description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
4356 type: string
4357 region:
4358 description: AWS region
4359 type: string
4360 role:
4361 description: This is the AWS role to be assumed before talking to vault
4362 type: string
4363 secretRef:
4364 description: Specify credentials in a Secret object
4365 properties:
4366 accessKeyIDSecretRef:
4367 description: The AccessKeyID is used for authentication
4368 properties:
4369 key:
4370 description: |-
4371 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
4372 defaulted, in others it may be required.
4373 type: string
4374 name:
4375 description: The name of the Secret resource being referred to.
4376 type: string
4377 namespace:
4378 description: |-
4379 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
4380 to the namespace of the referent.
4381 type: string
4382 type: object
4383 secretAccessKeySecretRef:
4384 description: The SecretAccessKey is used for authentication
4385 properties:
4386 key:
4387 description: |-
4388 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
4389 defaulted, in others it may be required.
4390 type: string
4391 name:
4392 description: The name of the Secret resource being referred to.
4393 type: string
4394 namespace:
4395 description: |-
4396 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
4397 to the namespace of the referent.
4398 type: string
4399 type: object
4400 sessionTokenSecretRef:
4401 description: |-
4402 The SessionToken used for authentication
4403 This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
4404 see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
4405 properties:
4406 key:
4407 description: |-
4408 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
4409 defaulted, in others it may be required.
4410 type: string
4411 name:
4412 description: The name of the Secret resource being referred to.
4413 type: string
4414 namespace:
4415 description: |-
4416 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
4417 to the namespace of the referent.
4418 type: string
4419 type: object
4420 type: object
4421 vaultAwsIamServerID:
4422 description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
4423 type: string
4424 vaultRole:
4425 description: Vault Role. In Vault, a role describes an identity with a set of permissions, groups, or policies you want to attach to a user of the secrets engine
4426 type: string
4427 required:
4428 - vaultRole
4429 type: object
4430 jwt:
4431 description: |-
4432 Jwt authenticates with Vault by passing role and JWT token using the
4433 JWT/OIDC authentication method
4434 properties:
4435 kubernetesServiceAccountToken:
4436 description: |-
4437 Optional ServiceAccountToken specifies the Kubernetes service account for which to request
4438 a token with the `TokenRequest` API.
4439 properties:
4440 audiences:
4441 description: |-
4442 Optional audiences field that will be used to request a temporary Kubernetes service
4443 account token for the service account referenced by `serviceAccountRef`.
4444 Defaults to a single audience `vault` if not specified.
4445 Deprecated: use serviceAccountRef.Audiences instead
4446 items:
4447 type: string
4448 type: array
4449 expirationSeconds:
4450 description: |-
4451 Optional expiration time in seconds that will be used to request a temporary
4452 Kubernetes service account token for the service account referenced by
4453 `serviceAccountRef`.
4454 Deprecated: this will be removed in the future.
4455 Defaults to 10 minutes.
4456 format: int64
4457 type: integer
4458 serviceAccountRef:
4459 description: Service account field containing the name of a kubernetes ServiceAccount.
4460 properties:
4461 audiences:
4462 description: |-
4463 Audience specifies the `aud` claim for the service account token
4464 If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
4465 then these audiences will be appended to the list
4466 items:
4467 type: string
4468 type: array
4469 name:
4470 description: The name of the ServiceAccount resource being referred to.
4471 type: string
4472 namespace:
4473 description: |-
4474 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
4475 to the namespace of the referent.
4476 type: string
4477 required:
4478 - name
4479 type: object
4480 required:
4481 - serviceAccountRef
4482 type: object
4483 path:
4484 default: jwt
4485 description: |-
4486 Path where the JWT authentication backend is mounted
4487 in Vault, e.g: "jwt"
4488 type: string
4489 role:
4490 description: |-
4491 Role is a JWT role to authenticate using the JWT/OIDC Vault
4492 authentication method
4493 type: string
4494 secretRef:
4495 description: |-
4496 Optional SecretRef that refers to a key in a Secret resource containing JWT token to
4497 authenticate with Vault using the JWT/OIDC authentication method.
4498 properties:
4499 key:
4500 description: |-
4501 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
4502 defaulted, in others it may be required.
4503 type: string
4504 name:
4505 description: The name of the Secret resource being referred to.
4506 type: string
4507 namespace:
4508 description: |-
4509 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
4510 to the namespace of the referent.
4511 type: string
4512 type: object
4513 required:
4514 - path
4515 type: object
4516 kubernetes:
4517 description: |-
4518 Kubernetes authenticates with Vault by passing the ServiceAccount
4519 token stored in the named Secret resource to the Vault server.
4520 properties:
4521 mountPath:
4522 default: kubernetes
4523 description: |-
4524 Path where the Kubernetes authentication backend is mounted in Vault, e.g:
4525 "kubernetes"
4526 type: string
4527 role:
4528 description: |-
4529 A required field containing the Vault Role to assume. A Role binds a
4530 Kubernetes ServiceAccount with a set of Vault policies.
4531 type: string
4532 secretRef:
4533 description: |-
4534 Optional secret field containing a Kubernetes ServiceAccount JWT used
4535 for authenticating with Vault. If a name is specified without a key,
4536 `token` is the default. If one is not specified, the one bound to
4537 the controller will be used.
4538 properties:
4539 key:
4540 description: |-
4541 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
4542 defaulted, in others it may be required.
4543 type: string
4544 name:
4545 description: The name of the Secret resource being referred to.
4546 type: string
4547 namespace:
4548 description: |-
4549 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
4550 to the namespace of the referent.
4551 type: string
4552 type: object
4553 serviceAccountRef:
4554 description: |-
4555 Optional service account field containing the name of a kubernetes ServiceAccount.
4556 If the service account is specified, the service account secret token JWT will be used
4557 for authenticating with Vault. If the service account selector is not supplied,
4558 the secretRef will be used instead.
4559 properties:
4560 audiences:
4561 description: |-
4562 Audience specifies the `aud` claim for the service account token
4563 If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
4564 then these audiences will be appended to the list
4565 items:
4566 type: string
4567 type: array
4568 name:
4569 description: The name of the ServiceAccount resource being referred to.
4570 type: string
4571 namespace:
4572 description: |-
4573 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
4574 to the namespace of the referent.
4575 type: string
4576 required:
4577 - name
4578 type: object
4579 required:
4580 - mountPath
4581 - role
4582 type: object
4583 ldap:
4584 description: |-
4585 Ldap authenticates with Vault by passing username/password pair using
4586 the LDAP authentication method
4587 properties:
4588 path:
4589 default: ldap
4590 description: |-
4591 Path where the LDAP authentication backend is mounted
4592 in Vault, e.g: "ldap"
4593 type: string
4594 secretRef:
4595 description: |-
4596 SecretRef to a key in a Secret resource containing password for the LDAP
4597 user used to authenticate with Vault using the LDAP authentication
4598 method
4599 properties:
4600 key:
4601 description: |-
4602 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
4603 defaulted, in others it may be required.
4604 type: string
4605 name:
4606 description: The name of the Secret resource being referred to.
4607 type: string
4608 namespace:
4609 description: |-
4610 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
4611 to the namespace of the referent.
4612 type: string
4613 type: object
4614 username:
4615 description: |-
4616 Username is a LDAP user name used to authenticate using the LDAP Vault
4617 authentication method
4618 type: string
4619 required:
4620 - path
4621 - username
4622 type: object
4623 namespace:
4624 description: |-
4625 Name of the vault namespace to authenticate to. This can be different from the namespace your secret is in.
4626 Namespaces is a set of features within Vault Enterprise that allows
4627 Vault environments to support Secure Multi-tenancy. e.g: "ns1".
4628 More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
4629 This will default to Vault.Namespace field if set, or empty otherwise
4630 type: string
4631 tokenSecretRef:
4632 description: TokenSecretRef authenticates with Vault by presenting a token.
4633 properties:
4634 key:
4635 description: |-
4636 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
4637 defaulted, in others it may be required.
4638 type: string
4639 name:
4640 description: The name of the Secret resource being referred to.
4641 type: string
4642 namespace:
4643 description: |-
4644 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
4645 to the namespace of the referent.
4646 type: string
4647 type: object
4648 userPass:
4649 description: UserPass authenticates with Vault by passing username/password pair
4650 properties:
4651 path:
4652 default: user
4653 description: |-
4654 Path where the UserPassword authentication backend is mounted
4655 in Vault, e.g: "user"
4656 type: string
4657 secretRef:
4658 description: |-
4659 SecretRef to a key in a Secret resource containing password for the
4660 user used to authenticate with Vault using the UserPass authentication
4661 method
4662 properties:
4663 key:
4664 description: |-
4665 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
4666 defaulted, in others it may be required.
4667 type: string
4668 name:
4669 description: The name of the Secret resource being referred to.
4670 type: string
4671 namespace:
4672 description: |-
4673 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
4674 to the namespace of the referent.
4675 type: string
4676 type: object
4677 username:
4678 description: |-
4679 Username is a user name used to authenticate using the UserPass Vault
4680 authentication method
4681 type: string
4682 required:
4683 - path
4684 - username
4685 type: object
4686 type: object
4687 caBundle:
4688 description: |-
4689 PEM encoded CA bundle used to validate Vault server certificate. Only used
4690 if the Server URL is using HTTPS protocol. This parameter is ignored for
4691 plain HTTP protocol connection. If not set the system root certificates
4692 are used to validate the TLS connection.
4693 format: byte
4694 type: string
4695 caProvider:
4696 description: The provider for the CA bundle to use to validate Vault server certificate.
4697 properties:
4698 key:
4699 description: The key where the CA certificate can be found in the Secret or ConfigMap.
4700 type: string
4701 name:
4702 description: The name of the object located at the provider type.
4703 type: string
4704 namespace:
4705 description: |-
4706 The namespace the Provider type is in.
4707 Can only be defined when used in a ClusterSecretStore.
4708 type: string
4709 type:
4710 description: The type of provider to use such as "Secret", or "ConfigMap".
4711 enum:
4712 - Secret
4713 - ConfigMap
4714 type: string
4715 required:
4716 - name
4717 - type
4718 type: object
4719 forwardInconsistent:
4720 description: |-
4721 ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
4722 leader instead of simply retrying within a loop. This can increase performance if
4723 the option is enabled serverside.
4724 https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
4725 type: boolean
4726 namespace:
4727 description: |-
4728 Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
4729 Vault environments to support Secure Multi-tenancy. e.g: "ns1".
4730 More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
4731 type: string
4732 path:
4733 description: |-
4734 Path is the mount path of the Vault KV backend endpoint, e.g:
4735 "secret". The v2 KV secret engine version specific "/data" path suffix
4736 for fetching secrets from Vault is optional and will be appended
4737 if not present in specified path.
4738 type: string
4739 readYourWrites:
4740 description: |-
4741 ReadYourWrites ensures isolated read-after-write semantics by
4742 providing discovered cluster replication states in each request.
4743 More information about eventual consistency in Vault can be found here
4744 https://www.vaultproject.io/docs/enterprise/consistency
4745 type: boolean
4746 server:
4747 description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
4748 type: string
4749 tls:
4750 description: |-
4751 Client-side TLS configuration (client certificate and private key) used when the Vault server
4752 requires mutual TLS authentication. Only used if the Server URL uses the HTTPS protocol;
4753 this parameter is ignored for a plain HTTP connection.
4754 It's worth noting this configuration is different from the "TLS certificates auth method",
4755 which is available under the `auth.cert` section.
4756 properties:
4757 certSecretRef:
4758 description: |-
4759 CertSecretRef is a certificate added to the transport layer
4760 when communicating with the Vault server.
4761 If no key for the Secret is specified, external-secrets will default to 'tls.crt'.
4762 properties:
4763 key:
4764 description: |-
4765 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
4766 defaulted, in others it may be required.
4767 type: string
4768 name:
4769 description: The name of the Secret resource being referred to.
4770 type: string
4771 namespace:
4772 description: |-
4773 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
4774 to the namespace of the referent.
4775 type: string
4776 type: object
4777 keySecretRef:
4778 description: |-
4779 KeySecretRef to a key in a Secret resource containing client private key
4780 added to the transport layer when communicating with the Vault server.
4781 If no key for the Secret is specified, external-secrets will default to 'tls.key'.
4782 properties:
4783 key:
4784 description: |-
4785 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
4786 defaulted, in others it may be required.
4787 type: string
4788 name:
4789 description: The name of the Secret resource being referred to.
4790 type: string
4791 namespace:
4792 description: |-
4793 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
4794 to the namespace of the referent.
4795 type: string
4796 type: object
4797 type: object
4798 version:
4799 default: v2
4800 description: |-
4801 Version is the Vault KV secret engine version. This can be either "v1" or
4802 "v2". Version defaults to "v2".
4803 enum:
4804 - v1
4805 - v2
4806 type: string
4807 required:
4808 - auth
4809 - server
4810 type: object
4811 webhook:
4812 description: Webhook configures this store to sync secrets using a generic templated webhook
4813 properties:
4814 body:
4815 description: Request body to send to the webhook; it may contain template expressions, which are rendered with the values provided under `secrets`.
4816 type: string
4817 caBundle:
4818 description: |-
4819 PEM encoded CA bundle used to validate webhook server certificate. Only used
4820 if the Server URL is using HTTPS protocol. This parameter is ignored for
4821 plain HTTP protocol connection. If not set the system root certificates
4822 are used to validate the TLS connection.
4823 format: byte
4824 type: string
4825 caProvider:
4826 description: The provider for the CA bundle to use to validate webhook server certificate.
4827 properties:
4828 key:
4829 description: The key of the entry inside the referenced object to use, only used with the "Secret" type
4830 type: string
4831 name:
4832 description: The name of the object located at the provider type.
4833 type: string
4834 namespace:
4835 description: The namespace the Provider type is in.
4836 type: string
4837 type:
4838 description: The type of provider to use such as "Secret", or "ConfigMap".
4839 enum:
4840 - Secret
4841 - ConfigMap
4842 type: string
4843 required:
4844 - name
4845 - type
4846 type: object
4847 headers:
4848 additionalProperties:
4849 type: string
4850 description: HTTP headers to send with the webhook request, as a map of header name to value.
4851 type: object
4852 method:
4853 description: HTTP method to use for the webhook request (e.g. GET or POST).
4854 type: string
4855 result:
4856 description: Result formatting
4857 properties:
4858 jsonPath:
4859 description: Json path of return value
4860 type: string
4861 type: object
4862 secrets:
4863 description: |-
4864 Secrets to fill in templates
4865 These secrets will be passed to the templating function as key value pairs under the given name
4866 items:
4867 properties:
4868 name:
4869 description: Name of this secret in templates
4870 type: string
4871 secretRef:
4872 description: Secret ref to fill in credentials
4873 properties:
4874 key:
4875 description: |-
4876 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
4877 defaulted, in others it may be required.
4878 type: string
4879 name:
4880 description: The name of the Secret resource being referred to.
4881 type: string
4882 namespace:
4883 description: |-
4884 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
4885 to the namespace of the referent.
4886 type: string
4887 type: object
4888 required:
4889 - name
4890 - secretRef
4891 type: object
4892 type: array
4893 timeout:
4894 description: Timeout for the webhook request, expressed as a duration string.
4895 type: string
4896 url:
4897 description: Webhook URL to call. Use an https:// URL where possible; over plain HTTP the request, including any templated secret values, is sent in cleartext and caBundle/caProvider are ignored.
4898 type: string
4899 required:
4900 - result
4901 - url
4902 type: object
4903 yandexcertificatemanager:
4904 description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider
4905 properties:
4906 apiEndpoint:
4907 description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
4908 type: string
4909 auth:
4910 description: Auth defines the information necessary to authenticate against Yandex Certificate Manager
4911 properties:
4912 authorizedKeySecretRef:
4913 description: The authorized key used for authentication
4914 properties:
4915 key:
4916 description: |-
4917 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
4918 defaulted, in others it may be required.
4919 type: string
4920 name:
4921 description: The name of the Secret resource being referred to.
4922 type: string
4923 namespace:
4924 description: |-
4925 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
4926 to the namespace of the referent.
4927 type: string
4928 type: object
4929 type: object
4930 caProvider:
4931 description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
4932 properties:
4933 certSecretRef:
4934 description: |-
4935 A reference to a specific 'key' within a Secret resource,
4936 In some instances, `key` is a required field.
4937 properties:
4938 key:
4939 description: |-
4940 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
4941 defaulted, in others it may be required.
4942 type: string
4943 name:
4944 description: The name of the Secret resource being referred to.
4945 type: string
4946 namespace:
4947 description: |-
4948 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
4949 to the namespace of the referent.
4950 type: string
4951 type: object
4952 type: object
4953 required:
4954 - auth
4955 type: object
4956 yandexlockbox:
4957 description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
4958 properties:
4959 apiEndpoint:
4960 description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
4961 type: string
4962 auth:
4963 description: Auth defines the information necessary to authenticate against Yandex Lockbox
4964 properties:
4965 authorizedKeySecretRef:
4966 description: The authorized key used for authentication
4967 properties:
4968 key:
4969 description: |-
4970 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
4971 defaulted, in others it may be required.
4972 type: string
4973 name:
4974 description: The name of the Secret resource being referred to.
4975 type: string
4976 namespace:
4977 description: |-
4978 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
4979 to the namespace of the referent.
4980 type: string
4981 type: object
4982 type: object
4983 caProvider:
4984 description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
4985 properties:
4986 certSecretRef:
4987 description: |-
4988 A reference to a specific 'key' within a Secret resource,
4989 In some instances, `key` is a required field.
4990 properties:
4991 key:
4992 description: |-
4993 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
4994 defaulted, in others it may be required.
4995 type: string
4996 name:
4997 description: The name of the Secret resource being referred to.
4998 type: string
4999 namespace:
5000 description: |-
5001 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
5002 to the namespace of the referent.
5003 type: string
5004 type: object
5005 type: object
5006 required:
5007 - auth
5008 type: object
5009 type: object
5010 refreshInterval:
5011 description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config.
5012 type: integer
5013 retrySettings:
5014 description: Used to configure http retries if failed
5015 properties:
5016 maxRetries:
5017 format: int32
5018 type: integer
5019 retryInterval:
5020 type: string
5021 type: object
5022 required:
5023 - provider
5024 type: object
5025 status:
5026 description: SecretStoreStatus defines the observed state of the SecretStore.
5027 properties:
5028 capabilities:
5029 description: SecretStoreCapabilities defines the possible operations a SecretStore can do.
5030 type: string
5031 conditions:
5032 items:
5033 properties:
5034 lastTransitionTime:
5035 format: date-time
5036 type: string
5037 message:
5038 type: string
5039 reason:
5040 type: string
5041 status:
5042 type: string
5043 type:
5044 type: string
5045 required:
5046 - status
5047 - type
5048 type: object
5049 type: array
5050 type: object
5051 type: object
5052 served: true
5053 storage: true
5054 subresources:
5055 status: {}
5056 conversion:
5057 strategy: Webhook
5058 webhook:
5059 conversionReviewVersions:
5060 - v1
5061 clientConfig:
5062 service:
5063 name: external-secrets-webhook
5064 namespace: "default"
5065 path: /convert
5066---
5067# Source: external-secrets/templates/crds/ecrauthorizationtoken.yaml
5068apiVersion: apiextensions.k8s.io/v1
5069kind: CustomResourceDefinition
5070metadata:
5071 annotations:
5072 controller-gen.kubebuilder.io/version: v0.14.0
5073 name: ecrauthorizationtokens.generators.external-secrets.io
5074spec:
5075 group: generators.external-secrets.io
5076 names:
5077 categories:
5078 - ecrauthorizationtoken
5079 kind: ECRAuthorizationToken
5080 listKind: ECRAuthorizationTokenList
5081 plural: ecrauthorizationtokens
5082 shortNames:
5083 - ecrauthorizationtoken
5084 singular: ecrauthorizationtoken
5085 scope: Namespaced
5086 versions:
5087 - name: v1alpha1
5088 schema:
5089 openAPIV3Schema:
5090 description: |-
5091 ECRAuthorizationTokenSpec uses the GetAuthorizationToken API to retrieve an
5092 authorization token.
5093 The authorization token is valid for 12 hours.
5094 The authorizationToken returned is a base64 encoded string that can be decoded
5095 and used in a docker login command to authenticate to a registry.
5096 For more information, see Registry authentication (https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html#registry_auth) in the Amazon Elastic Container Registry User Guide.
5097 properties:
5098 apiVersion:
5099 description: |-
5100 APIVersion defines the versioned schema of this representation of an object.
5101 Servers should convert recognized schemas to the latest internal value, and
5102 may reject unrecognized values.
5103 More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
5104 type: string
5105 kind:
5106 description: |-
5107 Kind is a string value representing the REST resource this object represents.
5108 Servers may infer this from the endpoint the client submits requests to.
5109 Cannot be updated.
5110 In CamelCase.
5111 More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
5112 type: string
5113 metadata:
5114 type: object
5115 spec:
5116 properties:
5117 auth:
5118 description: Auth defines how to authenticate with AWS
5119 properties:
5120 jwt:
5121 description: Authenticate against AWS using service account tokens.
5122 properties:
5123 serviceAccountRef:
5124 description: A reference to a ServiceAccount resource.
5125 properties:
5126 audiences:
5127 description: |-
5128 Audience specifies the `aud` claim for the service account token
5129 If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
5130 then these audiences will be appended to the list
5131 items:
5132 type: string
5133 type: array
5134 name:
5135 description: The name of the ServiceAccount resource being referred to.
5136 type: string
5137 namespace:
5138 description: |-
5139 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
5140 to the namespace of the referent.
5141 type: string
5142 required:
5143 - name
5144 type: object
5145 type: object
5146 secretRef:
5147 description: |-
5148 AWSAuthSecretRef holds secret references for AWS credentials
5149 both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
5150 properties:
5151 accessKeyIDSecretRef:
5152 description: The AccessKeyID is used for authentication
5153 properties:
5154 key:
5155 description: |-
5156 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
5157 defaulted, in others it may be required.
5158 type: string
5159 name:
5160 description: The name of the Secret resource being referred to.
5161 type: string
5162 namespace:
5163 description: |-
5164 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
5165 to the namespace of the referent.
5166 type: string
5167 type: object
5168 secretAccessKeySecretRef:
5169 description: The SecretAccessKey is used for authentication
5170 properties:
5171 key:
5172 description: |-
5173 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
5174 defaulted, in others it may be required.
5175 type: string
5176 name:
5177 description: The name of the Secret resource being referred to.
5178 type: string
5179 namespace:
5180 description: |-
5181 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
5182 to the namespace of the referent.
5183 type: string
5184 type: object
5185 sessionTokenSecretRef:
5186 description: |-
5187 The SessionToken used for authentication
5188 This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
5189 see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
5190 properties:
5191 key:
5192 description: |-
5193 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
5194 defaulted, in others it may be required.
5195 type: string
5196 name:
5197 description: The name of the Secret resource being referred to.
5198 type: string
5199 namespace:
5200 description: |-
5201 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
5202 to the namespace of the referent.
5203 type: string
5204 type: object
5205 type: object
5206 type: object
5207 region:
5208 description: Region specifies the region to operate in.
5209 type: string
5210 role:
5211 description: |-
5212 Optional IAM role to assume, using the credentials obtained via `auth`, before making calls to the
5213 desired AWS service.
5214 type: string
5215 required:
5216 - region
5217 type: object
5218 type: object
5219 served: true
5220 storage: true
5221 subresources:
5222 status: {}
5223 conversion:
5224 strategy: Webhook
5225 webhook:
5226 conversionReviewVersions:
5227 - v1
5228 clientConfig:
5229 service:
5230 name: external-secrets-webhook
5231 namespace: "default"
5232 path: /convert
5233---
5234# Source: external-secrets/templates/crds/externalsecret.yaml
5235apiVersion: apiextensions.k8s.io/v1
5236kind: CustomResourceDefinition
5237metadata:
5238 annotations:
5239 controller-gen.kubebuilder.io/version: v0.14.0
5240 name: externalsecrets.external-secrets.io
5241spec:
5242 group: external-secrets.io
5243 names:
5244 categories:
5245 - externalsecrets
5246 kind: ExternalSecret
5247 listKind: ExternalSecretList
5248 plural: externalsecrets
5249 shortNames:
5250 - es
5251 singular: externalsecret
5252 scope: Namespaced
5253 versions:
5254 - additionalPrinterColumns:
5255 - jsonPath: .spec.secretStoreRef.name
5256 name: Store
5257 type: string
5258 - jsonPath: .spec.refreshInterval
5259 name: Refresh Interval
5260 type: string
5261 - jsonPath: .status.conditions[?(@.type=="Ready")].reason
5262 name: Status
5263 type: string
5264 deprecated: true
5265 name: v1alpha1
5266 schema:
5267 openAPIV3Schema:
5268 description: ExternalSecret is the Schema for the external-secrets API.
5269 properties:
5270 apiVersion:
5271 description: |-
5272 APIVersion defines the versioned schema of this representation of an object.
5273 Servers should convert recognized schemas to the latest internal value, and
5274 may reject unrecognized values.
5275 More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
5276 type: string
5277 kind:
5278 description: |-
5279 Kind is a string value representing the REST resource this object represents.
5280 Servers may infer this from the endpoint the client submits requests to.
5281 Cannot be updated.
5282 In CamelCase.
5283 More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
5284 type: string
5285 metadata:
5286 type: object
5287 spec:
5288 description: ExternalSecretSpec defines the desired state of ExternalSecret.
5289 properties:
5290 data:
5291 description: Data defines the connection between the Kubernetes Secret keys and the Provider data
5292 items:
5293 description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
5294 properties:
5295 remoteRef:
5296 description: ExternalSecretDataRemoteRef defines Provider data location.
5297 properties:
5298 conversionStrategy:
5299 default: Default
5300 description: Used to define a conversion Strategy
5301 enum:
5302 - Default
5303 - Unicode
5304 type: string
5305 key:
5306 description: Key is the key used in the Provider, mandatory
5307 type: string
5308 property:
5309 description: Used to select a specific property of the Provider value (if a map), if supported
5310 type: string
5311 version:
5312 description: Used to select a specific version of the Provider value, if supported
5313 type: string
5314 required:
5315 - key
5316 type: object
5317 secretKey:
5318 type: string
5319 required:
5320 - remoteRef
5321 - secretKey
5322 type: object
5323 type: array
5324 dataFrom:
5325 description: |-
5326 DataFrom is used to fetch all properties from a specific Provider data
5327 If multiple entries are specified, the Secret keys are merged in the specified order
5328 items:
5329 description: ExternalSecretDataRemoteRef defines Provider data location.
5330 properties:
5331 conversionStrategy:
5332 default: Default
5333 description: Used to define a conversion Strategy
5334 enum:
5335 - Default
5336 - Unicode
5337 type: string
5338 key:
5339 description: Key is the key used in the Provider, mandatory
5340 type: string
5341 property:
5342 description: Used to select a specific property of the Provider value (if a map), if supported
5343 type: string
5344 version:
5345 description: Used to select a specific version of the Provider value, if supported
5346 type: string
5347 required:
5348 - key
5349 type: object
5350 type: array
5351 refreshInterval:
5352 default: 1h
5353 description: |-
5354 RefreshInterval is the amount of time before the values are read again from the SecretStore provider
5355 Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
5356 May be set to zero to fetch and create it once. Defaults to 1h.
5357 type: string
5358 secretStoreRef:
5359 description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
5360 properties:
5361 kind:
5362 description: |-
5363 Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
5364 Defaults to `SecretStore`
5365 type: string
5366 name:
5367 description: Name of the SecretStore resource
5368 type: string
5369 required:
5370 - name
5371 type: object
5372 target:
5373 description: |-
5374 ExternalSecretTarget defines the Kubernetes Secret to be created
5375 There can be only one target per ExternalSecret.
5376 properties:
5377 creationPolicy:
5378 default: Owner
5379 description: |-
5380 CreationPolicy defines rules on how to create the resulting Secret
5381 Defaults to 'Owner'
5382 enum:
5383 - Owner
5384 - Merge
5385 - None
5386 type: string
5387 immutable:
5388 description: Immutable defines if the final secret will be immutable
5389 type: boolean
5390 name:
5391 description: |-
5392 Name defines the name of the Secret resource to be managed
5393 This field is immutable
5394 Defaults to the .metadata.name of the ExternalSecret resource
5395 type: string
5396 template:
5397 description: Template defines a blueprint for the created Secret resource.
5398 properties:
5399 data:
5400 additionalProperties:
5401 type: string
5402 type: object
5403 engineVersion:
5404 default: v1
5405 description: |-
5406 EngineVersion specifies the template engine version
5407 that should be used to compile/execute the
5408 template specified in .data and .templateFrom[].
5409 enum:
5410 - v1
5411 - v2
5412 type: string
5413 metadata:
5414 description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
5415 properties:
5416 annotations:
5417 additionalProperties:
5418 type: string
5419 type: object
5420 labels:
5421 additionalProperties:
5422 type: string
5423 type: object
5424 type: object
5425 templateFrom:
5426 items:
5427 maxProperties: 1
5428 minProperties: 1
5429 properties:
5430 configMap:
5431 properties:
5432 items:
5433 items:
5434 properties:
5435 key:
5436 type: string
5437 required:
5438 - key
5439 type: object
5440 type: array
5441 name:
5442 type: string
5443 required:
5444 - items
5445 - name
5446 type: object
5447 secret:
5448 properties:
5449 items:
5450 items:
5451 properties:
5452 key:
5453 type: string
5454 required:
5455 - key
5456 type: object
5457 type: array
5458 name:
5459 type: string
5460 required:
5461 - items
5462 - name
5463 type: object
5464 type: object
5465 type: array
5466 type:
5467 type: string
5468 type: object
5469 type: object
5470 required:
5471 - secretStoreRef
5472 - target
5473 type: object
5474 status:
5475 properties:
5476 binding:
5477 description: Binding represents a servicebinding.io Provisioned Service reference to the secret
5478 properties:
5479 name:
5480 description: |-
5481 Name of the referent.
5482 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
5483 TODO: Add other useful fields. apiVersion, kind, uid?
5484 type: string
5485 type: object
5486 x-kubernetes-map-type: atomic
5487 conditions:
5488 items:
5489 properties:
5490 lastTransitionTime:
5491 format: date-time
5492 type: string
5493 message:
5494 type: string
5495 reason:
5496 type: string
5497 status:
5498 type: string
5499 type:
5500 type: string
5501 required:
5502 - status
5503 - type
5504 type: object
5505 type: array
5506 refreshTime:
5507 description: |-
5508 refreshTime is the time and date the external secret was fetched and
5509 the target secret updated
5510 format: date-time
5511 nullable: true
5512 type: string
5513 syncedResourceVersion:
5514 description: SyncedResourceVersion keeps track of the last synced version
5515 type: string
5516 type: object
5517 type: object
5518 served: true
5519 storage: false
5520 subresources:
5521 status: {}
5522 - additionalPrinterColumns:
5523 - jsonPath: .spec.secretStoreRef.name
5524 name: Store
5525 type: string
5526 - jsonPath: .spec.refreshInterval
5527 name: Refresh Interval
5528 type: string
5529 - jsonPath: .status.conditions[?(@.type=="Ready")].reason
5530 name: Status
5531 type: string
5532 - jsonPath: .status.conditions[?(@.type=="Ready")].status
5533 name: Ready
5534 type: string
5535 name: v1beta1
5536 schema:
5537 openAPIV3Schema:
5538 description: ExternalSecret is the Schema for the external-secrets API.
5539 properties:
5540 apiVersion:
5541 description: |-
5542 APIVersion defines the versioned schema of this representation of an object.
5543 Servers should convert recognized schemas to the latest internal value, and
5544 may reject unrecognized values.
5545 More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
5546 type: string
5547 kind:
5548 description: |-
5549 Kind is a string value representing the REST resource this object represents.
5550 Servers may infer this from the endpoint the client submits requests to.
5551 Cannot be updated.
5552 In CamelCase.
5553 More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
5554 type: string
5555 metadata:
5556 type: object
5557 spec:
5558 description: ExternalSecretSpec defines the desired state of ExternalSecret.
5559 properties:
5560 data:
5561 description: Data defines the connection between the Kubernetes Secret keys and the Provider data
5562 items:
5563 description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
5564 properties:
5565 remoteRef:
5566 description: |-
5567 RemoteRef points to the remote secret and defines
5568 which secret (version/property/..) to fetch.
5569 properties:
5570 conversionStrategy:
5571 default: Default
5572 description: Used to define a conversion Strategy
5573 enum:
5574 - Default
5575 - Unicode
5576 type: string
5577 decodingStrategy:
5578 default: None
5579 description: Used to define a decoding Strategy
5580 enum:
5581 - Auto
5582 - Base64
5583 - Base64URL
5584 - None
5585 type: string
5586 key:
5587 description: Key is the key used in the Provider, mandatory
5588 type: string
5589 metadataPolicy:
5590 default: None
5591 description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
5592 enum:
5593 - None
5594 - Fetch
5595 type: string
5596 property:
5597 description: Used to select a specific property of the Provider value (if a map), if supported
5598 type: string
5599 version:
5600 description: Used to select a specific version of the Provider value, if supported
5601 type: string
5602 required:
5603 - key
5604 type: object
5605 secretKey:
5606 description: |-
5607 SecretKey defines the key in which the controller stores
5608 the value. This is the key in the Kind=Secret
5609 type: string
5610 sourceRef:
5611 description: |-
5612 SourceRef allows you to override the source
5613 from which the value will be pulled.
5614 maxProperties: 1
5615 properties:
5616 generatorRef:
5617 description: |-
5618 GeneratorRef points to a generator custom resource.
5619
5620
5621 Deprecated: generatorRef is not implemented in .data[] and
5622 will be removed with v1.
5623 properties:
5624 apiVersion:
5625 default: generators.external-secrets.io/v1alpha1
5626 description: Specify the apiVersion of the generator resource
5627 type: string
5628 kind:
5629 description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc.
5630 type: string
5631 name:
5632 description: Specify the name of the generator resource
5633 type: string
5634 required:
5635 - kind
5636 - name
5637 type: object
5638 storeRef:
5639 description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
5640 properties:
5641 kind:
5642 description: |-
5643 Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
5644 Defaults to `SecretStore`
5645 type: string
5646 name:
5647 description: Name of the SecretStore resource
5648 type: string
5649 required:
5650 - name
5651 type: object
5652 type: object
5653 required:
5654 - remoteRef
5655 - secretKey
5656 type: object
5657 type: array
5658 dataFrom:
5659 description: |-
5660 DataFrom is used to fetch all properties from a specific Provider data
5661 If multiple entries are specified, the Secret keys are merged in the specified order
5662 items:
5663 properties:
5664 extract:
5665 description: |-
5666 Used to extract multiple key/value pairs from one secret
5667 Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
5668 properties:
5669 conversionStrategy:
5670 default: Default
5671 description: Used to define a conversion Strategy
5672 enum:
5673 - Default
5674 - Unicode
5675 type: string
5676 decodingStrategy:
5677 default: None
5678 description: Used to define a decoding Strategy
5679 enum:
5680 - Auto
5681 - Base64
5682 - Base64URL
5683 - None
5684 type: string
5685 key:
5686 description: Key is the key used in the Provider, mandatory
5687 type: string
5688 metadataPolicy:
5689 default: None
5690 description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
5691 enum:
5692 - None
5693 - Fetch
5694 type: string
5695 property:
5696 description: Used to select a specific property of the Provider value (if a map), if supported
5697 type: string
5698 version:
5699 description: Used to select a specific version of the Provider value, if supported
5700 type: string
5701 required:
5702 - key
5703 type: object
5704 find:
5705 description: |-
5706 Used to find secrets based on tags or regular expressions
5707 Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
5708 properties:
5709 conversionStrategy:
5710 default: Default
5711 description: Used to define a conversion Strategy
5712 enum:
5713 - Default
5714 - Unicode
5715 type: string
5716 decodingStrategy:
5717 default: None
5718 description: Used to define a decoding Strategy
5719 enum:
5720 - Auto
5721 - Base64
5722 - Base64URL
5723 - None
5724 type: string
5725 name:
5726 description: Finds secrets based on the name.
5727 properties:
5728 regexp:
5729 description: Finds secrets whose name matches this regular expression.
5730 type: string
5731 type: object
5732 path:
5733 description: A root path to start the find operations.
5734 type: string
5735 tags:
5736 additionalProperties:
5737 type: string
5738 description: Find secrets based on tags.
5739 type: object
5740 type: object
5741 rewrite:
5742 description: |-
5743 Used to rewrite secret Keys after getting them from the secret Provider
5744 Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
5745 items:
5746 properties:
5747 regexp:
5748 description: |-
5749 Used to rewrite with regular expressions.
5750 The resulting key will be the output of a regexp.ReplaceAll operation.
5751 properties:
5752 source:
5753 description: The regular expression to match against the secret key (Go regexp syntax).
5754 type: string
5755 target:
5756 description: Used to define the target pattern of a ReplaceAll operation.
5757 type: string
5758 required:
5759 - source
5760 - target
5761 type: object
5762 transform:
5763 description: |-
5764 Used to apply string transformation on the secrets.
5765 The resulting key will be the output of the template applied by the operation.
5766 properties:
5767 template:
5768 description: |-
5769 Used to define the template to apply on the secret name.
5770 `.value` refers to the secret name within the template.
5771 type: string
5772 required:
5773 - template
5774 type: object
5775 type: object
5776 type: array
5777 sourceRef:
5778 description: |-
5779 SourceRef points to a store or generator
5780 which contains secret values ready to use.
5781 Use this in combination with Extract or Find to pull values out of
5782 a specific SecretStore.
5783 When sourceRef points to a generator Extract or Find is not supported.
5784 The generator returns a static map of values
5785 maxProperties: 1
5786 properties:
5787 generatorRef:
5788 description: GeneratorRef points to a generator custom resource.
5789 properties:
5790 apiVersion:
5791 default: generators.external-secrets.io/v1alpha1
5792 description: Specify the apiVersion of the generator resource
5793 type: string
5794 kind:
5795 description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc.
5796 type: string
5797 name:
5798 description: Specify the name of the generator resource
5799 type: string
5800 required:
5801 - kind
5802 - name
5803 type: object
5804 storeRef:
5805 description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
5806 properties:
5807 kind:
5808 description: |-
5809 Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
5810 Defaults to `SecretStore`
5811 type: string
5812 name:
5813 description: Name of the SecretStore resource
5814 type: string
5815 required:
5816 - name
5817 type: object
5818 type: object
5819 type: object
5820 type: array
5821 refreshInterval:
5822 default: 1h
5823 description: |-
5824 RefreshInterval is the amount of time before the values are read again from the SecretStore provider
5825 Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
5826 May be set to zero to fetch and create it once. Defaults to 1h.
5827 type: string
5828 secretStoreRef:
5829 description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
5830 properties:
5831 kind:
5832 description: |-
5833 Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
5834 Defaults to `SecretStore`
5835 type: string
5836 name:
5837 description: Name of the SecretStore resource
5838 type: string
5839 required:
5840 - name
5841 type: object
5842 target:
5843 default:
5844 creationPolicy: Owner
5845 deletionPolicy: Retain
5846 description: |-
5847 ExternalSecretTarget defines the Kubernetes Secret to be created
5848 There can be only one target per ExternalSecret.
5849 properties:
5850 creationPolicy:
5851 default: Owner
5852 description: |-
5853 CreationPolicy defines rules on how to create the resulting Secret
5854 Defaults to 'Owner'
5855 enum:
5856 - Owner
5857 - Orphan
5858 - Merge
5859 - None
5860 type: string
5861 deletionPolicy:
5862 default: Retain
5863 description: |-
5864 DeletionPolicy defines rules on how to delete the resulting Secret
5865 Defaults to 'Retain'
5866 enum:
5867 - Delete
5868 - Merge
5869 - Retain
5870 type: string
5871 immutable:
5872 description: Immutable defines if the final secret will be immutable
5873 type: boolean
5874 name:
5875 description: |-
5876 Name defines the name of the Secret resource to be managed
5877 This field is immutable
5878 Defaults to the .metadata.name of the ExternalSecret resource
5879 type: string
5880 template:
5881 description: Template defines a blueprint for the created Secret resource.
5882 properties:
5883 data:
5884 additionalProperties:
5885 type: string
5886 type: object
5887 engineVersion:
5888 default: v2
5889 description: |-
5890 EngineVersion specifies the template engine version
5891 that should be used to compile/execute the
5892 template specified in .data and .templateFrom[].
5893 enum:
5894 - v1
5895 - v2
5896 type: string
5897 mergePolicy:
5898 default: Replace
5899 enum:
5900 - Replace
5901 - Merge
5902 type: string
5903 metadata:
5904 description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
5905 properties:
5906 annotations:
5907 additionalProperties:
5908 type: string
5909 type: object
5910 labels:
5911 additionalProperties:
5912 type: string
5913 type: object
5914 type: object
5915 templateFrom:
5916 items:
5917 properties:
5918 configMap:
5919 properties:
5920 items:
5921 items:
5922 properties:
5923 key:
5924 type: string
5925 templateAs:
5926 default: Values
5927 enum:
5928 - Values
5929 - KeysAndValues
5930 type: string
5931 required:
5932 - key
5933 type: object
5934 type: array
5935 name:
5936 type: string
5937 required:
5938 - items
5939 - name
5940 type: object
5941 literal:
5942 type: string
5943 secret:
5944 properties:
5945 items:
5946 items:
5947 properties:
5948 key:
5949 type: string
5950 templateAs:
5951 default: Values
5952 enum:
5953 - Values
5954 - KeysAndValues
5955 type: string
5956 required:
5957 - key
5958 type: object
5959 type: array
5960 name:
5961 type: string
5962 required:
5963 - items
5964 - name
5965 type: object
5966 target:
5967 default: Data
5968 enum:
5969 - Data
5970 - Annotations
5971 - Labels
5972 type: string
5973 type: object
5974 type: array
5975 type:
5976 type: string
5977 type: object
5978 type: object
5979 type: object
5980 status:
5981 properties:
5982 binding:
5983 description: Binding represents a servicebinding.io Provisioned Service reference to the secret
5984 properties:
5985 name:
5986 description: |-
5987 Name of the referent.
5988 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
5989 TODO: Add other useful fields. apiVersion, kind, uid?
5990 type: string
5991 type: object
5992 x-kubernetes-map-type: atomic
5993 conditions:
5994 items:
5995 properties:
5996 lastTransitionTime:
5997 format: date-time
5998 type: string
5999 message:
6000 type: string
6001 reason:
6002 type: string
6003 status:
6004 type: string
6005 type:
6006 type: string
6007 required:
6008 - status
6009 - type
6010 type: object
6011 type: array
6012 refreshTime:
6013 description: |-
6014 refreshTime is the time and date the external secret was fetched and
6015 the target secret updated
6016 format: date-time
6017 nullable: true
6018 type: string
6019 syncedResourceVersion:
6020 description: SyncedResourceVersion keeps track of the last synced version
6021 type: string
6022 type: object
6023 type: object
6024 served: true
6025 storage: true
6026 subresources:
6027 status: {}
6028 conversion:
6029 strategy: Webhook
6030 webhook:
6031 conversionReviewVersions:
6032 - v1
6033 clientConfig:
6034 service:
6035 name: external-secrets-webhook
6036 namespace: "default"
6037 path: /convert
6038---
# Source: external-secrets/templates/crds/fake.yaml
# CRD for the `Fake` generator. Per its own schema description it exists for
# testing: whatever is put in spec.data is what the generator returns. Those
# values live on the CR object itself (not in a Secret), so anyone who can read
# `fakes` objects can read them — scope RBAC on this resource accordingly.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.14.0
  name: fakes.generators.external-secrets.io
spec:
  group: generators.external-secrets.io
  names:
    categories:
    - fake
    kind: Fake
    listKind: FakeList
    plural: fakes
    shortNames:
    - fake
    singular: fake
  # Namespaced: a Fake can only be referenced from its own namespace.
  scope: Namespaced
  versions:
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        description: |-
          Fake generator is used for testing. It lets you define
          a static set of credentials that is always returned.
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
          spec:
            description: FakeSpec contains the static data.
            properties:
              controller:
                description: |-
                  Used to select the correct ESO controller (think: ingress.ingressClassName)
                  The ESO controller is instantiated with a specific controller name and filters VDS based on this property
                type: string
              # Free-form string map; the schema puts no constraint on keys or
              # values beyond "string", and nothing here is marked as required.
              data:
                additionalProperties:
                  type: string
                description: |-
                  Data defines the static data returned
                  by this generator.
                type: object
            type: object
        type: object
    served: true
    storage: true
    subresources:
      status: {}
  # Conversion is delegated to the chart's webhook Service. No caBundle appears
  # in this rendered output; presumably it is injected at runtime by the
  # cert-controller this chart deploys — confirm before relying on conversion.
  conversion:
    strategy: Webhook
    webhook:
      conversionReviewVersions:
      - v1
      clientConfig:
        service:
          name: external-secrets-webhook
          namespace: "default"
          path: /convert
6114---
# Source: external-secrets/templates/crds/gcraccesstoken.yaml
# CRD for the `GCRAccessToken` generator: produces a GCP access token for GCR
# from either a secret-access-key stored in a Secret or GKE Workload Identity
# bound to a ServiceAccount (see spec.auth below). `auth` and `projectID` are
# the only required fields.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.14.0
  name: gcraccesstokens.generators.external-secrets.io
spec:
  group: generators.external-secrets.io
  names:
    categories:
    - gcraccesstoken
    kind: GCRAccessToken
    listKind: GCRAccessTokenList
    plural: gcraccesstokens
    shortNames:
    - gcraccesstoken
    singular: gcraccesstoken
  # Namespaced: the `namespace` fields on the refs below are documented as
  # ignored for non-cluster-scoped referents, so refs resolve in this namespace.
  scope: Namespaced
  versions:
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        description: |-
          GCRAccessToken generates an GCP access token
          that can be used to authenticate with GCR.
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
          spec:
            properties:
              # Two auth mechanisms are modelled; the schema itself does not
              # force exactly one of them (no oneOf / min-maxProperties here).
              auth:
                description: Auth defines the means for authenticating with GCP
                properties:
                  # Long-lived credential path: a key inside a Secret.
                  secretRef:
                    properties:
                      secretAccessKeySecretRef:
                        description: The SecretAccessKey is used for authentication
                        properties:
                          key:
                            description: |-
                              The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                              defaulted, in others it may be required.
                            type: string
                          name:
                            description: The name of the Secret resource being referred to.
                            type: string
                          namespace:
                            description: |-
                              Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                              to the namespace of the referent.
                            type: string
                        type: object
                    type: object
                  # Short-lived credential path: a ServiceAccount token
                  # exchanged via Workload Identity; preferable to a static key.
                  workloadIdentity:
                    properties:
                      clusterLocation:
                        type: string
                      clusterName:
                        type: string
                      clusterProjectID:
                        type: string
                      serviceAccountRef:
                        description: A reference to a ServiceAccount resource.
                        properties:
                          audiences:
                            description: |-
                              Audience specifies the `aud` claim for the service account token
                              If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
                              then this audiences will be appended to the list
                            items:
                              type: string
                            type: array
                          name:
                            description: The name of the ServiceAccount resource being referred to.
                            type: string
                          namespace:
                            description: |-
                              Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                              to the namespace of the referent.
                            type: string
                        required:
                        - name
                        type: object
                    required:
                    - clusterLocation
                    - clusterName
                    - serviceAccountRef
                    type: object
                type: object
              projectID:
                description: ProjectID defines which project to use to authenticate with
                type: string
            required:
            - auth
            - projectID
            type: object
        type: object
    served: true
    storage: true
    subresources:
      status: {}
  # Conversion is delegated to the chart's webhook Service. No caBundle appears
  # in this rendered output; presumably it is injected at runtime by the
  # cert-controller this chart deploys — confirm before relying on conversion.
  conversion:
    strategy: Webhook
    webhook:
      conversionReviewVersions:
      - v1
      clientConfig:
        service:
          name: external-secrets-webhook
          namespace: "default"
          path: /convert
6242---
# Source: external-secrets/templates/crds/githubaccesstoken.yaml
# CRD for the `GithubAccessToken` generator: mints a GitHub App installation
# token (ghs_...) from an App ID, installation ID and the App's private key,
# which is read from a Secret via spec.auth.privatKey.secretRef.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.14.0
  name: githubaccesstokens.generators.external-secrets.io
spec:
  group: generators.external-secrets.io
  names:
    categories:
    - githubaccesstoken
    kind: GithubAccessToken
    listKind: GithubAccessTokenList
    plural: githubaccesstokens
    shortNames:
    - githubaccesstoken
    singular: githubaccesstoken
  scope: Namespaced
  versions:
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        description: GithubAccessToken generates ghs_ accessToken
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
          spec:
            properties:
              appID:
                type: string
              auth:
                description: Auth configures how ESO authenticates with a Github instance.
                properties:
                  # NOTE: the field is spelled `privatKey` in the served API
                  # (also in `required` below). Do not "correct" it by hand in
                  # this manifest — the controller and existing objects use
                  # this name; a rename belongs in the upstream Go types.
                  privatKey:
                    properties:
                      secretRef:
                        description: |-
                          A reference to a specific 'key' within a Secret resource,
                          In some instances, `key` is a required field.
                        properties:
                          key:
                            description: |-
                              The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                              defaulted, in others it may be required.
                            type: string
                          name:
                            description: The name of the Secret resource being referred to.
                            type: string
                          namespace:
                            description: |-
                              Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                              to the namespace of the referent.
                            type: string
                        type: object
                    required:
                    - secretRef
                    type: object
                required:
                - privatKey
                type: object
              installID:
                type: string
              # The App private key referenced above is presumably used to
              # authenticate against whatever host this points at, so treat
              # write access to this resource as equivalent to access to the key.
              url:
                description: URL configures the Github instance URL. Defaults to https://github.com/.
                type: string
            required:
            - appID
            - auth
            - installID
            type: object
        type: object
    served: true
    storage: true
    subresources:
      status: {}
  # Conversion is delegated to the chart's webhook Service. No caBundle appears
  # in this rendered output; presumably it is injected at runtime by the
  # cert-controller this chart deploys — confirm before relying on conversion.
  conversion:
    strategy: Webhook
    webhook:
      conversionReviewVersions:
      - v1
      clientConfig:
        service:
          name: external-secrets-webhook
          namespace: "default"
          path: /convert
6344---
# Source: external-secrets/templates/crds/password.yaml
# CRD for the `Password` generator: random passwords shaped by length,
# digit/symbol counts and character-class switches in spec.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.14.0
  name: passwords.generators.external-secrets.io
spec:
  group: generators.external-secrets.io
  names:
    categories:
    - password
    kind: Password
    listKind: PasswordList
    plural: passwords
    shortNames:
    - password
    singular: password
  scope: Namespaced
  versions:
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        description: |-
          Password generates a random password based on the
          configuration parameters in spec.
          You can specify the length, characterset and other attributes.
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
          spec:
            description: PasswordSpec controls the behavior of the password generator.
            properties:
              allowRepeat:
                default: false
                description: set AllowRepeat to true to allow repeating characters.
                type: boolean
              # No `minimum` is declared on any of the integer fields in this
              # schema, so the API server accepts 0 or negative values for
              # digits/length/symbols; any range enforcement must happen in
              # the controller (not visible here — confirm).
              digits:
                description: |-
                  Digits specifies the number of digits in the generated
                  password. If omitted it defaults to 25% of the length of the password
                type: integer
              length:
                default: 24
                description: |-
                  Length of the password to be generated.
                  Defaults to 24
                type: integer
              noUpper:
                default: false
                description: Set NoUpper to disable uppercase characters
                type: boolean
              # No schema default is shown for the symbol set; what is used when
              # this is omitted is decided by the controller.
              symbolCharacters:
                description: |-
                  SymbolCharacters specifies the special characters that should be used
                  in the generated password.
                type: string
              symbols:
                description: |-
                  Symbols specifies the number of symbol characters in the generated
                  password. If omitted it defaults to 25% of the length of the password
                type: integer
            # The three required fields all carry defaults, so an empty spec
            # is accepted after defaulting.
            required:
            - allowRepeat
            - length
            - noUpper
            type: object
        type: object
    served: true
    storage: true
    subresources:
      status: {}
  # Conversion is delegated to the chart's webhook Service. No caBundle appears
  # in this rendered output; presumably it is injected at runtime by the
  # cert-controller this chart deploys — confirm before relying on conversion.
  conversion:
    strategy: Webhook
    webhook:
      conversionReviewVersions:
      - v1
      clientConfig:
        service:
          name: external-secrets-webhook
          namespace: "default"
          path: /convert
6442---
# Source: external-secrets/templates/crds/pushsecret.yaml
# CRD for `PushSecret`: the reverse direction of ExternalSecret. A Kubernetes
# Secret selected by spec.selector is written out to one or more secret stores
# (spec.secretStoreRefs). Because this resource *exports* cluster secrets, the
# store refs, label selector and deletion/update policies below are the
# security-relevant knobs.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.14.0
  name: pushsecrets.external-secrets.io
spec:
  group: external-secrets.io
  names:
    categories:
    - pushsecrets
    kind: PushSecret
    listKind: PushSecretList
    plural: pushsecrets
    singular: pushsecret
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - jsonPath: .metadata.creationTimestamp
      name: AGE
      type: date
    - jsonPath: .status.conditions[?(@.type=="Ready")].reason
      name: Status
      type: string
    name: v1alpha1
    schema:
      openAPIV3Schema:
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
          spec:
            description: PushSecretSpec configures the behavior of the PushSecret.
            properties:
              # Per-key mapping from the source Secret to the provider. Not
              # required: the schema lets `data` be omitted entirely.
              data:
                description: Secret Data that should be pushed to providers
                items:
                  properties:
                    conversionStrategy:
                      default: None
                      description: Used to define a conversion Strategy for the secret keys
                      enum:
                      - None
                      - ReverseUnicode
                      type: string
                    match:
                      description: Match a given Secret Key to be pushed to the provider.
                      properties:
                        remoteRef:
                          description: Remote Refs to push to providers.
                          properties:
                            property:
                              description: Name of the property in the resulting secret
                              type: string
                            # The destination name in the provider; only this
                            # is required, so the same remoteKey may be
                            # targeted by several PushSecrets.
                            remoteKey:
                              description: Name of the resulting provider secret.
                              type: string
                          required:
                          - remoteKey
                          type: object
                        secretKey:
                          description: Secret Key to be pushed
                          type: string
                      required:
                      - remoteRef
                      type: object
                    # Schema-less passthrough: the API server does not validate
                    # anything under `metadata`; the provider interprets it.
                    metadata:
                      description: |-
                        Metadata is metadata attached to the secret.
                        The structure of metadata is provider specific, please look it up in the provider documentation.
                      x-kubernetes-preserve-unknown-fields: true
                  required:
                  - match
                  type: object
                type: array
              # `Delete` removes the secret from the *provider* (per the field's
              # description), not just the cluster-side object. Default `None`
              # leaves provider data in place.
              deletionPolicy:
                default: None
                description: 'Deletion Policy to handle Secrets in the provider. Possible Values: "Delete/None". Defaults to "None".'
                enum:
                - Delete
                - None
                type: string
              # No schema default; the unit format is not constrained here.
              refreshInterval:
                description: The Interval to which External Secrets will try to push a secret definition
                type: string
              # Destination stores. An entry may name a store explicitly or
              # select stores by label; a broad labelSelector fans the secret
              # out to every matching store, so keep selectors tight.
              secretStoreRefs:
                items:
                  properties:
                    # `ClusterSecretStore` pushes through a cluster-scoped store.
                    kind:
                      default: SecretStore
                      description: |-
                        Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
                        Defaults to `SecretStore`
                      type: string
                    labelSelector:
                      description: Optionally, sync to secret stores with label selector
                      properties:
                        matchExpressions:
                          description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
                          items:
                            description: |-
                              A label selector requirement is a selector that contains values, a key, and an operator that
                              relates the key and values.
                            properties:
                              key:
                                description: key is the label key that the selector applies to.
                                type: string
                              operator:
                                description: |-
                                  operator represents a key's relationship to a set of values.
                                  Valid operators are In, NotIn, Exists and DoesNotExist.
                                type: string
                              values:
                                description: |-
                                  values is an array of string values. If the operator is In or NotIn,
                                  the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                  the values array must be empty. This array is replaced during a strategic
                                  merge patch.
                                items:
                                  type: string
                                type: array
                            required:
                            - key
                            - operator
                            type: object
                          type: array
                        matchLabels:
                          additionalProperties:
                            type: string
                          description: |-
                            matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                            map is equivalent to an element of matchExpressions, whose key field is "key", the
                            operator is "In", and the values array contains only "value". The requirements are ANDed.
                          type: object
                      type: object
                      x-kubernetes-map-type: atomic
                    name:
                      description: Optionally, sync to the SecretStore of the given name
                      type: string
                  # Neither `name` nor `labelSelector` is required by the
                  # schema; an entry with neither is accepted by the API server.
                  type: object
                type: array
              # Source Secret; the description restricts it to the PushSecret's
              # own namespace, so cross-namespace export is not expressible here.
              selector:
                description: The Secret Selector (k8s source) for the Push Secret
                properties:
                  secret:
                    description: Select a Secret to Push.
                    properties:
                      name:
                        description: Name of the Secret. The Secret must exist in the same namespace as the PushSecret manifest.
                        type: string
                    required:
                    - name
                    type: object
                required:
                - secret
                type: object
              # Same template block as ExternalSecret.target.template; templates
              # can pull additional material from ConfigMaps/Secrets via
              # templateFrom (each entry requires `items` and `name`).
              template:
                description: Template defines a blueprint for the created Secret resource.
                properties:
                  data:
                    additionalProperties:
                      type: string
                    type: object
                  engineVersion:
                    default: v2
                    description: |-
                      EngineVersion specifies the template engine version
                      that should be used to compile/execute the
                      template specified in .data and .templateFrom[].
                    enum:
                    - v1
                    - v2
                    type: string
                  mergePolicy:
                    default: Replace
                    enum:
                    - Replace
                    - Merge
                    type: string
                  metadata:
                    description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
                    properties:
                      annotations:
                        additionalProperties:
                          type: string
                        type: object
                      labels:
                        additionalProperties:
                          type: string
                        type: object
                    type: object
                  templateFrom:
                    items:
                      properties:
                        configMap:
                          properties:
                            items:
                              items:
                                properties:
                                  key:
                                    type: string
                                  templateAs:
                                    default: Values
                                    enum:
                                    - Values
                                    - KeysAndValues
                                    type: string
                                required:
                                - key
                                type: object
                              type: array
                            name:
                              type: string
                          required:
                          - items
                          - name
                          type: object
                        literal:
                          type: string
                        secret:
                          properties:
                            items:
                              items:
                                properties:
                                  key:
                                    type: string
                                  templateAs:
                                    default: Values
                                    enum:
                                    - Values
                                    - KeysAndValues
                                    type: string
                                required:
                                - key
                                type: object
                              type: array
                            name:
                              type: string
                          required:
                          - items
                          - name
                          type: object
                        target:
                          default: Data
                          enum:
                          - Data
                          - Annotations
                          - Labels
                          type: string
                      type: object
                    type: array
                  type:
                    type: string
                type: object
              # `IfNotExists` never overwrites a provider secret that is already
              # there; `Replace` (default) does.
              updatePolicy:
                default: Replace
                description: 'UpdatePolicy to handle Secrets in the provider. Possible Values: "Replace/IfNotExists". Defaults to "Replace".'
                enum:
                - Replace
                - IfNotExists
                type: string
            required:
            - secretStoreRefs
            - selector
            type: object
          status:
            description: PushSecretStatus indicates the history of the status of PushSecret.
            properties:
              conditions:
                items:
                  description: PushSecretStatusCondition indicates the status of the PushSecret.
                  properties:
                    lastTransitionTime:
                      format: date-time
                      type: string
                    message:
                      type: string
                    reason:
                      type: string
                    status:
                      type: string
                    type:
                      description: PushSecretConditionType indicates the condition of the PushSecret.
                      type: string
                  required:
                  - status
                  - type
                  type: object
                type: array
              refreshTime:
                description: |-
                  refreshTime is the time and date the external secret was fetched and
                  the target secret updated
                format: date-time
                nullable: true
                type: string
              # store name -> remoteKey -> the PushSecretData entry that was
              # pushed. Per the schema this records match/metadata (key names
              # and provider metadata), not the secret values themselves.
              syncedPushSecrets:
                additionalProperties:
                  additionalProperties:
                    properties:
                      conversionStrategy:
                        default: None
                        description: Used to define a conversion Strategy for the secret keys
                        enum:
                        - None
                        - ReverseUnicode
                        type: string
                      match:
                        description: Match a given Secret Key to be pushed to the provider.
                        properties:
                          remoteRef:
                            description: Remote Refs to push to providers.
                            properties:
                              property:
                                description: Name of the property in the resulting secret
                                type: string
                              remoteKey:
                                description: Name of the resulting provider secret.
                                type: string
                            required:
                            - remoteKey
                            type: object
                          secretKey:
                            description: Secret Key to be pushed
                            type: string
                        required:
                        - remoteRef
                        type: object
                      metadata:
                        description: |-
                          Metadata is metadata attached to the secret.
                          The structure of metadata is provider specific, please look it up in the provider documentation.
                        x-kubernetes-preserve-unknown-fields: true
                    required:
                    - match
                    type: object
                  type: object
                description: |-
                  Synced PushSecrets, including secrets that already exist in provider.
                  Matches secret stores to PushSecretData that was stored to that secret store.
                type: object
              syncedResourceVersion:
                description: SyncedResourceVersion keeps track of the last synced version.
                type: string
            type: object
        type: object
    served: true
    storage: true
    subresources:
      status: {}
  # Conversion is delegated to the chart's webhook Service. No caBundle appears
  # in this rendered output; presumably it is injected at runtime by the
  # cert-controller this chart deploys — confirm before relying on conversion.
  conversion:
    strategy: Webhook
    webhook:
      conversionReviewVersions:
      - v1
      clientConfig:
        service:
          name: external-secrets-webhook
          namespace: "default"
          path: /convert
6818---
6819# Source: external-secrets/templates/crds/secretstore.yaml
6820apiVersion: apiextensions.k8s.io/v1
6821kind: CustomResourceDefinition
6822metadata:
6823 annotations:
6824 controller-gen.kubebuilder.io/version: v0.14.0
6825 name: secretstores.external-secrets.io
6826spec:
6827 group: external-secrets.io
6828 names:
6829 categories:
6830 - externalsecrets
6831 kind: SecretStore
6832 listKind: SecretStoreList
6833 plural: secretstores
6834 shortNames:
6835 - ss
6836 singular: secretstore
6837 scope: Namespaced
6838 versions:
6839 - additionalPrinterColumns:
6840 - jsonPath: .metadata.creationTimestamp
6841 name: AGE
6842 type: date
6843 - jsonPath: .status.conditions[?(@.type=="Ready")].reason
6844 name: Status
6845 type: string
6846 deprecated: true
6847 name: v1alpha1
6848 schema:
6849 openAPIV3Schema:
6850 description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
6851 properties:
6852 apiVersion:
6853 description: |-
6854 APIVersion defines the versioned schema of this representation of an object.
6855 Servers should convert recognized schemas to the latest internal value, and
6856 may reject unrecognized values.
6857 More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
6858 type: string
6859 kind:
6860 description: |-
6861 Kind is a string value representing the REST resource this object represents.
6862 Servers may infer this from the endpoint the client submits requests to.
6863 Cannot be updated.
6864 In CamelCase.
6865 More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
6866 type: string
6867 metadata:
6868 type: object
6869 spec:
6870 description: SecretStoreSpec defines the desired state of SecretStore.
6871 properties:
6872 controller:
6873 description: |-
6874 Used to select the correct ESO controller (think: ingress.ingressClassName)
6875 The ESO controller is instantiated with a specific controller name and filters ES based on this property
6876 type: string
6877 provider:
6878 description: Used to configure the provider. Only one provider may be set
6879 maxProperties: 1
6880 minProperties: 1
6881 properties:
6882 akeyless:
6883 description: Akeyless configures this store to sync secrets using Akeyless Vault provider
6884 properties:
6885 akeylessGWApiURL:
6886 description: Akeyless GW API Url from which the secrets to be fetched from.
6887 type: string
6888 authSecretRef:
6889 description: Auth configures how the operator authenticates with Akeyless.
6890 properties:
6891 kubernetesAuth:
6892 description: |-
6893 Kubernetes authenticates with Akeyless by passing the ServiceAccount
6894 token stored in the named Secret resource.
6895 properties:
6896 accessID:
6897 description: the Akeyless Kubernetes auth-method access-id
6898 type: string
6899 k8sConfName:
6900 description: Kubernetes-auth configuration name in Akeyless-Gateway
6901 type: string
6902 secretRef:
6903 description: |-
6904 Optional secret field containing a Kubernetes ServiceAccount JWT used
6905 for authenticating with Akeyless. If a name is specified without a key,
6906 `token` is the default. If one is not specified, the one bound to
6907 the controller will be used.
6908 properties:
6909 key:
6910 description: |-
6911 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
6912 defaulted, in others it may be required.
6913 type: string
6914 name:
6915 description: The name of the Secret resource being referred to.
6916 type: string
6917 namespace:
6918 description: |-
6919 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
6920 to the namespace of the referent.
6921 type: string
6922 type: object
6923 serviceAccountRef:
6924 description: |-
6925 Optional service account field containing the name of a kubernetes ServiceAccount.
6926 If the service account is specified, the service account secret token JWT will be used
6927 for authenticating with Akeyless. If the service account selector is not supplied,
6928 the secretRef will be used instead.
6929 properties:
6930 audiences:
6931 description: |-
6932 Audience specifies the `aud` claim for the service account token.
6933 If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity,
6934 then these audiences will be appended to the list.
6935 items:
6936 type: string
6937 type: array
6938 name:
6939 description: The name of the ServiceAccount resource being referred to.
6940 type: string
6941 namespace:
6942 description: |-
6943 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
6944 to the namespace of the referent.
6945 type: string
6946 required:
6947 - name
6948 type: object
6949 required:
6950 - accessID
6951 - k8sConfName
6952 type: object
6953 secretRef:
6954 description: |-
6955 Reference to a Secret that contains the details
6956 to authenticate with Akeyless.
6957 properties:
6958 accessID:
6959 description: The SecretAccessID is used for authentication
6960 properties:
6961 key:
6962 description: |-
6963 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
6964 defaulted, in others it may be required.
6965 type: string
6966 name:
6967 description: The name of the Secret resource being referred to.
6968 type: string
6969 namespace:
6970 description: |-
6971 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
6972 to the namespace of the referent.
6973 type: string
6974 type: object
6975 accessType:
6976 description: |-
6977 A reference to a specific 'key' within a Secret resource,
6978 In some instances, `key` is a required field.
6979 properties:
6980 key:
6981 description: |-
6982 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
6983 defaulted, in others it may be required.
6984 type: string
6985 name:
6986 description: The name of the Secret resource being referred to.
6987 type: string
6988 namespace:
6989 description: |-
6990 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
6991 to the namespace of the referent.
6992 type: string
6993 type: object
6994 accessTypeParam:
6995 description: |-
6996 A reference to a specific 'key' within a Secret resource,
6997 In some instances, `key` is a required field.
6998 properties:
6999 key:
7000 description: |-
7001 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
7002 defaulted, in others it may be required.
7003 type: string
7004 name:
7005 description: The name of the Secret resource being referred to.
7006 type: string
7007 namespace:
7008 description: |-
7009 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
7010 to the namespace of the referent.
7011 type: string
7012 type: object
7013 type: object
7014 type: object
7015 caBundle:
7016 description: |-
7017 PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used
7018 if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates
7019 are used to validate the TLS connection.
7020 format: byte
7021 type: string
7022 caProvider:
7023 description: The provider for the CA bundle to use to validate Akeyless Gateway certificate.
7024 properties:
7025 key:
7026 description: The key of the value inside the provider type to use; only used with the "Secret" type
7027 type: string
7028 name:
7029 description: The name of the object located at the provider type.
7030 type: string
7031 namespace:
7032 description: The namespace the Provider type is in.
7033 type: string
7034 type:
7035 description: The type of provider to use such as "Secret", or "ConfigMap".
7036 enum:
7037 - Secret
7038 - ConfigMap
7039 type: string
7040 required:
7041 - name
7042 - type
7043 type: object
7044 required:
7045 - akeylessGWApiURL
7046 - authSecretRef
7047 type: object
7048 alibaba:
7049 description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
7050 properties:
7051 auth:
7052 description: AlibabaAuth contains a secretRef for credentials.
7053 properties:
7054 rrsa:
7055 description: Authenticate against Alibaba using RRSA.
7056 properties:
7057 oidcProviderArn:
7058 type: string
7059 oidcTokenFilePath:
7060 type: string
7061 roleArn:
7062 type: string
7063 sessionName:
7064 type: string
7065 required:
7066 - oidcProviderArn
7067 - oidcTokenFilePath
7068 - roleArn
7069 - sessionName
7070 type: object
7071 secretRef:
7072 description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
7073 properties:
7074 accessKeyIDSecretRef:
7075 description: The AccessKeyID is used for authentication
7076 properties:
7077 key:
7078 description: |-
7079 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
7080 defaulted, in others it may be required.
7081 type: string
7082 name:
7083 description: The name of the Secret resource being referred to.
7084 type: string
7085 namespace:
7086 description: |-
7087 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
7088 to the namespace of the referent.
7089 type: string
7090 type: object
7091 accessKeySecretSecretRef:
7092 description: The AccessKeySecret is used for authentication
7093 properties:
7094 key:
7095 description: |-
7096 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
7097 defaulted, in others it may be required.
7098 type: string
7099 name:
7100 description: The name of the Secret resource being referred to.
7101 type: string
7102 namespace:
7103 description: |-
7104 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
7105 to the namespace of the referent.
7106 type: string
7107 type: object
7108 required:
7109 - accessKeyIDSecretRef
7110 - accessKeySecretSecretRef
7111 type: object
7112 type: object
7113 regionID:
7114 description: Alibaba Region to be used for the provider
7115 type: string
7116 required:
7117 - auth
7118 - regionID
7119 type: object
7120 aws:
7121 description: AWS configures this store to sync secrets using AWS Secret Manager provider
7122 properties:
7123 auth:
7124 description: |-
7125 Auth defines the information necessary to authenticate against AWS
7126 If not set, the AWS SDK will infer credentials from your environment.
7127 see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
7128 properties:
7129 jwt:
7130 description: Authenticate against AWS using service account tokens.
7131 properties:
7132 serviceAccountRef:
7133 description: A reference to a ServiceAccount resource.
7134 properties:
7135 audiences:
7136 description: |-
7137 Audience specifies the `aud` claim for the service account token.
7138 If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity,
7139 then these audiences will be appended to the list.
7140 items:
7141 type: string
7142 type: array
7143 name:
7144 description: The name of the ServiceAccount resource being referred to.
7145 type: string
7146 namespace:
7147 description: |-
7148 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
7149 to the namespace of the referent.
7150 type: string
7151 required:
7152 - name
7153 type: object
7154 type: object
7155 secretRef:
7156 description: |-
7157 AWSAuthSecretRef holds secret references for AWS credentials
7158 both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
7159 properties:
7160 accessKeyIDSecretRef:
7161 description: The AccessKeyID is used for authentication
7162 properties:
7163 key:
7164 description: |-
7165 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
7166 defaulted, in others it may be required.
7167 type: string
7168 name:
7169 description: The name of the Secret resource being referred to.
7170 type: string
7171 namespace:
7172 description: |-
7173 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
7174 to the namespace of the referent.
7175 type: string
7176 type: object
7177 secretAccessKeySecretRef:
7178 description: The SecretAccessKey is used for authentication
7179 properties:
7180 key:
7181 description: |-
7182 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
7183 defaulted, in others it may be required.
7184 type: string
7185 name:
7186 description: The name of the Secret resource being referred to.
7187 type: string
7188 namespace:
7189 description: |-
7190 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
7191 to the namespace of the referent.
7192 type: string
7193 type: object
7194 type: object
7195 type: object
7196 region:
7197 description: AWS Region to be used for the provider
7198 type: string
7199 role:
7200 description: Role is a Role ARN which the SecretManager provider will assume
7201 type: string
7202 service:
7203 description: Service defines which service should be used to fetch the secrets
7204 enum:
7205 - SecretsManager
7206 - ParameterStore
7207 type: string
7208 required:
7209 - region
7210 - service
7211 type: object
7212 azurekv:
7213 description: AzureKV configures this store to sync secrets using Azure Key Vault provider
7214 properties:
7215 authSecretRef:
7216 description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type.
7217 properties:
7218 clientId:
7219 description: The Azure clientId of the service principal used for authentication.
7220 properties:
7221 key:
7222 description: |-
7223 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
7224 defaulted, in others it may be required.
7225 type: string
7226 name:
7227 description: The name of the Secret resource being referred to.
7228 type: string
7229 namespace:
7230 description: |-
7231 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
7232 to the namespace of the referent.
7233 type: string
7234 type: object
7235 clientSecret:
7236 description: The Azure ClientSecret of the service principal used for authentication.
7237 properties:
7238 key:
7239 description: |-
7240 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
7241 defaulted, in others it may be required.
7242 type: string
7243 name:
7244 description: The name of the Secret resource being referred to.
7245 type: string
7246 namespace:
7247 description: |-
7248 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
7249 to the namespace of the referent.
7250 type: string
7251 type: object
7252 type: object
7253 authType:
7254 default: ServicePrincipal
7255 description: |-
7256 Auth type defines how to authenticate to the keyvault service.
7257 Valid values are:
7258 - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
7259 - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
- "WorkloadIdentity": Using the Kubernetes ServiceAccount referenced by serviceAccountRef
7260 enum:
7261 - ServicePrincipal
7262 - ManagedIdentity
7263 - WorkloadIdentity
7264 type: string
7265 identityId:
7266 description: If multiple Managed Identities are assigned to the pod, this selects the one to be used.
7267 type: string
7268 serviceAccountRef:
7269 description: |-
7270 ServiceAccountRef specifies the service account
7271 that should be used when authenticating with WorkloadIdentity.
7272 properties:
7273 audiences:
7274 description: |-
7275 Audience specifies the `aud` claim for the service account token.
7276 If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity,
7277 then these audiences will be appended to the list.
7278 items:
7279 type: string
7280 type: array
7281 name:
7282 description: The name of the ServiceAccount resource being referred to.
7283 type: string
7284 namespace:
7285 description: |-
7286 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
7287 to the namespace of the referent.
7288 type: string
7289 required:
7290 - name
7291 type: object
7292 tenantId:
7293 description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
7294 type: string
7295 vaultUrl:
7296 description: Vault URL from which the secrets are fetched.
7297 type: string
7298 required:
7299 - vaultUrl
7300 type: object
7301 fake:
7302 description: Fake configures a store with static key/value pairs
7303 properties:
7304 data:
7305 items:
7306 properties:
7307 key:
7308 type: string
7309 value:
7310 type: string
7311 valueMap:
7312 additionalProperties:
7313 type: string
7314 type: object
7315 version:
7316 type: string
7317 required:
7318 - key
7319 type: object
7320 type: array
7321 required:
7322 - data
7323 type: object
7324 gcpsm:
7325 description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
7326 properties:
7327 auth:
7328 description: Auth defines the information necessary to authenticate against GCP
7329 properties:
7330 secretRef:
7331 properties:
7332 secretAccessKeySecretRef:
7333 description: The SecretAccessKey is used for authentication
7334 properties:
7335 key:
7336 description: |-
7337 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
7338 defaulted, in others it may be required.
7339 type: string
7340 name:
7341 description: The name of the Secret resource being referred to.
7342 type: string
7343 namespace:
7344 description: |-
7345 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
7346 to the namespace of the referent.
7347 type: string
7348 type: object
7349 type: object
7350 workloadIdentity:
7351 properties:
7352 clusterLocation:
7353 type: string
7354 clusterName:
7355 type: string
7356 clusterProjectID:
7357 type: string
7358 serviceAccountRef:
7359 description: A reference to a ServiceAccount resource.
7360 properties:
7361 audiences:
7362 description: |-
7363 Audience specifies the `aud` claim for the service account token.
7364 If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity,
7365 then these audiences will be appended to the list.
7366 items:
7367 type: string
7368 type: array
7369 name:
7370 description: The name of the ServiceAccount resource being referred to.
7371 type: string
7372 namespace:
7373 description: |-
7374 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
7375 to the namespace of the referent.
7376 type: string
7377 required:
7378 - name
7379 type: object
7380 required:
7381 - clusterLocation
7382 - clusterName
7383 - serviceAccountRef
7384 type: object
7385 type: object
7386 projectID:
7387 description: ProjectID project where secret is located
7388 type: string
7389 type: object
7390 gitlab:
7391 description: GitLab configures this store to sync secrets using GitLab Variables provider
7392 properties:
7393 auth:
7394 description: Auth configures how secret-manager authenticates with a GitLab instance.
7395 properties:
7396 SecretRef:
7397 properties:
7398 accessToken:
7399 description: AccessToken is used for authentication.
7400 properties:
7401 key:
7402 description: |-
7403 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
7404 defaulted, in others it may be required.
7405 type: string
7406 name:
7407 description: The name of the Secret resource being referred to.
7408 type: string
7409 namespace:
7410 description: |-
7411 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
7412 to the namespace of the referent.
7413 type: string
7414 type: object
7415 type: object
7416 required:
7417 - SecretRef
7418 type: object
7419 projectID:
7420 description: ProjectID specifies a project where secrets are located.
7421 type: string
7422 url:
7423 description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
7424 type: string
7425 required:
7426 - auth
7427 type: object
7428 ibm:
7429 description: IBM configures this store to sync secrets using IBM Cloud provider
7430 properties:
7431 auth:
7432 description: Auth configures how secret-manager authenticates with the IBM secrets manager.
7433 properties:
7434 secretRef:
7435 properties:
7436 secretApiKeySecretRef:
7437 description: The SecretApiKey is used for authentication
7438 properties:
7439 key:
7440 description: |-
7441 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
7442 defaulted, in others it may be required.
7443 type: string
7444 name:
7445 description: The name of the Secret resource being referred to.
7446 type: string
7447 namespace:
7448 description: |-
7449 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
7450 to the namespace of the referent.
7451 type: string
7452 type: object
7453 type: object
7454 required:
7455 - secretRef
7456 type: object
7457 serviceUrl:
7458 description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
7459 type: string
7460 required:
7461 - auth
7462 type: object
7463 kubernetes:
7464 description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
7465 properties:
7466 auth:
7467 description: Auth configures how secret-manager authenticates with a Kubernetes instance.
7468 maxProperties: 1
7469 minProperties: 1
7470 properties:
7471 cert:
7472 description: has both clientCert and clientKey as secretKeySelector
7473 properties:
7474 clientCert:
7475 description: |-
7476 A reference to a specific 'key' within a Secret resource,
7477 In some instances, `key` is a required field.
7478 properties:
7479 key:
7480 description: |-
7481 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
7482 defaulted, in others it may be required.
7483 type: string
7484 name:
7485 description: The name of the Secret resource being referred to.
7486 type: string
7487 namespace:
7488 description: |-
7489 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
7490 to the namespace of the referent.
7491 type: string
7492 type: object
7493 clientKey:
7494 description: |-
7495 A reference to a specific 'key' within a Secret resource,
7496 In some instances, `key` is a required field.
7497 properties:
7498 key:
7499 description: |-
7500 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
7501 defaulted, in others it may be required.
7502 type: string
7503 name:
7504 description: The name of the Secret resource being referred to.
7505 type: string
7506 namespace:
7507 description: |-
7508 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
7509 to the namespace of the referent.
7510 type: string
7511 type: object
7512 type: object
7513 serviceAccount:
7514 description: points to a service account that should be used for authentication
7515 properties:
7516 serviceAccount:
7517 description: A reference to a ServiceAccount resource.
7518 properties:
7519 audiences:
7520 description: |-
7521 Audience specifies the `aud` claim for the service account token.
7522 If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity,
7523 then these audiences will be appended to the list.
7524 items:
7525 type: string
7526 type: array
7527 name:
7528 description: The name of the ServiceAccount resource being referred to.
7529 type: string
7530 namespace:
7531 description: |-
7532 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
7533 to the namespace of the referent.
7534 type: string
7535 required:
7536 - name
7537 type: object
7538 type: object
7539 token:
7540 description: Use a static bearer token to authenticate with the Kubernetes server
7541 properties:
7542 bearerToken:
7543 description: |-
7544 A reference to a specific 'key' within a Secret resource,
7545 In some instances, `key` is a required field.
7546 properties:
7547 key:
7548 description: |-
7549 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
7550 defaulted, in others it may be required.
7551 type: string
7552 name:
7553 description: The name of the Secret resource being referred to.
7554 type: string
7555 namespace:
7556 description: |-
7557 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
7558 to the namespace of the referent.
7559 type: string
7560 type: object
7561 type: object
7562 type: object
7563 remoteNamespace:
7564 default: default
7565 description: Remote namespace to fetch the secrets from
7566 type: string
7567 server:
7568 description: configures the Kubernetes server Address.
7569 properties:
7570 caBundle:
7571 description: CABundle is a base64-encoded CA certificate
7572 format: byte
7573 type: string
7574 caProvider:
7575 description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
7576 properties:
7577 key:
7578 description: The key of the value inside the provider type to use; only used with the "Secret" type
7579 type: string
7580 name:
7581 description: The name of the object located at the provider type.
7582 type: string
7583 namespace:
7584 description: The namespace the Provider type is in.
7585 type: string
7586 type:
7587 description: The type of provider to use such as "Secret", or "ConfigMap".
7588 enum:
7589 - Secret
7590 - ConfigMap
7591 type: string
7592 required:
7593 - name
7594 - type
7595 type: object
7596 url:
7597 default: kubernetes.default
7598 description: configures the Kubernetes server Address.
7599 type: string
7600 type: object
7601 required:
7602 - auth
7603 type: object
7604 oracle:
7605 description: Oracle configures this store to sync secrets using Oracle Vault provider
7606 properties:
7607 auth:
7608 description: |-
7609 Auth configures how secret-manager authenticates with the Oracle Vault.
7610 If empty, instance principal is used. Optionally, the authenticating principal type
7611 and/or user data may be supplied for the use of workload identity and user principal.
7612 properties:
7613 secretRef:
7614 description: SecretRef to pass through sensitive information.
7615 properties:
7616 fingerprint:
7617 description: Fingerprint is the fingerprint of the API private key.
7618 properties:
7619 key:
7620 description: |-
7621 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
7622 defaulted, in others it may be required.
7623 type: string
7624 name:
7625 description: The name of the Secret resource being referred to.
7626 type: string
7627 namespace:
7628 description: |-
7629 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
7630 to the namespace of the referent.
7631 type: string
7632 type: object
7633 privatekey:
7634 description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
7635 properties:
7636 key:
7637 description: |-
7638 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
7639 defaulted, in others it may be required.
7640 type: string
7641 name:
7642 description: The name of the Secret resource being referred to.
7643 type: string
7644 namespace:
7645 description: |-
7646 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
7647 to the namespace of the referent.
7648 type: string
7649 type: object
7650 required:
7651 - fingerprint
7652 - privatekey
7653 type: object
7654 tenancy:
7655 description: Tenancy is the tenancy OCID where user is located.
7656 type: string
7657 user:
7658 description: User is an access OCID specific to the account.
7659 type: string
7660 required:
7661 - secretRef
7662 - tenancy
7663 - user
7664 type: object
7665 compartment:
7666 description: |-
7667 Compartment is the vault compartment OCID.
7668 Required for PushSecret
7669 type: string
7670 encryptionKey:
7671 description: |-
7672 EncryptionKey is the OCID of the encryption key within the vault.
7673 Required for PushSecret
7674 type: string
7675 principalType:
7676 description: |-
7677 The type of principal to use for authentication. If left blank, the Auth struct will
7678 determine the principal type. This optional field must be specified if using
7679 workload identity.
7680 enum:
7681 - ""
7682 - UserPrincipal
7683 - InstancePrincipal
7684 - Workload
7685 type: string
7686 region:
7687 description: Region is the region where vault is located.
7688 type: string
7689 serviceAccountRef:
7690 description: |-
7691 ServiceAccountRef specifies the service account
7692 that should be used when authenticating with WorkloadIdentity.
7693 properties:
7694 audiences:
7695 description: |-
7696 Audience specifies the `aud` claim for the service account token.
7697 If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity,
7698 then these audiences will be appended to the list.
7699 items:
7700 type: string
7701 type: array
7702 name:
7703 description: The name of the ServiceAccount resource being referred to.
7704 type: string
7705 namespace:
7706 description: |-
7707 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
7708 to the namespace of the referent.
7709 type: string
7710 required:
7711 - name
7712 type: object
7713 vault:
7714 description: Vault is the vault's OCID of the specific vault where secret is located.
7715 type: string
7716 required:
7717 - region
7718 - vault
7719 type: object
7720 passworddepot:
7721 description: Configures a store to sync secrets with a Password Depot instance.
7722 properties:
7723 auth:
7724 description: Auth configures how secret-manager authenticates with a Password Depot instance.
7725 properties:
7726 secretRef:
7727 properties:
7728 credentials:
7729 description: Username / Password is used for authentication.
7730 properties:
7731 key:
7732 description: |-
7733 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
7734 defaulted, in others it may be required.
7735 type: string
7736 name:
7737 description: The name of the Secret resource being referred to.
7738 type: string
7739 namespace:
7740 description: |-
7741 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
7742 to the namespace of the referent.
7743 type: string
7744 type: object
7745 type: object
7746 required:
7747 - secretRef
7748 type: object
7749 database:
7750 description: Database to use as source
7751 type: string
7752 host:
7753 description: URL configures the Password Depot instance URL.
7754 type: string
7755 required:
7756 - auth
7757 - database
7758 - host
7759 type: object
7760 vault:
7761 description: Vault configures this store to sync secrets using the HashiCorp Vault provider
7762 properties:
7763 auth:
7764 description: Auth configures how secret-manager authenticates with the Vault server.
7765 properties:
7766 appRole:
7767 description: |-
7768 AppRole authenticates with Vault using the App Role auth mechanism,
7769 with the role and secret stored in a Kubernetes Secret resource.
7770 properties:
7771 path:
7772 default: approle
7773 description: |-
7774 Path where the App Role authentication backend is mounted
7775 in Vault, e.g: "approle"
7776 type: string
7777 roleId:
7778 description: |-
7779 RoleID configured in the App Role authentication backend when setting
7780 up the authentication backend in Vault.
7781 type: string
7782 secretRef:
7783 description: |-
7784 Reference to a key in a Secret that contains the App Role secret used
7785 to authenticate with Vault.
7786 The `key` field must be specified and denotes which entry within the Secret
7787 resource is used as the app role secret.
7788 properties:
7789 key:
7790 description: |-
7791 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
7792 defaulted, in others it may be required.
7793 type: string
7794 name:
7795 description: The name of the Secret resource being referred to.
7796 type: string
7797 namespace:
7798 description: |-
7799 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
7800 to the namespace of the referent.
7801 type: string
7802 type: object
7803 required:
7804 - path
7805 - roleId
7806 - secretRef
7807 type: object
7808 cert:
7809 description: |-
7810 Cert authenticates with TLS certificates by passing the client certificate, private key and CA certificate
7811 to Vault's Cert authentication method
7812 properties:
7813 clientCert:
7814 description: |-
7815 ClientCert is a certificate to authenticate using the Cert Vault
7816 authentication method
7817 properties:
7818 key:
7819 description: |-
7820 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
7821 defaulted, in others it may be required.
7822 type: string
7823 name:
7824 description: The name of the Secret resource being referred to.
7825 type: string
7826 namespace:
7827 description: |-
7828 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
7829 to the namespace of the referent.
7830 type: string
7831 type: object
7832 secretRef:
7833 description: |-
7834 SecretRef to a key in a Secret resource containing client private key to
7835 authenticate with Vault using the Cert authentication method
7836 properties:
7837 key:
7838 description: |-
7839 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
7840 defaulted, in others it may be required.
7841 type: string
7842 name:
7843 description: The name of the Secret resource being referred to.
7844 type: string
7845 namespace:
7846 description: |-
7847 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
7848 to the namespace of the referent.
7849 type: string
7850 type: object
7851 type: object
7852 jwt:
7853 description: |-
7854 Jwt authenticates with Vault by passing role and JWT token using the
7855 JWT/OIDC authentication method
7856 properties:
7857 kubernetesServiceAccountToken:
7858 description: |-
7859 Optional ServiceAccountToken specifies the Kubernetes service account for which to request
7860 a token with the `TokenRequest` API.
7861 properties:
7862 audiences:
7863 description: |-
7864 Optional audiences field that will be used to request a temporary Kubernetes service
7865 account token for the service account referenced by `serviceAccountRef`.
7866 Defaults to a single audience `vault` if not specified.
7867 items:
7868 type: string
7869 type: array
7870 expirationSeconds:
7871 description: |-
7872 Optional expiration time in seconds that will be used to request a temporary
7873 Kubernetes service account token for the service account referenced by
7874 `serviceAccountRef`.
7875 Defaults to 10 minutes.
7876 format: int64
7877 type: integer
7878 serviceAccountRef:
7879 description: Service account field containing the name of a kubernetes ServiceAccount.
7880 properties:
7881 audiences:
7882 description: |-
7883 Audience specifies the `aud` claim for the service account token.
7884 If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity,
7885 then these audiences will be appended to the list.
7886 items:
7887 type: string
7888 type: array
7889 name:
7890 description: The name of the ServiceAccount resource being referred to.
7891 type: string
7892 namespace:
7893 description: |-
7894 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
7895 to the namespace of the referent.
7896 type: string
7897 required:
7898 - name
7899 type: object
7900 required:
7901 - serviceAccountRef
7902 type: object
7903 path:
7904 default: jwt
7905 description: |-
7906 Path where the JWT authentication backend is mounted
7907 in Vault, e.g: "jwt"
7908 type: string
7909 role:
7910 description: |-
7911 Role is a JWT role to authenticate using the JWT/OIDC Vault
7912 authentication method
7913 type: string
7914 secretRef:
7915 description: |-
7916 Optional SecretRef that refers to a key in a Secret resource containing JWT token to
7917 authenticate with Vault using the JWT/OIDC authentication method.
7918 properties:
7919 key:
7920 description: |-
7921 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
7922 defaulted, in others it may be required.
7923 type: string
7924 name:
7925 description: The name of the Secret resource being referred to.
7926 type: string
7927 namespace:
7928 description: |-
7929 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
7930 to the namespace of the referent.
7931 type: string
7932 type: object
7933 required:
7934 - path
7935 type: object
7936 kubernetes:
7937 description: |-
7938 Kubernetes authenticates with Vault by passing the ServiceAccount
7939 token stored in the named Secret resource to the Vault server.
7940 properties:
7941 mountPath:
7942 default: kubernetes
7943 description: |-
7944 Path where the Kubernetes authentication backend is mounted in Vault, e.g:
7945 "kubernetes"
7946 type: string
7947 role:
7948 description: |-
7949 A required field containing the Vault Role to assume. A Role binds a
7950 Kubernetes ServiceAccount with a set of Vault policies.
7951 type: string
7952 secretRef:
7953 description: |-
7954 Optional secret field containing a Kubernetes ServiceAccount JWT used
7955 for authenticating with Vault. If a name is specified without a key,
7956 `token` is the default. If one is not specified, the one bound to
7957 the controller will be used.
7958 properties:
7959 key:
7960 description: |-
7961 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
7962 defaulted, in others it may be required.
7963 type: string
7964 name:
7965 description: The name of the Secret resource being referred to.
7966 type: string
7967 namespace:
7968 description: |-
7969 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
7970 to the namespace of the referent.
7971 type: string
7972 type: object
7973 serviceAccountRef:
7974 description: |-
7975 Optional service account field containing the name of a kubernetes ServiceAccount.
7976 If the service account is specified, the service account secret token JWT will be used
7977 for authenticating with Vault. If the service account selector is not supplied,
7978 the secretRef will be used instead.
7979 properties:
7980 audiences:
7981 description: |-
7982 Audience specifies the `aud` claim for the service account token.
7983 If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity,
7984 then these audiences will be appended to the list.
7985 items:
7986 type: string
7987 type: array
7988 name:
7989 description: The name of the ServiceAccount resource being referred to.
7990 type: string
7991 namespace:
7992 description: |-
7993 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
7994 to the namespace of the referent.
7995 type: string
7996 required:
7997 - name
7998 type: object
7999 required:
8000 - mountPath
8001 - role
8002 type: object
8003 ldap:
8004 description: |-
8005 Ldap authenticates with Vault by passing username/password pair using
8006 the LDAP authentication method
8007 properties:
8008 path:
8009 default: ldap
8010 description: |-
8011 Path where the LDAP authentication backend is mounted
8012 in Vault, e.g: "ldap"
8013 type: string
8014 secretRef:
8015 description: |-
8016 SecretRef to a key in a Secret resource containing password for the LDAP
8017 user used to authenticate with Vault using the LDAP authentication
8018 method
8019 properties:
8020 key:
8021 description: |-
8022 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
8023 defaulted, in others it may be required.
8024 type: string
8025 name:
8026 description: The name of the Secret resource being referred to.
8027 type: string
8028 namespace:
8029 description: |-
8030 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
8031 to the namespace of the referent.
8032 type: string
8033 type: object
8034 username:
8035 description: |-
8036 Username is a LDAP user name used to authenticate using the LDAP Vault
8037 authentication method
8038 type: string
8039 required:
8040 - path
8041 - username
8042 type: object
8043 tokenSecretRef:
8044 description: TokenSecretRef authenticates with Vault by presenting a token.
8045 properties:
8046 key:
8047 description: |-
8048 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
8049 defaulted, in others it may be required.
8050 type: string
8051 name:
8052 description: The name of the Secret resource being referred to.
8053 type: string
8054 namespace:
8055 description: |-
8056 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
8057 to the namespace of the referent.
8058 type: string
8059 type: object
8060 type: object
8061 caBundle:
8062 description: |-
8063 PEM encoded CA bundle used to validate Vault server certificate. Only used
8064 if the Server URL is using HTTPS protocol. This parameter is ignored for
8065 plain HTTP protocol connection. If not set the system root certificates
8066 are used to validate the TLS connection.
8067 format: byte
8068 type: string
8069 caProvider:
8070 description: The provider for the CA bundle to use to validate Vault server certificate.
8071 properties:
8072 key:
8073 description: The key of the value inside the provider type to use; only used with the "Secret" type
8074 type: string
8075 name:
8076 description: The name of the object located at the provider type.
8077 type: string
8078 namespace:
8079 description: The namespace the Provider type is in.
8080 type: string
8081 type:
8082 description: The type of provider to use such as "Secret", or "ConfigMap".
8083 enum:
8084 - Secret
8085 - ConfigMap
8086 type: string
8087 required:
8088 - name
8089 - type
8090 type: object
8091 forwardInconsistent:
8092 description: |-
8093 ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
8094 leader instead of simply retrying within a loop. This can increase performance if
8095 the option is enabled serverside.
8096 https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
8097 type: boolean
8098 namespace:
8099 description: |-
8100 Name of the Vault namespace. Namespaces are a set of features within Vault Enterprise that allow
8101 Vault environments to support Secure Multi-tenancy. e.g: "ns1".
8102 More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
8103 type: string
8104 path:
8105 description: |-
8106 Path is the mount path of the Vault KV backend endpoint, e.g:
8107 "secret". The v2 KV secret engine version specific "/data" path suffix
8108 for fetching secrets from Vault is optional and will be appended
8109 if not present in specified path.
8110 type: string
8111 readYourWrites:
8112 description: |-
8113 ReadYourWrites ensures isolated read-after-write semantics by
8114 providing discovered cluster replication states in each request.
8115 More information about eventual consistency in Vault can be found here
8116 https://www.vaultproject.io/docs/enterprise/consistency
8117 type: boolean
8118 server:
8119 description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
8120 type: string
8121 version:
8122 default: v2
8123 description: |-
8124 Version is the Vault KV secret engine version. This can be either "v1" or
8125 "v2". Version defaults to "v2".
8126 enum:
8127 - v1
8128 - v2
8129 type: string
8130 required:
8131 - auth
8132 - server
8133 type: object
8134 webhook:
8135 description: Webhook configures this store to sync secrets using a generic templated webhook
8136 properties:
8137 body:
8138 description: Body
8139 type: string
8140 caBundle:
8141 description: |-
8142 PEM encoded CA bundle used to validate webhook server certificate. Only used
8143 if the Server URL is using HTTPS protocol. This parameter is ignored for
8144 plain HTTP protocol connection. If not set the system root certificates
8145 are used to validate the TLS connection.
8146 format: byte
8147 type: string
8148 caProvider:
8149 description: The provider for the CA bundle to use to validate webhook server certificate.
8150 properties:
8151 key:
8152 description: The key of the value inside the provider type to use; only used with the "Secret" type
8153 type: string
8154 name:
8155 description: The name of the object located at the provider type.
8156 type: string
8157 namespace:
8158 description: The namespace the Provider type is in.
8159 type: string
8160 type:
8161 description: The type of provider to use such as "Secret", or "ConfigMap".
8162 enum:
8163 - Secret
8164 - ConfigMap
8165 type: string
8166 required:
8167 - name
8168 - type
8169 type: object
8170 headers:
8171 additionalProperties:
8172 type: string
8173 description: Headers
8174 type: object
8175 method:
8176 description: Webhook Method
8177 type: string
8178 result:
8179 description: Result formatting
8180 properties:
8181 jsonPath:
8182 description: Json path of return value
8183 type: string
8184 type: object
8185 secrets:
8186 description: |-
8187 Secrets to fill in templates
8188 These secrets will be passed to the templating function as key value pairs under the given name
8189 items:
8190 properties:
8191 name:
8192 description: Name of this secret in templates
8193 type: string
8194 secretRef:
8195 description: Secret ref to fill in credentials
8196 properties:
8197 key:
8198 description: |-
8199 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
8200 defaulted, in others it may be required.
8201 type: string
8202 name:
8203 description: The name of the Secret resource being referred to.
8204 type: string
8205 namespace:
8206 description: |-
8207 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
8208 to the namespace of the referent.
8209 type: string
8210 type: object
8211 required:
8212 - name
8213 - secretRef
8214 type: object
8215 type: array
8216 timeout:
8217 description: Timeout
8218 type: string
8219 url:
8220 description: Webhook url to call
8221 type: string
8222 required:
8223 - result
8224 - url
8225 type: object
8226 yandexlockbox:
8227 description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
8228 properties:
8229 apiEndpoint:
8230 description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
8231 type: string
8232 auth:
8233 description: Auth defines the information necessary to authenticate against Yandex Lockbox
8234 properties:
8235 authorizedKeySecretRef:
8236 description: The authorized key used for authentication
8237 properties:
8238 key:
8239 description: |-
8240 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
8241 defaulted, in others it may be required.
8242 type: string
8243 name:
8244 description: The name of the Secret resource being referred to.
8245 type: string
8246 namespace:
8247 description: |-
8248 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
8249 to the namespace of the referent.
8250 type: string
8251 type: object
8252 type: object
8253 caProvider:
8254 description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
8255 properties:
8256 certSecretRef:
8257 description: |-
8258 A reference to a specific 'key' within a Secret resource,
8259 In some instances, `key` is a required field.
8260 properties:
8261 key:
8262 description: |-
8263 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
8264 defaulted, in others it may be required.
8265 type: string
8266 name:
8267 description: The name of the Secret resource being referred to.
8268 type: string
8269 namespace:
8270 description: |-
8271 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
8272 to the namespace of the referent.
8273 type: string
8274 type: object
8275 type: object
8276 required:
8277 - auth
8278 type: object
8279 type: object
8280 retrySettings:
8281 description: Used to configure http retries if failed
8282 properties:
8283 maxRetries:
8284 format: int32
8285 type: integer
8286 retryInterval:
8287 type: string
8288 type: object
8289 required:
8290 - provider
8291 type: object
8292 status:
8293 description: SecretStoreStatus defines the observed state of the SecretStore.
8294 properties:
8295 conditions:
8296 items:
8297 properties:
8298 lastTransitionTime:
8299 format: date-time
8300 type: string
8301 message:
8302 type: string
8303 reason:
8304 type: string
8305 status:
8306 type: string
8307 type:
8308 type: string
8309 required:
8310 - status
8311 - type
8312 type: object
8313 type: array
8314 type: object
8315 type: object
8316 served: true
8317 storage: false
8318 subresources:
8319 status: {}
8320 - additionalPrinterColumns:
8321 - jsonPath: .metadata.creationTimestamp
8322 name: AGE
8323 type: date
8324 - jsonPath: .status.conditions[?(@.type=="Ready")].reason
8325 name: Status
8326 type: string
8327 - jsonPath: .status.capabilities
8328 name: Capabilities
8329 type: string
8330 - jsonPath: .status.conditions[?(@.type=="Ready")].status
8331 name: Ready
8332 type: string
8333 name: v1beta1
8334 schema:
8335 openAPIV3Schema:
8336 description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
8337 properties:
8338 apiVersion:
8339 description: |-
8340 APIVersion defines the versioned schema of this representation of an object.
8341 Servers should convert recognized schemas to the latest internal value, and
8342 may reject unrecognized values.
8343 More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
8344 type: string
8345 kind:
8346 description: |-
8347 Kind is a string value representing the REST resource this object represents.
8348 Servers may infer this from the endpoint the client submits requests to.
8349 Cannot be updated.
8350 In CamelCase.
8351 More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
8352 type: string
8353 metadata:
8354 type: object
8355 spec:
8356 description: SecretStoreSpec defines the desired state of SecretStore.
8357 properties:
8358 conditions:
8359 description: Used to constrain a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore
8360 items:
8361 description: |-
8362 ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in
8363 for a ClusterSecretStore instance.
8364 properties:
8365 namespaceSelector:
8366 description: Choose namespace using a labelSelector
8367 properties:
8368 matchExpressions:
8369 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
8370 items:
8371 description: |-
8372 A label selector requirement is a selector that contains values, a key, and an operator that
8373 relates the key and values.
8374 properties:
8375 key:
8376 description: key is the label key that the selector applies to.
8377 type: string
8378 operator:
8379 description: |-
8380 operator represents a key's relationship to a set of values.
8381 Valid operators are In, NotIn, Exists and DoesNotExist.
8382 type: string
8383 values:
8384 description: |-
8385 values is an array of string values. If the operator is In or NotIn,
8386 the values array must be non-empty. If the operator is Exists or DoesNotExist,
8387 the values array must be empty. This array is replaced during a strategic
8388 merge patch.
8389 items:
8390 type: string
8391 type: array
8392 required:
8393 - key
8394 - operator
8395 type: object
8396 type: array
8397 matchLabels:
8398 additionalProperties:
8399 type: string
8400 description: |-
8401 matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
8402 map is equivalent to an element of matchExpressions, whose key field is "key", the
8403 operator is "In", and the values array contains only "value". The requirements are ANDed.
8404 type: object
8405 type: object
8406 x-kubernetes-map-type: atomic
8407 namespaces:
8408 description: Choose namespaces by name
8409 items:
8410 type: string
8411 type: array
8412 type: object
8413 type: array
8414 controller:
8415 description: |-
8416 Used to select the correct ESO controller (think: ingress.ingressClassName)
8417 The ESO controller is instantiated with a specific controller name and filters ES based on this property
8418 type: string
8419 provider:
8420 description: Used to configure the provider. Only one provider may be set
8421 maxProperties: 1
8422 minProperties: 1
8423 properties:
8424 akeyless:
8425 description: Akeyless configures this store to sync secrets using Akeyless Vault provider
8426 properties:
8427 akeylessGWApiURL:
8428 description: Akeyless GW API URL from which the secrets are to be fetched.
8429 type: string
8430 authSecretRef:
8431 description: Auth configures how the operator authenticates with Akeyless.
8432 properties:
8433 kubernetesAuth:
8434 description: |-
8435 Kubernetes authenticates with Akeyless by passing the ServiceAccount
8436 token stored in the named Secret resource.
8437 properties:
8438 accessID:
8439 description: the Akeyless Kubernetes auth-method access-id
8440 type: string
8441 k8sConfName:
8442 description: Kubernetes-auth configuration name in Akeyless-Gateway
8443 type: string
8444 secretRef:
8445 description: |-
8446 Optional secret field containing a Kubernetes ServiceAccount JWT used
8447 for authenticating with Akeyless. If a name is specified without a key,
8448 `token` is the default. If one is not specified, the one bound to
8449 the controller will be used.
8450 properties:
8451 key:
8452 description: |-
8453 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
8454 defaulted, in others it may be required.
8455 type: string
8456 name:
8457 description: The name of the Secret resource being referred to.
8458 type: string
8459 namespace:
8460 description: |-
8461 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
8462 to the namespace of the referent.
8463 type: string
8464 type: object
8465 serviceAccountRef:
8466 description: |-
8467 Optional service account field containing the name of a kubernetes ServiceAccount.
8468 If the service account is specified, the service account secret token JWT will be used
8469 for authenticating with Akeyless. If the service account selector is not supplied,
8470 the secretRef will be used instead.
8471 properties:
8472 audiences:
8473 description: |-
8474 Audience specifies the `aud` claim for the service account token
8475 If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
8476 then this audiences will be appended to the list
8477 items:
8478 type: string
8479 type: array
8480 name:
8481 description: The name of the ServiceAccount resource being referred to.
8482 type: string
8483 namespace:
8484 description: |-
8485 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
8486 to the namespace of the referent.
8487 type: string
8488 required:
8489 - name
8490 type: object
8491 required:
8492 - accessID
8493 - k8sConfName
8494 type: object
8495 secretRef:
8496 description: |-
8497 Reference to a Secret that contains the details
8498 to authenticate with Akeyless.
8499 properties:
8500 accessID:
8501 description: The SecretAccessID is used for authentication
8502 properties:
8503 key:
8504 description: |-
8505 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
8506 defaulted, in others it may be required.
8507 type: string
8508 name:
8509 description: The name of the Secret resource being referred to.
8510 type: string
8511 namespace:
8512 description: |-
8513 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
8514 to the namespace of the referent.
8515 type: string
8516 type: object
8517 accessType:
8518 description: |-
8519 A reference to a specific 'key' within a Secret resource,
8520 In some instances, `key` is a required field.
8521 properties:
8522 key:
8523 description: |-
8524 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
8525 defaulted, in others it may be required.
8526 type: string
8527 name:
8528 description: The name of the Secret resource being referred to.
8529 type: string
8530 namespace:
8531 description: |-
8532 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
8533 to the namespace of the referent.
8534 type: string
8535 type: object
8536 accessTypeParam:
8537 description: |-
8538 A reference to a specific 'key' within a Secret resource,
8539 In some instances, `key` is a required field.
8540 properties:
8541 key:
8542 description: |-
8543 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
8544 defaulted, in others it may be required.
8545 type: string
8546 name:
8547 description: The name of the Secret resource being referred to.
8548 type: string
8549 namespace:
8550 description: |-
8551 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
8552 to the namespace of the referent.
8553 type: string
8554 type: object
8555 type: object
8556 type: object
8557 caBundle:
8558 description: |-
8559 PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used
8560 if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates
8561 are used to validate the TLS connection.
8562 format: byte
8563 type: string
8564 caProvider:
8565 description: The provider for the CA bundle to use to validate Akeyless Gateway certificate.
8566 properties:
8567 key:
8568 description: The key where the CA certificate can be found in the Secret or ConfigMap.
8569 type: string
8570 name:
8571 description: The name of the object located at the provider type.
8572 type: string
8573 namespace:
8574 description: |-
8575 The namespace the Provider type is in.
8576 Can only be defined when used in a ClusterSecretStore.
8577 type: string
8578 type:
8579 description: The type of provider to use such as "Secret", or "ConfigMap".
8580 enum:
8581 - Secret
8582 - ConfigMap
8583 type: string
8584 required:
8585 - name
8586 - type
8587 type: object
8588 required:
8589 - akeylessGWApiURL
8590 - authSecretRef
8591 type: object
8592 alibaba:
8593 description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
8594 properties:
8595 auth:
8596 description: AlibabaAuth contains a secretRef for credentials.
8597 properties:
8598 rrsa:
8599 description: Authenticate against Alibaba using RRSA.
8600 properties:
8601 oidcProviderArn:
8602 type: string
8603 oidcTokenFilePath:
8604 type: string
8605 roleArn:
8606 type: string
8607 sessionName:
8608 type: string
8609 required:
8610 - oidcProviderArn
8611 - oidcTokenFilePath
8612 - roleArn
8613 - sessionName
8614 type: object
8615 secretRef:
8616 description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
8617 properties:
8618 accessKeyIDSecretRef:
8619 description: The AccessKeyID is used for authentication
8620 properties:
8621 key:
8622 description: |-
8623 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
8624 defaulted, in others it may be required.
8625 type: string
8626 name:
8627 description: The name of the Secret resource being referred to.
8628 type: string
8629 namespace:
8630 description: |-
8631 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
8632 to the namespace of the referent.
8633 type: string
8634 type: object
8635 accessKeySecretSecretRef:
8636 description: The AccessKeySecret is used for authentication
8637 properties:
8638 key:
8639 description: |-
8640 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
8641 defaulted, in others it may be required.
8642 type: string
8643 name:
8644 description: The name of the Secret resource being referred to.
8645 type: string
8646 namespace:
8647 description: |-
8648 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
8649 to the namespace of the referent.
8650 type: string
8651 type: object
8652 required:
8653 - accessKeyIDSecretRef
8654 - accessKeySecretSecretRef
8655 type: object
8656 type: object
8657 regionID:
8658 description: Alibaba Region to be used for the provider
8659 type: string
8660 required:
8661 - auth
8662 - regionID
8663 type: object
8664 aws:
8665 description: AWS configures this store to sync secrets using AWS Secret Manager provider
8666 properties:
8667 additionalRoles:
8668 description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role
8669 items:
8670 type: string
8671 type: array
8672 auth:
8673 description: |-
8674 Auth defines the information necessary to authenticate against AWS
8675 if not set aws sdk will infer credentials from your environment
8676 see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
8677 properties:
8678 jwt:
8679 description: Authenticate against AWS using service account tokens.
8680 properties:
8681 serviceAccountRef:
8682 description: A reference to a ServiceAccount resource.
8683 properties:
8684 audiences:
8685 description: |-
8686 Audience specifies the `aud` claim for the service account token
8687 If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
8688 then this audiences will be appended to the list
8689 items:
8690 type: string
8691 type: array
8692 name:
8693 description: The name of the ServiceAccount resource being referred to.
8694 type: string
8695 namespace:
8696 description: |-
8697 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
8698 to the namespace of the referent.
8699 type: string
8700 required:
8701 - name
8702 type: object
8703 type: object
8704 secretRef:
8705 description: |-
8706 AWSAuthSecretRef holds secret references for AWS credentials
8707 both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
8708 properties:
8709 accessKeyIDSecretRef:
8710 description: The AccessKeyID is used for authentication
8711 properties:
8712 key:
8713 description: |-
8714 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
8715 defaulted, in others it may be required.
8716 type: string
8717 name:
8718 description: The name of the Secret resource being referred to.
8719 type: string
8720 namespace:
8721 description: |-
8722 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
8723 to the namespace of the referent.
8724 type: string
8725 type: object
8726 secretAccessKeySecretRef:
8727 description: The SecretAccessKey is used for authentication
8728 properties:
8729 key:
8730 description: |-
8731 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
8732 defaulted, in others it may be required.
8733 type: string
8734 name:
8735 description: The name of the Secret resource being referred to.
8736 type: string
8737 namespace:
8738 description: |-
8739 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
8740 to the namespace of the referent.
8741 type: string
8742 type: object
8743 sessionTokenSecretRef:
8744 description: |-
8745 The SessionToken used for authentication
8746 This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
8747 see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
8748 properties:
8749 key:
8750 description: |-
8751 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
8752 defaulted, in others it may be required.
8753 type: string
8754 name:
8755 description: The name of the Secret resource being referred to.
8756 type: string
8757 namespace:
8758 description: |-
8759 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
8760 to the namespace of the referent.
8761 type: string
8762 type: object
8763 type: object
8764 type: object
8765 externalID:
8766 description: AWS External ID set on assumed IAM roles
8767 type: string
8768 region:
8769 description: AWS Region to be used for the provider
8770 type: string
8771 role:
8772 description: Role is a Role ARN which the provider will assume
8773 type: string
8774 secretsManager:
8775 description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager
8776 properties:
8777 forceDeleteWithoutRecovery:
8778 description: |-
8779 Specifies whether to delete the secret without any recovery window. You
8780 can't use both this parameter and RecoveryWindowInDays in the same call.
8781 If you don't use either, then by default Secrets Manager uses a 30 day
8782 recovery window.
8783 see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery
8784 type: boolean
8785 recoveryWindowInDays:
8786 description: |-
8787 The number of days from 7 to 30 that Secrets Manager waits before
8788 permanently deleting the secret. You can't use both this parameter and
8789 ForceDeleteWithoutRecovery in the same call. If you don't use either,
8790 then by default Secrets Manager uses a 30 day recovery window.
8791 see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays
8792 format: int64
8793 type: integer
8794 type: object
8795 service:
8796 description: Service defines which service should be used to fetch the secrets
8797 enum:
8798 - SecretsManager
8799 - ParameterStore
8800 type: string
8801 sessionTags:
8802 description: AWS STS assume role session tags
8803 items:
8804 properties:
8805 key:
8806 type: string
8807 value:
8808 type: string
8809 required:
8810 - key
8811 - value
8812 type: object
8813 type: array
8814 transitiveTagKeys:
8815 description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider
8816 items:
8817 type: string
8818 type: array
8819 required:
8820 - region
8821 - service
8822 type: object
8823 azurekv:
8824 description: AzureKV configures this store to sync secrets using Azure Key Vault provider
8825 properties:
8826 authSecretRef:
8827 description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
8828 properties:
8829 clientId:
8830 description: The Azure clientId of the service principal or managed identity used for authentication.
8831 properties:
8832 key:
8833 description: |-
8834 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
8835 defaulted, in others it may be required.
8836 type: string
8837 name:
8838 description: The name of the Secret resource being referred to.
8839 type: string
8840 namespace:
8841 description: |-
8842 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
8843 to the namespace of the referent.
8844 type: string
8845 type: object
8846 clientSecret:
8847 description: The Azure ClientSecret of the service principal used for authentication.
8848 properties:
8849 key:
8850 description: |-
8851 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
8852 defaulted, in others it may be required.
8853 type: string
8854 name:
8855 description: The name of the Secret resource being referred to.
8856 type: string
8857 namespace:
8858 description: |-
8859 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
8860 to the namespace of the referent.
8861 type: string
8862 type: object
8863 tenantId:
8864 description: The Azure tenantId of the managed identity used for authentication.
8865 properties:
8866 key:
8867 description: |-
8868 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
8869 defaulted, in others it may be required.
8870 type: string
8871 name:
8872 description: The name of the Secret resource being referred to.
8873 type: string
8874 namespace:
8875 description: |-
8876 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
8877 to the namespace of the referent.
8878 type: string
8879 type: object
8880 type: object
8881 authType:
8882 default: ServicePrincipal
8883 description: |-
8884 Auth type defines how to authenticate to the keyvault service.
8885 Valid values are:
8886 - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
8887 - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
8887 - "WorkloadIdentity": Using the Kubernetes service account referenced by serviceAccountRef
8888 enum:
8889 - ServicePrincipal
8890 - ManagedIdentity
8891 - WorkloadIdentity
8892 type: string
8893 environmentType:
8894 default: PublicCloud
8895 description: |-
8896 EnvironmentType specifies the Azure cloud environment endpoints to use for
8897 connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
8898 The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
8899 PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
8900 enum:
8901 - PublicCloud
8902 - USGovernmentCloud
8903 - ChinaCloud
8904 - GermanCloud
8905 type: string
8906 identityId:
8907 description: If multiple Managed Identities are assigned to the pod, select the one to be used.
8908 type: string
8909 serviceAccountRef:
8910 description: |-
8911 ServiceAccountRef specifies the service account
8912 that should be used when authenticating with WorkloadIdentity.
8913 properties:
8914 audiences:
8915 description: |-
8916 Audience specifies the `aud` claim for the service account token
8917 If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
8918 then these audiences will be appended to the list
8919 items:
8920 type: string
8921 type: array
8922 name:
8923 description: The name of the ServiceAccount resource being referred to.
8924 type: string
8925 namespace:
8926 description: |-
8927 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
8928 to the namespace of the referent.
8929 type: string
8930 required:
8931 - name
8932 type: object
8933 tenantId:
8934 description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
8935 type: string
8936 vaultUrl:
8937 description: Vault URL from which the secrets are to be fetched.
8938 type: string
8939 required:
8940 - vaultUrl
8941 type: object
8942 chef:
8943 description: Chef configures this store to sync secrets with chef server
8944 properties:
8945 auth:
8946 description: Auth defines the information necessary to authenticate against chef Server
8947 properties:
8948 secretRef:
8949 description: ChefAuthSecretRef holds secret references for chef server login credentials.
8950 properties:
8951 privateKeySecretRef:
8952 description: SecretKey is the Signing Key in PEM format, used for authentication.
8953 properties:
8954 key:
8955 description: |-
8956 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
8957 defaulted, in others it may be required.
8958 type: string
8959 name:
8960 description: The name of the Secret resource being referred to.
8961 type: string
8962 namespace:
8963 description: |-
8964 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
8965 to the namespace of the referent.
8966 type: string
8967 type: object
8968 required:
8969 - privateKeySecretRef
8970 type: object
8971 required:
8972 - secretRef
8973 type: object
8974 serverUrl:
8975 description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/"
8976 type: string
8977 username:
8978 description: UserName should be the user ID on the chef server
8979 type: string
8980 required:
8981 - auth
8982 - serverUrl
8983 - username
8984 type: object
8985 conjur:
8986 description: Conjur configures this store to sync secrets using conjur provider
8987 properties:
8988 auth:
8989 properties:
8990 apikey:
8991 properties:
8992 account:
8993 type: string
8994 apiKeyRef:
8995 description: |-
8996 A reference to a specific 'key' within a Secret resource.
8997 In some instances, `key` is a required field.
8998 properties:
8999 key:
9000 description: |-
9001 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
9002 defaulted, in others it may be required.
9003 type: string
9004 name:
9005 description: The name of the Secret resource being referred to.
9006 type: string
9007 namespace:
9008 description: |-
9009 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
9010 to the namespace of the referent.
9011 type: string
9012 type: object
9013 userRef:
9014 description: |-
9015 A reference to a specific 'key' within a Secret resource.
9016 In some instances, `key` is a required field.
9017 properties:
9018 key:
9019 description: |-
9020 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
9021 defaulted, in others it may be required.
9022 type: string
9023 name:
9024 description: The name of the Secret resource being referred to.
9025 type: string
9026 namespace:
9027 description: |-
9028 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
9029 to the namespace of the referent.
9030 type: string
9031 type: object
9032 required:
9033 - account
9034 - apiKeyRef
9035 - userRef
9036 type: object
9037 jwt:
9038 properties:
9039 account:
9040 type: string
9041 hostId:
9042 description: |-
9043 Optional HostID for JWT authentication. This may be used depending
9044 on how the Conjur JWT authenticator policy is configured.
9045 type: string
9046 secretRef:
9047 description: |-
9048 Optional SecretRef that refers to a key in a Secret resource containing JWT token to
9049 authenticate with Conjur using the JWT authentication method.
9050 properties:
9051 key:
9052 description: |-
9053 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
9054 defaulted, in others it may be required.
9055 type: string
9056 name:
9057 description: The name of the Secret resource being referred to.
9058 type: string
9059 namespace:
9060 description: |-
9061 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
9062 to the namespace of the referent.
9063 type: string
9064 type: object
9065 serviceAccountRef:
9066 description: |-
9067 Optional ServiceAccountRef specifies the Kubernetes service account for which to request
9068 a token with the `TokenRequest` API.
9069 properties:
9070 audiences:
9071 description: |-
9072 Audience specifies the `aud` claim for the service account token
9073 If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
9074 then these audiences will be appended to the list
9075 items:
9076 type: string
9077 type: array
9078 name:
9079 description: The name of the ServiceAccount resource being referred to.
9080 type: string
9081 namespace:
9082 description: |-
9083 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
9084 to the namespace of the referent.
9085 type: string
9086 required:
9087 - name
9088 type: object
9089 serviceID:
9090 description: The Conjur authn-jwt webservice ID
9091 type: string
9092 required:
9093 - account
9094 - serviceID
9095 type: object
9096 type: object
9097 caBundle:
9098 type: string
9099 caProvider:
9100 description: |-
9101 Used to provide custom certificate authority (CA) certificates
9102 for a secret store. The CAProvider points to a Secret or ConfigMap resource
9103 that contains a PEM-encoded certificate.
9104 properties:
9105 key:
9106 description: The key where the CA certificate can be found in the Secret or ConfigMap.
9107 type: string
9108 name:
9109 description: The name of the object located at the provider type.
9110 type: string
9111 namespace:
9112 description: |-
9113 The namespace the Provider type is in.
9114 Can only be defined when used in a ClusterSecretStore.
9115 type: string
9116 type:
9117 description: The type of provider to use such as "Secret", or "ConfigMap".
9118 enum:
9119 - Secret
9120 - ConfigMap
9121 type: string
9122 required:
9123 - name
9124 - type
9125 type: object
9126 url:
9127 type: string
9128 required:
9129 - auth
9130 - url
9131 type: object
9132 delinea:
9133 description: |-
9134 Delinea DevOps Secrets Vault
9135 https://docs.delinea.com/online-help/products/devops-secrets-vault/current
9136 properties:
9137 clientId:
9138 description: ClientID is the non-secret part of the credential.
9139 properties:
9140 secretRef:
9141 description: SecretRef references a key in a secret that will be used as value.
9142 properties:
9143 key:
9144 description: |-
9145 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
9146 defaulted, in others it may be required.
9147 type: string
9148 name:
9149 description: The name of the Secret resource being referred to.
9150 type: string
9151 namespace:
9152 description: |-
9153 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
9154 to the namespace of the referent.
9155 type: string
9156 type: object
9157 value:
9158 description: Value can be specified directly to set a value without using a secret.
9159 type: string
9160 type: object
9161 clientSecret:
9162 description: ClientSecret is the secret part of the credential.
9163 properties:
9164 secretRef:
9165 description: SecretRef references a key in a secret that will be used as value.
9166 properties:
9167 key:
9168 description: |-
9169 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
9170 defaulted, in others it may be required.
9171 type: string
9172 name:
9173 description: The name of the Secret resource being referred to.
9174 type: string
9175 namespace:
9176 description: |-
9177 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
9178 to the namespace of the referent.
9179 type: string
9180 type: object
9181 value:
9182 description: Value can be specified directly to set a value without using a secret.
9183 type: string
9184 type: object
9185 tenant:
9186 description: Tenant is the chosen hostname / site name.
9187 type: string
9188 tld:
9189 description: |-
9190 TLD is based on the server location that was chosen during provisioning.
9191 If unset, defaults to "com".
9192 type: string
9193 urlTemplate:
9194 description: |-
9195 URLTemplate
9196 If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s".
9197 type: string
9198 required:
9199 - clientId
9200 - clientSecret
9201 - tenant
9202 type: object
9203 doppler:
9204 description: Doppler configures this store to sync secrets using the Doppler provider
9205 properties:
9206 auth:
9207 description: Auth configures how the Operator authenticates with the Doppler API
9208 properties:
9209 secretRef:
9210 properties:
9211 dopplerToken:
9212 description: |-
9213 The DopplerToken is used for authentication.
9214 See https://docs.doppler.com/reference/api#authentication for auth token types.
9215 The Key attribute defaults to dopplerToken if not specified.
9216 properties:
9217 key:
9218 description: |-
9219 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
9220 defaulted, in others it may be required.
9221 type: string
9222 name:
9223 description: The name of the Secret resource being referred to.
9224 type: string
9225 namespace:
9226 description: |-
9227 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
9228 to the namespace of the referent.
9229 type: string
9230 type: object
9231 required:
9232 - dopplerToken
9233 type: object
9234 required:
9235 - secretRef
9236 type: object
9237 config:
9238 description: Doppler config (required if not using a Service Token)
9239 type: string
9240 format:
9241 description: Format enables the downloading of secrets as a file (string)
9242 enum:
9243 - json
9244 - dotnet-json
9245 - env
9246 - yaml
9247 - docker
9248 type: string
9249 nameTransformer:
9250 description: Environment variable compatible name transforms that change secret names to a different format
9251 enum:
9252 - upper-camel
9253 - camel
9254 - lower-snake
9255 - tf-var
9256 - dotnet-env
9257 - lower-kebab
9258 type: string
9259 project:
9260 description: Doppler project (required if not using a Service Token)
9261 type: string
9262 required:
9263 - auth
9264 type: object
9265 fake:
9266 description: Fake configures a store with static key/value pairs
9267 properties:
9268 data:
9269 items:
9270 properties:
9271 key:
9272 type: string
9273 value:
9274 type: string
9275 valueMap:
9276 additionalProperties:
9277 type: string
9278 description: 'Deprecated: ValueMap is deprecated and is intended to be removed in the future, use the `value` field instead.'
9279 type: object
9280 version:
9281 type: string
9282 required:
9283 - key
9284 type: object
9285 type: array
9286 required:
9287 - data
9288 type: object
9289 fortanix:
9290 description: Fortanix configures this store to sync secrets using the Fortanix provider
9291 properties:
9292 apiKey:
9293 description: APIKey is the API token to access SDKMS Applications.
9294 properties:
9295 secretRef:
9296 description: SecretRef is a reference to a secret containing the SDKMS API Key.
9297 properties:
9298 key:
9299 description: |-
9300 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
9301 defaulted, in others it may be required.
9302 type: string
9303 name:
9304 description: The name of the Secret resource being referred to.
9305 type: string
9306 namespace:
9307 description: |-
9308 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
9309 to the namespace of the referent.
9310 type: string
9311 type: object
9312 type: object
9313 apiUrl:
9314 description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`.
9315 type: string
9316 type: object
9317 gcpsm:
9318 description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
9319 properties:
9320 auth:
9321 description: Auth defines the information necessary to authenticate against GCP
9322 properties:
9323 secretRef:
9324 properties:
9325 secretAccessKeySecretRef:
9326 description: The SecretAccessKey is used for authentication
9327 properties:
9328 key:
9329 description: |-
9330 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
9331 defaulted, in others it may be required.
9332 type: string
9333 name:
9334 description: The name of the Secret resource being referred to.
9335 type: string
9336 namespace:
9337 description: |-
9338 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
9339 to the namespace of the referent.
9340 type: string
9341 type: object
9342 type: object
9343 workloadIdentity:
9344 properties:
9345 clusterLocation:
9346 type: string
9347 clusterName:
9348 type: string
9349 clusterProjectID:
9350 type: string
9351 serviceAccountRef:
9352 description: A reference to a ServiceAccount resource.
9353 properties:
9354 audiences:
9355 description: |-
9356 Audience specifies the `aud` claim for the service account token
9357 If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
9358 then these audiences will be appended to the list
9359 items:
9360 type: string
9361 type: array
9362 name:
9363 description: The name of the ServiceAccount resource being referred to.
9364 type: string
9365 namespace:
9366 description: |-
9367 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
9368 to the namespace of the referent.
9369 type: string
9370 required:
9371 - name
9372 type: object
9373 required:
9374 - clusterLocation
9375 - clusterName
9376 - serviceAccountRef
9377 type: object
9378 type: object
9379 projectID:
9380 description: ProjectID is the project where the secret is located
9381 type: string
9382 type: object
9383 gitlab:
9384 description: GitLab configures this store to sync secrets using GitLab Variables provider
9385 properties:
9386 auth:
9387 description: Auth configures how secret-manager authenticates with a GitLab instance.
9388 properties:
9389 SecretRef:
9390 properties:
9391 accessToken:
9392 description: AccessToken is used for authentication.
9393 properties:
9394 key:
9395 description: |-
9396 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
9397 defaulted, in others it may be required.
9398 type: string
9399 name:
9400 description: The name of the Secret resource being referred to.
9401 type: string
9402 namespace:
9403 description: |-
9404 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
9405 to the namespace of the referent.
9406 type: string
9407 type: object
9408 type: object
9409 required:
9410 - SecretRef
9411 type: object
9412 environment:
9413 description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments)
9414 type: string
9415 groupIDs:
9416 description: GroupIDs specify which GitLab groups to pull secrets from. Group secrets are read from left to right, followed by the project variables.
9417 items:
9418 type: string
9419 type: array
9420 inheritFromGroups:
9421 description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets.
9422 type: boolean
9423 projectID:
9424 description: ProjectID specifies a project where secrets are located.
9425 type: string
9426 url:
9427 description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
9428 type: string
9429 required:
9430 - auth
9431 type: object
9432 ibm:
9433 description: IBM configures this store to sync secrets using IBM Cloud provider
9434 properties:
9435 auth:
9436 description: Auth configures how secret-manager authenticates with the IBM secrets manager.
9437 maxProperties: 1
9438 minProperties: 1
9439 properties:
9440 containerAuth:
9441 description: IBM Container-based auth with IAM Trusted Profile.
9442 properties:
9443 iamEndpoint:
9444 type: string
9445 profile:
9446 description: the IBM Trusted Profile
9447 type: string
9448 tokenLocation:
9449 description: Location the token is mounted on the pod
9450 type: string
9451 required:
9452 - profile
9453 type: object
9454 secretRef:
9455 properties:
9456 secretApiKeySecretRef:
9457 description: The SecretAccessKey is used for authentication
9458 properties:
9459 key:
9460 description: |-
9461 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
9462 defaulted, in others it may be required.
9463 type: string
9464 name:
9465 description: The name of the Secret resource being referred to.
9466 type: string
9467 namespace:
9468 description: |-
9469 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
9470 to the namespace of the referent.
9471 type: string
9472 type: object
9473 type: object
9474 type: object
9475 serviceUrl:
9476 description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
9477 type: string
9478 required:
9479 - auth
9480 type: object
9481 keepersecurity:
9482 description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider
9483 properties:
9484 authRef:
9485 description: |-
9486 A reference to a specific 'key' within a Secret resource.
9487 In some instances, `key` is a required field.
9488 properties:
9489 key:
9490 description: |-
9491 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
9492 defaulted, in others it may be required.
9493 type: string
9494 name:
9495 description: The name of the Secret resource being referred to.
9496 type: string
9497 namespace:
9498 description: |-
9499 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
9500 to the namespace of the referent.
9501 type: string
9502 type: object
9503 folderID:
9504 type: string
9505 required:
9506 - authRef
9507 - folderID
9508 type: object
9509 kubernetes:
9510 description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
9511 properties:
9512 auth:
9513 description: Auth configures how secret-manager authenticates with a Kubernetes instance.
9514 maxProperties: 1
9515 minProperties: 1
9516 properties:
9517 cert:
9518 description: has both clientCert and clientKey as secretKeySelector
9519 properties:
9520 clientCert:
9521 description: |-
9522 A reference to a specific 'key' within a Secret resource.
9523 In some instances, `key` is a required field.
9524 properties:
9525 key:
9526 description: |-
9527 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
9528 defaulted, in others it may be required.
9529 type: string
9530 name:
9531 description: The name of the Secret resource being referred to.
9532 type: string
9533 namespace:
9534 description: |-
9535 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
9536 to the namespace of the referent.
9537 type: string
9538 type: object
9539 clientKey:
9540 description: |-
9541 A reference to a specific 'key' within a Secret resource.
9542 In some instances, `key` is a required field.
9543 properties:
9544 key:
9545 description: |-
9546 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
9547 defaulted, in others it may be required.
9548 type: string
9549 name:
9550 description: The name of the Secret resource being referred to.
9551 type: string
9552 namespace:
9553 description: |-
9554 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
9555 to the namespace of the referent.
9556 type: string
9557 type: object
9558 type: object
9559 serviceAccount:
9560 description: points to a service account that should be used for authentication
9561 properties:
9562 audiences:
9563 description: |-
9564 Audience specifies the `aud` claim for the service account token
9565 If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
9566 then these audiences will be appended to the list
9567 items:
9568 type: string
9569 type: array
9570 name:
9571 description: The name of the ServiceAccount resource being referred to.
9572 type: string
9573 namespace:
9574 description: |-
9575 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
9576 to the namespace of the referent.
9577 type: string
9578 required:
9579 - name
9580 type: object
9581 token:
9582 description: use static token to authenticate with
9583 properties:
9584 bearerToken:
9585 description: |-
9586 A reference to a specific 'key' within a Secret resource.
9587 In some instances, `key` is a required field.
9588 properties:
9589 key:
9590 description: |-
9591 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
9592 defaulted, in others it may be required.
9593 type: string
9594 name:
9595 description: The name of the Secret resource being referred to.
9596 type: string
9597 namespace:
9598 description: |-
9599 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
9600 to the namespace of the referent.
9601 type: string
9602 type: object
9603 type: object
9604 type: object
9605 remoteNamespace:
9606 default: default
9607 description: Remote namespace to fetch the secrets from
9608 type: string
9609 server:
9610 description: configures the Kubernetes server Address.
9611 properties:
9612 caBundle:
9613 description: CABundle is a base64-encoded CA certificate
9614 format: byte
9615 type: string
9616 caProvider:
9617 description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
9618 properties:
9619 key:
9620 description: The key where the CA certificate can be found in the Secret or ConfigMap.
9621 type: string
9622 name:
9623 description: The name of the object located at the provider type.
9624 type: string
9625 namespace:
9626 description: |-
9627 The namespace the Provider type is in.
9628 Can only be defined when used in a ClusterSecretStore.
9629 type: string
9630 type:
9631 description: The type of provider to use such as "Secret", or "ConfigMap".
9632 enum:
9633 - Secret
9634 - ConfigMap
9635 type: string
9636 required:
9637 - name
9638 - type
9639 type: object
9640 url:
9641 default: kubernetes.default
9642 description: configures the Kubernetes server Address.
9643 type: string
9644 type: object
9645 required:
9646 - auth
9647 type: object
9648 onboardbase:
9649 description: Onboardbase configures this store to sync secrets using the Onboardbase provider
9650 properties:
9651 apiHost:
9652 default: https://public.onboardbase.com/api/v1/
9653 description: APIHost configures the host URL of the API for a self-hosted installation; the default is https://public.onboardbase.com/api/v1/
9654 type: string
9655 auth:
9656 description: Auth configures how the Operator authenticates with the Onboardbase API
9657 properties:
9658 apiKeyRef:
9659 description: |-
9660 OnboardbaseAPIKey is the APIKey generated by an admin account.
9661 It is used to recognize and authorize access to a project and environment within onboardbase
9662 properties:
9663 key:
9664 description: |-
9665 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
9666 defaulted, in others it may be required.
9667 type: string
9668 name:
9669 description: The name of the Secret resource being referred to.
9670 type: string
9671 namespace:
9672 description: |-
9673 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
9674 to the namespace of the referent.
9675 type: string
9676 type: object
9677 passcodeRef:
9678 description: OnboardbasePasscode is the passcode attached to the API Key
9679 properties:
9680 key:
9681 description: |-
9682 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
9683 defaulted, in others it may be required.
9684 type: string
9685 name:
9686 description: The name of the Secret resource being referred to.
9687 type: string
9688 namespace:
9689 description: |-
9690 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
9691 to the namespace of the referent.
9692 type: string
9693 type: object
9694 required:
9695 - apiKeyRef
9696 - passcodeRef
9697 type: object
9698 environment:
9699 default: development
9700 description: Environment is the name of an environment within a project to pull the secrets from
9701 type: string
9702 project:
9703 default: development
9704 description: Project is an onboardbase project that the secrets should be pulled from
9705 type: string
9706 required:
9707 - apiHost
9708 - auth
9709 - environment
9710 - project
9711 type: object
9712 onepassword:
9713 description: OnePassword configures this store to sync secrets using the 1Password Cloud provider
9714 properties:
9715 auth:
9716 description: Auth defines the information necessary to authenticate against OnePassword Connect Server
9717 properties:
9718 secretRef:
9719 description: OnePasswordAuthSecretRef holds secret references for 1Password credentials.
9720 properties:
9721 connectTokenSecretRef:
9722 description: The ConnectToken is used for authentication to a 1Password Connect Server.
9723 properties:
9724 key:
9725 description: |-
9726 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
9727 defaulted, in others it may be required.
9728 type: string
9729 name:
9730 description: The name of the Secret resource being referred to.
9731 type: string
9732 namespace:
9733 description: |-
9734 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
9735 to the namespace of the referent.
9736 type: string
9737 type: object
9738 required:
9739 - connectTokenSecretRef
9740 type: object
9741 required:
9742 - secretRef
9743 type: object
9744 connectHost:
9745 description: ConnectHost defines the OnePassword Connect Server to connect to
9746 type: string
9747 vaults:
9748 additionalProperties:
9749 type: integer
9750 description: Vaults defines which OnePassword vaults to search in which order
9751 type: object
9752 required:
9753 - auth
9754 - connectHost
9755 - vaults
9756 type: object
9757 oracle:
9758 description: Oracle configures this store to sync secrets using Oracle Vault provider
9759 properties:
9760 auth:
9761 description: |-
9762 Auth configures how secret-manager authenticates with the Oracle Vault.
9763 If empty, use the instance principal, otherwise the user credentials specified in Auth.
9764 properties:
9765 secretRef:
9766 description: SecretRef to pass through sensitive information.
9767 properties:
9768 fingerprint:
9769 description: Fingerprint is the fingerprint of the API private key.
9770 properties:
9771 key:
9772 description: |-
9773 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
9774 defaulted, in others it may be required.
9775 type: string
9776 name:
9777 description: The name of the Secret resource being referred to.
9778 type: string
9779 namespace:
9780 description: |-
9781 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
9782 to the namespace of the referent.
9783 type: string
9784 type: object
9785 privatekey:
9786 description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
9787 properties:
9788 key:
9789 description: |-
9790 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
9791 defaulted, in others it may be required.
9792 type: string
9793 name:
9794 description: The name of the Secret resource being referred to.
9795 type: string
9796 namespace:
9797 description: |-
9798 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
9799 to the namespace of the referent.
9800 type: string
9801 type: object
9802 required:
9803 - fingerprint
9804 - privatekey
9805 type: object
9806 tenancy:
9807 description: Tenancy is the tenancy OCID where user is located.
9808 type: string
9809 user:
9810 description: User is an access OCID specific to the account.
9811 type: string
9812 required:
9813 - secretRef
9814 - tenancy
9815 - user
9816 type: object
9817 compartment:
9818 description: |-
9819 Compartment is the vault compartment OCID.
9820 Required for PushSecret
9821 type: string
9822 encryptionKey:
9823 description: |-
9824 EncryptionKey is the OCID of the encryption key within the vault.
9825 Required for PushSecret
9826 type: string
9827 principalType:
9828 description: |-
9829 The type of principal to use for authentication. If left blank, the Auth struct will
9830 determine the principal type. This optional field must be specified if using
9831 workload identity.
9832 enum:
9833 - ""
9834 - UserPrincipal
9835 - InstancePrincipal
9836 - Workload
9837 type: string
9838 region:
9839 description: Region is the region where vault is located.
9840 type: string
9841 serviceAccountRef:
9842 description: |-
9843 ServiceAccountRef specifies the service account
9844 that should be used when authenticating with WorkloadIdentity.
9845 properties:
9846 audiences:
9847 description: |-
9848 Audience specifies the `aud` claim for the service account token
9849 If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
9850 then these audiences will be appended to the list
9851 items:
9852 type: string
9853 type: array
9854 name:
9855 description: The name of the ServiceAccount resource being referred to.
9856 type: string
9857 namespace:
9858 description: |-
9859 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
9860 to the namespace of the referent.
9861 type: string
9862 required:
9863 - name
9864 type: object
9865 vault:
9866 description: Vault is the vault's OCID of the specific vault where secret is located.
9867 type: string
9868 required:
9869 - region
9870 - vault
9871 type: object
9872 passbolt:
9873 properties:
9874 auth:
9875 description: Auth defines the information necessary to authenticate against Passbolt Server
9876 properties:
9877 passwordSecretRef:
9878 description: |-
9879 A reference to a specific 'key' within a Secret resource,
9880 In some instances, `key` is a required field.
9881 properties:
9882 key:
9883 description: |-
9884 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
9885 defaulted, in others it may be required.
9886 type: string
9887 name:
9888 description: The name of the Secret resource being referred to.
9889 type: string
9890 namespace:
9891 description: |-
9892 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
9893 to the namespace of the referent.
9894 type: string
9895 type: object
9896 privateKeySecretRef:
9897 description: |-
9898 A reference to a specific 'key' within a Secret resource,
9899 In some instances, `key` is a required field.
9900 properties:
9901 key:
9902 description: |-
9903 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
9904 defaulted, in others it may be required.
9905 type: string
9906 name:
9907 description: The name of the Secret resource being referred to.
9908 type: string
9909 namespace:
9910 description: |-
9911 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
9912 to the namespace of the referent.
9913 type: string
9914 type: object
9915 required:
9916 - passwordSecretRef
9917 - privateKeySecretRef
9918 type: object
9919 host:
9920 description: Host defines the Passbolt Server to connect to
9921 type: string
9922 required:
9923 - auth
9924 - host
9925 type: object
9926 passworddepot:
9927 description: Configures a store to sync secrets with a Password Depot instance.
9928 properties:
9929 auth:
9930 description: Auth configures how secret-manager authenticates with a Password Depot instance.
9931 properties:
9932 secretRef:
9933 properties:
9934 credentials:
9935 description: Username / Password is used for authentication.
9936 properties:
9937 key:
9938 description: |-
9939 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
9940 defaulted, in others it may be required.
9941 type: string
9942 name:
9943 description: The name of the Secret resource being referred to.
9944 type: string
9945 namespace:
9946 description: |-
9947 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
9948 to the namespace of the referent.
9949 type: string
9950 type: object
9951 type: object
9952 required:
9953 - secretRef
9954 type: object
9955 database:
9956 description: Database to use as source
9957 type: string
9958 host:
9959 description: Host configures the Password Depot instance URL.
9960 type: string
9961 required:
9962 - auth
9963 - database
9964 - host
9965 type: object
9966 pulumi:
9967 description: Pulumi configures this store to sync secrets using the Pulumi provider
9968 properties:
9969 accessToken:
9970 description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console.
9971 properties:
9972 secretRef:
9973 description: SecretRef is a reference to a secret containing the Pulumi API token.
9974 properties:
9975 key:
9976 description: |-
9977 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
9978 defaulted, in others it may be required.
9979 type: string
9980 name:
9981 description: The name of the Secret resource being referred to.
9982 type: string
9983 namespace:
9984 description: |-
9985 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
9986 to the namespace of the referent.
9987 type: string
9988 type: object
9989 type: object
9990 apiUrl:
9991 default: https://api.pulumi.com
9992 description: APIURL is the URL of the Pulumi API.
9993 type: string
9994 environment:
9995 description: |-
9996 Environments are YAML documents composed of static key-value pairs, programmatic expressions,
9997 dynamically retrieved values from supported providers including all major clouds,
9998 and other Pulumi ESC environments.
9999 To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information.
10000 type: string
10001 organization:
10002 description: |-
10003 Organizations are spaces to collaborate on shared projects and stacks.
10004 To create a new organization, visit https://app.pulumi.com/ and click "New Organization".
10005 type: string
10006 required:
10007 - accessToken
10008 - environment
10009 - organization
10010 type: object
10011 scaleway:
10012 description: Scaleway configures this store to sync secrets using the Scaleway provider
10013 properties:
10014 accessKey:
10015 description: AccessKey is the non-secret part of the api key.
10016 properties:
10017 secretRef:
10018 description: SecretRef references a key in a secret that will be used as value.
10019 properties:
10020 key:
10021 description: |-
10022 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
10023 defaulted, in others it may be required.
10024 type: string
10025 name:
10026 description: The name of the Secret resource being referred to.
10027 type: string
10028 namespace:
10029 description: |-
10030 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
10031 to the namespace of the referent.
10032 type: string
10033 type: object
10034 value:
10035 description: Value can be specified directly to set a value without using a secret.
10036 type: string
10037 type: object
10038 apiUrl:
10039 description: APIURL is the url of the api to use. Defaults to https://api.scaleway.com
10040 type: string
10041 projectId:
10042 description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings'
10043 type: string
10044 region:
10045 description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone'
10046 type: string
10047 secretKey:
10048 description: SecretKey is the non-secret part of the api key.
10049 properties:
10050 secretRef:
10051 description: SecretRef references a key in a secret that will be used as value.
10052 properties:
10053 key:
10054 description: |-
10055 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
10056 defaulted, in others it may be required.
10057 type: string
10058 name:
10059 description: The name of the Secret resource being referred to.
10060 type: string
10061 namespace:
10062 description: |-
10063 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
10064 to the namespace of the referent.
10065 type: string
10066 type: object
10067 value:
10068 description: Value can be specified directly to set a value without using a secret.
10069 type: string
10070 type: object
10071 required:
10072 - accessKey
10073 - projectId
10074 - region
10075 - secretKey
10076 type: object
10077 senhasegura:
10078 description: Senhasegura configures this store to sync secrets using senhasegura provider
10079 properties:
10080 auth:
10081 description: Auth defines parameters to authenticate in senhasegura
10082 properties:
10083 clientId:
10084 type: string
10085 clientSecretSecretRef:
10086 description: |-
10087 A reference to a specific 'key' within a Secret resource,
10088 In some instances, `key` is a required field.
10089 properties:
10090 key:
10091 description: |-
10092 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
10093 defaulted, in others it may be required.
10094 type: string
10095 name:
10096 description: The name of the Secret resource being referred to.
10097 type: string
10098 namespace:
10099 description: |-
10100 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
10101 to the namespace of the referent.
10102 type: string
10103 type: object
10104 required:
10105 - clientId
10106 - clientSecretSecretRef
10107 type: object
10108 ignoreSslCertificate:
10109 default: false
10110 description: IgnoreSslCertificate defines whether the senhasegura server's SSL certificate is ignored, i.e. whether certificate verification is skipped
10111 type: boolean
10112 module:
10113 description: Module defines which senhasegura module should be used to get secrets
10114 type: string
10115 url:
10116 description: URL of senhasegura
10117 type: string
10118 required:
10119 - auth
10120 - module
10121 - url
10122 type: object
10123 vault:
10124 description: Vault configures this store to sync secrets using the HashiCorp Vault provider
10125 properties:
10126 auth:
10127 description: Auth configures how secret-manager authenticates with the Vault server.
10128 properties:
10129 appRole:
10130 description: |-
10131 AppRole authenticates with Vault using the App Role auth mechanism,
10132 with the role and secret stored in a Kubernetes Secret resource.
10133 properties:
10134 path:
10135 default: approle
10136 description: |-
10137 Path where the App Role authentication backend is mounted
10138 in Vault, e.g: "approle"
10139 type: string
10140 roleId:
10141 description: |-
10142 RoleID configured in the App Role authentication backend when setting
10143 up the authentication backend in Vault.
10144 type: string
10145 roleRef:
10146 description: |-
10147 Reference to a key in a Secret that contains the App Role ID used
10148 to authenticate with Vault.
10149 The `key` field must be specified and denotes which entry within the Secret
10150 resource is used as the app role id.
10151 properties:
10152 key:
10153 description: |-
10154 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
10155 defaulted, in others it may be required.
10156 type: string
10157 name:
10158 description: The name of the Secret resource being referred to.
10159 type: string
10160 namespace:
10161 description: |-
10162 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
10163 to the namespace of the referent.
10164 type: string
10165 type: object
10166 secretRef:
10167 description: |-
10168 Reference to a key in a Secret that contains the App Role secret used
10169 to authenticate with Vault.
10170 The `key` field must be specified and denotes which entry within the Secret
10171 resource is used as the app role secret.
10172 properties:
10173 key:
10174 description: |-
10175 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
10176 defaulted, in others it may be required.
10177 type: string
10178 name:
10179 description: The name of the Secret resource being referred to.
10180 type: string
10181 namespace:
10182 description: |-
10183 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
10184 to the namespace of the referent.
10185 type: string
10186 type: object
10187 required:
10188 - path
10189 - secretRef
10190 type: object
10191 cert:
10192 description: |-
10193 Cert authenticates with Vault by passing a client certificate, private key and CA certificate
10194 using the Cert authentication method
10195 properties:
10196 clientCert:
10197 description: |-
10198 ClientCert is a certificate to authenticate using the Cert Vault
10199 authentication method
10200 properties:
10201 key:
10202 description: |-
10203 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
10204 defaulted, in others it may be required.
10205 type: string
10206 name:
10207 description: The name of the Secret resource being referred to.
10208 type: string
10209 namespace:
10210 description: |-
10211 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
10212 to the namespace of the referent.
10213 type: string
10214 type: object
10215 secretRef:
10216 description: |-
10217 SecretRef to a key in a Secret resource containing client private key to
10218 authenticate with Vault using the Cert authentication method
10219 properties:
10220 key:
10221 description: |-
10222 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
10223 defaulted, in others it may be required.
10224 type: string
10225 name:
10226 description: The name of the Secret resource being referred to.
10227 type: string
10228 namespace:
10229 description: |-
10230 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
10231 to the namespace of the referent.
10232 type: string
10233 type: object
10234 type: object
10235 iam:
10236 description: |-
10237 Iam authenticates with Vault by passing a special AWS request signed with AWS IAM credentials
10238 using the AWS IAM authentication method
10239 properties:
10240 externalID:
10241 description: AWS External ID set on assumed IAM roles
10242 type: string
10243 jwt:
10244 description: Specify a service account with IRSA enabled
10245 properties:
10246 serviceAccountRef:
10247 description: A reference to a ServiceAccount resource.
10248 properties:
10249 audiences:
10250 description: |-
10251 Audience specifies the `aud` claim for the service account token
10252 If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
10253 then these audiences will be appended to the list
10254 items:
10255 type: string
10256 type: array
10257 name:
10258 description: The name of the ServiceAccount resource being referred to.
10259 type: string
10260 namespace:
10261 description: |-
10262 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
10263 to the namespace of the referent.
10264 type: string
10265 required:
10266 - name
10267 type: object
10268 type: object
10269 path:
10270 description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
10271 type: string
10272 region:
10273 description: AWS region
10274 type: string
10275 role:
10276 description: This is the AWS role to be assumed before talking to vault
10277 type: string
10278 secretRef:
10279 description: Specify credentials in a Secret object
10280 properties:
10281 accessKeyIDSecretRef:
10282 description: The AccessKeyID is used for authentication
10283 properties:
10284 key:
10285 description: |-
10286 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
10287 defaulted, in others it may be required.
10288 type: string
10289 name:
10290 description: The name of the Secret resource being referred to.
10291 type: string
10292 namespace:
10293 description: |-
10294 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
10295 to the namespace of the referent.
10296 type: string
10297 type: object
10298 secretAccessKeySecretRef:
10299 description: The SecretAccessKey is used for authentication
10300 properties:
10301 key:
10302 description: |-
10303 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
10304 defaulted, in others it may be required.
10305 type: string
10306 name:
10307 description: The name of the Secret resource being referred to.
10308 type: string
10309 namespace:
10310 description: |-
10311 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
10312 to the namespace of the referent.
10313 type: string
10314 type: object
10315 sessionTokenSecretRef:
10316 description: |-
10317 The SessionToken used for authentication
10318 This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
10319 see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
10320 properties:
10321 key:
10322 description: |-
10323 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
10324 defaulted, in others it may be required.
10325 type: string
10326 name:
10327 description: The name of the Secret resource being referred to.
10328 type: string
10329 namespace:
10330 description: |-
10331 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
10332 to the namespace of the referent.
10333 type: string
10334 type: object
10335 type: object
10336 vaultAwsIamServerID:
10337 description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
10338 type: string
10339 vaultRole:
10340 description: Vault Role. In Vault, a role describes an identity with a set of permissions, groups, or policies you want to attach to a user of the secrets engine
10341 type: string
10342 required:
10343 - vaultRole
10344 type: object
10345 jwt:
10346 description: |-
10347 Jwt authenticates with Vault by passing role and JWT token using the
10348 JWT/OIDC authentication method
10349 properties:
10350 kubernetesServiceAccountToken:
10351 description: |-
10352 Optional ServiceAccountToken specifies the Kubernetes service account for which to request
10353 a token with the `TokenRequest` API.
10354 properties:
10355 audiences:
10356 description: |-
10357 Optional audiences field that will be used to request a temporary Kubernetes service
10358 account token for the service account referenced by `serviceAccountRef`.
10359 Defaults to a single audience `vault` if not specified.
10360 Deprecated: use serviceAccountRef.Audiences instead
10361 items:
10362 type: string
10363 type: array
10364 expirationSeconds:
10365 description: |-
10366 Optional expiration time in seconds that will be used to request a temporary
10367 Kubernetes service account token for the service account referenced by
10368 `serviceAccountRef`.
10369 Deprecated: this will be removed in the future.
10370 Defaults to 10 minutes.
10371 format: int64
10372 type: integer
10373 serviceAccountRef:
10374 description: Service account field containing the name of a kubernetes ServiceAccount.
10375 properties:
10376 audiences:
10377 description: |-
10378 Audience specifies the `aud` claim for the service account token
10379 If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
10380 then these audiences will be appended to the list
10381 items:
10382 type: string
10383 type: array
10384 name:
10385 description: The name of the ServiceAccount resource being referred to.
10386 type: string
10387 namespace:
10388 description: |-
10389 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
10390 to the namespace of the referent.
10391 type: string
10392 required:
10393 - name
10394 type: object
10395 required:
10396 - serviceAccountRef
10397 type: object
10398 path:
10399 default: jwt
10400 description: |-
10401 Path where the JWT authentication backend is mounted
10402 in Vault, e.g: "jwt"
10403 type: string
10404 role:
10405 description: |-
10406 Role is a JWT role to authenticate using the JWT/OIDC Vault
10407 authentication method
10408 type: string
10409 secretRef:
10410 description: |-
10411 Optional SecretRef that refers to a key in a Secret resource containing JWT token to
10412 authenticate with Vault using the JWT/OIDC authentication method.
10413 properties:
10414 key:
10415 description: |-
10416 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
10417 defaulted, in others it may be required.
10418 type: string
10419 name:
10420 description: The name of the Secret resource being referred to.
10421 type: string
10422 namespace:
10423 description: |-
10424 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
10425 to the namespace of the referent.
10426 type: string
10427 type: object
10428 required:
10429 - path
10430 type: object
10431 kubernetes:
10432 description: |-
10433 Kubernetes authenticates with Vault by passing the ServiceAccount
10434 token stored in the named Secret resource to the Vault server.
10435 properties:
10436 mountPath:
10437 default: kubernetes
10438 description: |-
10439 Path where the Kubernetes authentication backend is mounted in Vault, e.g:
10440 "kubernetes"
10441 type: string
10442 role:
10443 description: |-
10444 A required field containing the Vault Role to assume. A Role binds a
10445 Kubernetes ServiceAccount with a set of Vault policies.
10446 type: string
10447 secretRef:
10448 description: |-
10449 Optional secret field containing a Kubernetes ServiceAccount JWT used
10450 for authenticating with Vault. If a name is specified without a key,
10451 `token` is the default. If one is not specified, the one bound to
10452 the controller will be used.
10453 properties:
10454 key:
10455 description: |-
10456 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
10457 defaulted, in others it may be required.
10458 type: string
10459 name:
10460 description: The name of the Secret resource being referred to.
10461 type: string
10462 namespace:
10463 description: |-
10464 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
10465 to the namespace of the referent.
10466 type: string
10467 type: object
10468 serviceAccountRef:
10469 description: |-
10470 Optional service account field containing the name of a kubernetes ServiceAccount.
10471 If the service account is specified, the service account secret token JWT will be used
10472 for authenticating with Vault. If the service account selector is not supplied,
10473 the secretRef will be used instead.
10474 properties:
10475 audiences:
10476 description: |-
10477 Audience specifies the `aud` claim for the service account token
10478 If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
10479 then these audiences will be appended to the list
10480 items:
10481 type: string
10482 type: array
10483 name:
10484 description: The name of the ServiceAccount resource being referred to.
10485 type: string
10486 namespace:
10487 description: |-
10488 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
10489 to the namespace of the referent.
10490 type: string
10491 required:
10492 - name
10493 type: object
10494 required:
10495 - mountPath
10496 - role
10497 type: object
10498 ldap:
10499 description: |-
10500 Ldap authenticates with Vault by passing username/password pair using
10501 the LDAP authentication method
10502 properties:
10503 path:
10504 default: ldap
10505 description: |-
10506 Path where the LDAP authentication backend is mounted
10507 in Vault, e.g: "ldap"
10508 type: string
10509 secretRef:
10510 description: |-
10511 SecretRef to a key in a Secret resource containing password for the LDAP
10512 user used to authenticate with Vault using the LDAP authentication
10513 method
10514 properties:
10515 key:
10516 description: |-
10517 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
10518 defaulted, in others it may be required.
10519 type: string
10520 name:
10521 description: The name of the Secret resource being referred to.
10522 type: string
10523 namespace:
10524 description: |-
10525 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
10526 to the namespace of the referent.
10527 type: string
10528 type: object
10529 username:
10530 description: |-
10531 Username is a LDAP user name used to authenticate using the LDAP Vault
10532 authentication method
10533 type: string
10534 required:
10535 - path
10536 - username
10537 type: object
10538 namespace:
10539 description: |-
10540 Name of the vault namespace to authenticate to. This can be different from the namespace your secret is in.
10541 Namespaces is a set of features within Vault Enterprise that allows
10542 Vault environments to support Secure Multi-tenancy. e.g: "ns1".
10543 More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
10544 This will default to Vault.Namespace field if set, or empty otherwise
10545 type: string
10546 tokenSecretRef:
10547 description: TokenSecretRef authenticates with Vault by presenting a token.
10548 properties:
10549 key:
10550 description: |-
10551 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
10552 defaulted, in others it may be required.
10553 type: string
10554 name:
10555 description: The name of the Secret resource being referred to.
10556 type: string
10557 namespace:
10558 description: |-
10559 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
10560 to the namespace of the referent.
10561 type: string
10562 type: object
10563 userPass:
10564 description: UserPass authenticates with Vault by passing username/password pair
10565 properties:
10566 path:
10567 default: user
10568 description: |-
10569 Path where the UserPassword authentication backend is mounted
10570 in Vault, e.g: "user"
10571 type: string
10572 secretRef:
10573 description: |-
10574 SecretRef to a key in a Secret resource containing password for the
10575 user used to authenticate with Vault using the UserPass authentication
10576 method
10577 properties:
10578 key:
10579 description: |-
10580 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
10581 defaulted, in others it may be required.
10582 type: string
10583 name:
10584 description: The name of the Secret resource being referred to.
10585 type: string
10586 namespace:
10587 description: |-
10588 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
10589 to the namespace of the referent.
10590 type: string
10591 type: object
10592 username:
10593 description: |-
10594 Username is a user name used to authenticate using the UserPass Vault
10595 authentication method
10596 type: string
10597 required:
10598 - path
10599 - username
10600 type: object
10601 type: object
10602 caBundle:
10603 description: |-
10604 PEM encoded CA bundle used to validate Vault server certificate. Only used
10605 if the Server URL is using HTTPS protocol. This parameter is ignored for
10606 plain HTTP protocol connection. If not set the system root certificates
10607 are used to validate the TLS connection.
10608 format: byte
10609 type: string
10610 caProvider:
10611 description: The provider for the CA bundle to use to validate Vault server certificate.
10612 properties:
10613 key:
10614 description: The key where the CA certificate can be found in the Secret or ConfigMap.
10615 type: string
10616 name:
10617 description: The name of the object located at the provider type.
10618 type: string
10619 namespace:
10620 description: |-
10621 The namespace the Provider type is in.
10622 Can only be defined when used in a ClusterSecretStore.
10623 type: string
10624 type:
10625 description: The type of provider to use such as "Secret", or "ConfigMap".
10626 enum:
10627 - Secret
10628 - ConfigMap
10629 type: string
10630 required:
10631 - name
10632 - type
10633 type: object
10634 forwardInconsistent:
10635 description: |-
10636 ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
10637 leader instead of simply retrying within a loop. This can increase performance if
10638 the option is enabled serverside.
10639 https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
10640 type: boolean
10641 namespace:
10642 description: |-
10643 Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
10644 Vault environments to support Secure Multi-tenancy. e.g: "ns1".
10645 More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
10646 type: string
10647 path:
10648 description: |-
10649 Path is the mount path of the Vault KV backend endpoint, e.g:
10650 "secret". The v2 KV secret engine version specific "/data" path suffix
10651 for fetching secrets from Vault is optional and will be appended
10652 if not present in specified path.
10653 type: string
10654 readYourWrites:
10655 description: |-
10656 ReadYourWrites ensures isolated read-after-write semantics by
10657 providing discovered cluster replication states in each request.
10658 More information about eventual consistency in Vault can be found here
10659 https://www.vaultproject.io/docs/enterprise/consistency
10660 type: boolean
10661 server:
10662 description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
10663 type: string
10664 tls:
10665 description: |-
10666 The configuration used for client side related TLS communication, when the Vault server
10667 requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
10668 This parameter is ignored for plain HTTP protocol connection.
10669 It's worth noting this configuration is different from the "TLS certificates auth method",
10670 which is available under the `auth.cert` section.
10671 properties:
10672 certSecretRef:
10673 description: |-
10674 CertSecretRef is a certificate added to the transport layer
10675 when communicating with the Vault server.
10676 If no key for the Secret is specified, external-secret will default to 'tls.crt'.
10677 properties:
10678 key:
10679 description: |-
10680 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
10681 defaulted, in others it may be required.
10682 type: string
10683 name:
10684 description: The name of the Secret resource being referred to.
10685 type: string
10686 namespace:
10687 description: |-
10688 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
10689 to the namespace of the referent.
10690 type: string
10691 type: object
10692 keySecretRef:
10693 description: |-
10694 KeySecretRef to a key in a Secret resource containing client private key
10695 added to the transport layer when communicating with the Vault server.
10696 If no key for the Secret is specified, external-secret will default to 'tls.key'.
10697 properties:
10698 key:
10699 description: |-
10700 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
10701 defaulted, in others it may be required.
10702 type: string
10703 name:
10704 description: The name of the Secret resource being referred to.
10705 type: string
10706 namespace:
10707 description: |-
10708 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
10709 to the namespace of the referent.
10710 type: string
10711 type: object
10712 type: object
10713 version:
10714 default: v2
10715 description: |-
10716 Version is the Vault KV secret engine version. This can be either "v1" or
10717 "v2". Version defaults to "v2".
10718 enum:
10719 - v1
10720 - v2
10721 type: string
10722 required:
10723 - auth
10724 - server
10725 type: object
10726 webhook:
10727 description: Webhook configures this store to sync secrets using a generic templated webhook
10728 properties:
10729 body:
10730 description: Body
10731 type: string
10732 caBundle:
10733 description: |-
10734 PEM encoded CA bundle used to validate webhook server certificate. Only used
10735 if the Server URL is using HTTPS protocol. This parameter is ignored for
10736 plain HTTP protocol connection. If not set the system root certificates
10737 are used to validate the TLS connection.
10738 format: byte
10739 type: string
10740 caProvider:
10741 description: The provider for the CA bundle to use to validate webhook server certificate.
10742 properties:
10743 key:
10744 description: The key of the value inside the provider type to use; only used with the "Secret" type
10745 type: string
10746 name:
10747 description: The name of the object located at the provider type.
10748 type: string
10749 namespace:
10750 description: The namespace the Provider type is in.
10751 type: string
10752 type:
10753 description: The type of provider to use such as "Secret", or "ConfigMap".
10754 enum:
10755 - Secret
10756 - ConfigMap
10757 type: string
10758 required:
10759 - name
10760 - type
10761 type: object
10762 headers:
10763 additionalProperties:
10764 type: string
10765 description: Headers
10766 type: object
10767 method:
10768 description: Webhook Method
10769 type: string
10770 result:
10771 description: Result formatting
10772 properties:
10773 jsonPath:
10774 description: Json path of return value
10775 type: string
10776 type: object
10777 secrets:
10778 description: |-
10779 Secrets to fill in templates
10780 These secrets will be passed to the templating function as key value pairs under the given name
10781 items:
10782 properties:
10783 name:
10784 description: Name of this secret in templates
10785 type: string
10786 secretRef:
10787 description: Secret ref to fill in credentials
10788 properties:
10789 key:
10790 description: |-
10791 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
10792 defaulted, in others it may be required.
10793 type: string
10794 name:
10795 description: The name of the Secret resource being referred to.
10796 type: string
10797 namespace:
10798 description: |-
10799 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
10800 to the namespace of the referent.
10801 type: string
10802 type: object
10803 required:
10804 - name
10805 - secretRef
10806 type: object
10807 type: array
10808 timeout:
10809 description: Timeout
10810 type: string
10811 url:
10812 description: Webhook url to call
10813 type: string
10814 required:
10815 - result
10816 - url
10817 type: object
10818 yandexcertificatemanager:
10819 description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider
10820 properties:
10821 apiEndpoint:
10822 description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
10823 type: string
10824 auth:
10825 description: Auth defines the information necessary to authenticate against Yandex Certificate Manager
10826 properties:
10827 authorizedKeySecretRef:
10828 description: The authorized key used for authentication
10829 properties:
10830 key:
10831 description: |-
10832 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
10833 defaulted, in others it may be required.
10834 type: string
10835 name:
10836 description: The name of the Secret resource being referred to.
10837 type: string
10838 namespace:
10839 description: |-
10840 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
10841 to the namespace of the referent.
10842 type: string
10843 type: object
10844 type: object
10845 caProvider:
10846 description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
10847 properties:
10848 certSecretRef:
10849 description: |-
10850 A reference to a specific 'key' within a Secret resource.
10851 In some instances, `key` is a required field.
10852 properties:
10853 key:
10854 description: |-
10855 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
10856 defaulted, in others it may be required.
10857 type: string
10858 name:
10859 description: The name of the Secret resource being referred to.
10860 type: string
10861 namespace:
10862 description: |-
10863 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
10864 to the namespace of the referent.
10865 type: string
10866 type: object
10867 type: object
10868 required:
10869 - auth
10870 type: object
10871 yandexlockbox:
10872 description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
10873 properties:
10874 apiEndpoint:
10875 description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
10876 type: string
10877 auth:
10878 description: Auth defines the information necessary to authenticate against Yandex Lockbox
10879 properties:
10880 authorizedKeySecretRef:
10881 description: The authorized key used for authentication
10882 properties:
10883 key:
10884 description: |-
10885 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
10886 defaulted, in others it may be required.
10887 type: string
10888 name:
10889 description: The name of the Secret resource being referred to.
10890 type: string
10891 namespace:
10892 description: |-
10893 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
10894 to the namespace of the referent.
10895 type: string
10896 type: object
10897 type: object
10898 caProvider:
10899 description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
10900 properties:
10901 certSecretRef:
10902 description: |-
10903 A reference to a specific 'key' within a Secret resource.
10904 In some instances, `key` is a required field.
10905 properties:
10906 key:
10907 description: |-
10908 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
10909 defaulted, in others it may be required.
10910 type: string
10911 name:
10912 description: The name of the Secret resource being referred to.
10913 type: string
10914 namespace:
10915 description: |-
10916 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
10917 to the namespace of the referent.
10918 type: string
10919 type: object
10920 type: object
10921 required:
10922 - auth
10923 type: object
10924 type: object
10925 refreshInterval:
10926 description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config.
10927 type: integer
10928 retrySettings:
10929 description: Used to configure HTTP retries on failure
10930 properties:
10931 maxRetries:
10932 format: int32
10933 type: integer
10934 retryInterval:
10935 type: string
10936 type: object
10937 required:
10938 - provider
10939 type: object
10940 status:
10941 description: SecretStoreStatus defines the observed state of the SecretStore.
10942 properties:
10943 capabilities:
10944 description: SecretStoreCapabilities defines the possible operations a SecretStore can do.
10945 type: string
10946 conditions:
10947 items:
10948 properties:
10949 lastTransitionTime:
10950 format: date-time
10951 type: string
10952 message:
10953 type: string
10954 reason:
10955 type: string
10956 status:
10957 type: string
10958 type:
10959 type: string
10960 required:
10961 - status
10962 - type
10963 type: object
10964 type: array
10965 type: object
10966 type: object
10967 served: true
10968 storage: true
10969 subresources:
10970 status: {}
10971 conversion:
10972 strategy: Webhook
10973 webhook:
10974 conversionReviewVersions:
10975 - v1
10976 clientConfig:
10977 service:
10978 name: external-secrets-webhook
10979 namespace: "default"
10980 path: /convert
10981---
10982# Source: external-secrets/templates/crds/vaultdynamicsecret.yaml
10983apiVersion: apiextensions.k8s.io/v1
10984kind: CustomResourceDefinition
10985metadata:
10986 annotations:
10987 controller-gen.kubebuilder.io/version: v0.14.0
10988 name: vaultdynamicsecrets.generators.external-secrets.io
10989spec:
10990 group: generators.external-secrets.io
10991 names:
10992 categories:
10993 - vaultdynamicsecret
10994 kind: VaultDynamicSecret
10995 listKind: VaultDynamicSecretList
10996 plural: vaultdynamicsecrets
10997 shortNames:
10998 - vaultdynamicsecret
10999 singular: vaultdynamicsecret
11000 scope: Namespaced
11001 versions:
11002 - name: v1alpha1
11003 schema:
11004 openAPIV3Schema:
11005 properties:
11006 apiVersion:
11007 description: |-
11008 APIVersion defines the versioned schema of this representation of an object.
11009 Servers should convert recognized schemas to the latest internal value, and
11010 may reject unrecognized values.
11011 More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
11012 type: string
11013 kind:
11014 description: |-
11015 Kind is a string value representing the REST resource this object represents.
11016 Servers may infer this from the endpoint the client submits requests to.
11017 Cannot be updated.
11018 In CamelCase.
11019 More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
11020 type: string
11021 metadata:
11022 type: object
11023 spec:
11024 properties:
11025 controller:
11026 description: |-
11027 Used to select the correct ESO controller (think: ingress.ingressClassName).
11028 The ESO controller is instantiated with a specific controller name and filters VDS based on this property
11029 type: string
11030 method:
11031 description: Vault API method to use (GET/POST/other)
11032 type: string
11033 parameters:
11034 description: Parameters to pass to Vault write (for non-GET methods)
11035 x-kubernetes-preserve-unknown-fields: true
11036 path:
11037 description: Vault path to obtain the dynamic secret from
11038 type: string
11039 provider:
11040 description: Vault provider common spec
11041 properties:
11042 auth:
11043 description: Auth configures how secret-manager authenticates with the Vault server.
11044 properties:
11045 appRole:
11046 description: |-
11047 AppRole authenticates with Vault using the App Role auth mechanism,
11048 with the role and secret stored in a Kubernetes Secret resource.
11049 properties:
11050 path:
11051 default: approle
11052 description: |-
11053 Path where the App Role authentication backend is mounted
11054 in Vault, e.g: "approle"
11055 type: string
11056 roleId:
11057 description: |-
11058 RoleID configured in the App Role authentication backend when setting
11059 up the authentication backend in Vault.
11060 type: string
11061 roleRef:
11062 description: |-
11063 Reference to a key in a Secret that contains the App Role ID used
11064 to authenticate with Vault.
11065 The `key` field must be specified and denotes which entry within the Secret
11066 resource is used as the app role id.
11067 properties:
11068 key:
11069 description: |-
11070 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
11071 defaulted, in others it may be required.
11072 type: string
11073 name:
11074 description: The name of the Secret resource being referred to.
11075 type: string
11076 namespace:
11077 description: |-
11078 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
11079 to the namespace of the referent.
11080 type: string
11081 type: object
11082 secretRef:
11083 description: |-
11084 Reference to a key in a Secret that contains the App Role secret used
11085 to authenticate with Vault.
11086 The `key` field must be specified and denotes which entry within the Secret
11087 resource is used as the app role secret.
11088 properties:
11089 key:
11090 description: |-
11091 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
11092 defaulted, in others it may be required.
11093 type: string
11094 name:
11095 description: The name of the Secret resource being referred to.
11096 type: string
11097 namespace:
11098 description: |-
11099 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
11100 to the namespace of the referent.
11101 type: string
11102 type: object
11103 required:
11104 - path
11105 - secretRef
11106 type: object
11107 cert:
11108 description: |-
11109 Cert authenticates with TLS certificates by passing the client certificate, private key and CA certificate
11110 to the Cert authentication method
11111 properties:
11112 clientCert:
11113 description: |-
11114 ClientCert is a certificate to authenticate using the Cert Vault
11115 authentication method
11116 properties:
11117 key:
11118 description: |-
11119 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
11120 defaulted, in others it may be required.
11121 type: string
11122 name:
11123 description: The name of the Secret resource being referred to.
11124 type: string
11125 namespace:
11126 description: |-
11127 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
11128 to the namespace of the referent.
11129 type: string
11130 type: object
11131 secretRef:
11132 description: |-
11133 SecretRef to a key in a Secret resource containing client private key to
11134 authenticate with Vault using the Cert authentication method
11135 properties:
11136 key:
11137 description: |-
11138 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
11139 defaulted, in others it may be required.
11140 type: string
11141 name:
11142 description: The name of the Secret resource being referred to.
11143 type: string
11144 namespace:
11145 description: |-
11146 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
11147 to the namespace of the referent.
11148 type: string
11149 type: object
11150 type: object
11151 iam:
11152 description: |-
11153 Iam authenticates with Vault by passing a special AWS request signed with AWS IAM credentials
11154 to the AWS IAM authentication method
11155 properties:
11156 externalID:
11157 description: AWS External ID set on assumed IAM roles
11158 type: string
11159 jwt:
11160 description: Specify a service account with IRSA enabled
11161 properties:
11162 serviceAccountRef:
11163 description: A reference to a ServiceAccount resource.
11164 properties:
11165 audiences:
11166 description: |-
11167 Audience specifies the `aud` claim for the service account token
11168 If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
11169 then these audiences will be appended to the list
11170 items:
11171 type: string
11172 type: array
11173 name:
11174 description: The name of the ServiceAccount resource being referred to.
11175 type: string
11176 namespace:
11177 description: |-
11178 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
11179 to the namespace of the referent.
11180 type: string
11181 required:
11182 - name
11183 type: object
11184 type: object
11185 path:
11186 description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
11187 type: string
11188 region:
11189 description: AWS region
11190 type: string
11191 role:
11192 description: This is the AWS role to be assumed before talking to vault
11193 type: string
11194 secretRef:
11195 description: Specify credentials in a Secret object
11196 properties:
11197 accessKeyIDSecretRef:
11198 description: The AccessKeyID is used for authentication
11199 properties:
11200 key:
11201 description: |-
11202 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
11203 defaulted, in others it may be required.
11204 type: string
11205 name:
11206 description: The name of the Secret resource being referred to.
11207 type: string
11208 namespace:
11209 description: |-
11210 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
11211 to the namespace of the referent.
11212 type: string
11213 type: object
11214 secretAccessKeySecretRef:
11215 description: The SecretAccessKey is used for authentication
11216 properties:
11217 key:
11218 description: |-
11219 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
11220 defaulted, in others it may be required.
11221 type: string
11222 name:
11223 description: The name of the Secret resource being referred to.
11224 type: string
11225 namespace:
11226 description: |-
11227 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
11228 to the namespace of the referent.
11229 type: string
11230 type: object
11231 sessionTokenSecretRef:
11232 description: |-
11233 The SessionToken used for authentication
11234 This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
11235 see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
11236 properties:
11237 key:
11238 description: |-
11239 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
11240 defaulted, in others it may be required.
11241 type: string
11242 name:
11243 description: The name of the Secret resource being referred to.
11244 type: string
11245 namespace:
11246 description: |-
11247 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
11248 to the namespace of the referent.
11249 type: string
11250 type: object
11251 type: object
11252 vaultAwsIamServerID:
11253 description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
11254 type: string
11255 vaultRole:
11256 description: Vault Role. In Vault, a role describes an identity with a set of permissions, groups, or policies you want to attach to a user of the secrets engine
11257 type: string
11258 required:
11259 - vaultRole
11260 type: object
11261 jwt:
11262 description: |-
11263 Jwt authenticates with Vault by passing role and JWT token using the
11264 JWT/OIDC authentication method
11265 properties:
11266 kubernetesServiceAccountToken:
11267 description: |-
11268 Optional ServiceAccountToken specifies the Kubernetes service account for which to request
11269 a token with the `TokenRequest` API.
11270 properties:
11271 audiences:
11272 description: |-
11273 Optional audiences field that will be used to request a temporary Kubernetes service
11274 account token for the service account referenced by `serviceAccountRef`.
11275 Defaults to a single audience `vault` if not specified.
11276 Deprecated: use serviceAccountRef.Audiences instead
11277 items:
11278 type: string
11279 type: array
11280 expirationSeconds:
11281 description: |-
11282 Optional expiration time in seconds that will be used to request a temporary
11283 Kubernetes service account token for the service account referenced by
11284 `serviceAccountRef`.
11285 Deprecated: this will be removed in the future.
11286 Defaults to 10 minutes.
11287 format: int64
11288 type: integer
11289 serviceAccountRef:
11290 description: Service account field containing the name of a kubernetes ServiceAccount.
11291 properties:
11292 audiences:
11293 description: |-
11294 Audience specifies the `aud` claim for the service account token
11295 If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
11296 then these audiences will be appended to the list
11297 items:
11298 type: string
11299 type: array
11300 name:
11301 description: The name of the ServiceAccount resource being referred to.
11302 type: string
11303 namespace:
11304 description: |-
11305 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
11306 to the namespace of the referent.
11307 type: string
11308 required:
11309 - name
11310 type: object
11311 required:
11312 - serviceAccountRef
11313 type: object
11314 path:
11315 default: jwt
11316 description: |-
11317 Path where the JWT authentication backend is mounted
11318 in Vault, e.g: "jwt"
11319 type: string
11320 role:
11321 description: |-
11322 Role is a JWT role to authenticate using the JWT/OIDC Vault
11323 authentication method
11324 type: string
11325 secretRef:
11326 description: |-
11327 Optional SecretRef that refers to a key in a Secret resource containing JWT token to
11328 authenticate with Vault using the JWT/OIDC authentication method.
11329 properties:
11330 key:
11331 description: |-
11332 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
11333 defaulted, in others it may be required.
11334 type: string
11335 name:
11336 description: The name of the Secret resource being referred to.
11337 type: string
11338 namespace:
11339 description: |-
11340 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
11341 to the namespace of the referent.
11342 type: string
11343 type: object
11344 required:
11345 - path
11346 type: object
11347 kubernetes:
11348 description: |-
11349 Kubernetes authenticates with Vault by passing the ServiceAccount
11350 token stored in the named Secret resource to the Vault server.
11351 properties:
11352 mountPath:
11353 default: kubernetes
11354 description: |-
11355 Path where the Kubernetes authentication backend is mounted in Vault, e.g:
11356 "kubernetes"
11357 type: string
11358 role:
11359 description: |-
11360 A required field containing the Vault Role to assume. A Role binds a
11361 Kubernetes ServiceAccount with a set of Vault policies.
11362 type: string
11363 secretRef:
11364 description: |-
11365 Optional secret field containing a Kubernetes ServiceAccount JWT used
11366 for authenticating with Vault. If a name is specified without a key,
11367 `token` is the default. If one is not specified, the one bound to
11368 the controller will be used.
11369 properties:
11370 key:
11371 description: |-
11372 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
11373 defaulted, in others it may be required.
11374 type: string
11375 name:
11376 description: The name of the Secret resource being referred to.
11377 type: string
11378 namespace:
11379 description: |-
11380 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
11381 to the namespace of the referent.
11382 type: string
11383 type: object
11384 serviceAccountRef:
11385 description: |-
11386 Optional service account field containing the name of a kubernetes ServiceAccount.
11387 If the service account is specified, the service account secret token JWT will be used
11388 for authenticating with Vault. If the service account selector is not supplied,
11389 the secretRef will be used instead.
11390 properties:
11391 audiences:
11392 description: |-
11393 Audience specifies the `aud` claim for the service account token
11394 If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
11395 then these audiences will be appended to the list
11396 items:
11397 type: string
11398 type: array
11399 name:
11400 description: The name of the ServiceAccount resource being referred to.
11401 type: string
11402 namespace:
11403 description: |-
11404 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
11405 to the namespace of the referent.
11406 type: string
11407 required:
11408 - name
11409 type: object
11410 required:
11411 - mountPath
11412 - role
11413 type: object
11414 ldap:
11415 description: |-
11416 Ldap authenticates with Vault by passing username/password pair using
11417 the LDAP authentication method
11418 properties:
11419 path:
11420 default: ldap
11421 description: |-
11422 Path where the LDAP authentication backend is mounted
11423 in Vault, e.g: "ldap"
11424 type: string
11425 secretRef:
11426 description: |-
11427 SecretRef to a key in a Secret resource containing password for the LDAP
11428 user used to authenticate with Vault using the LDAP authentication
11429 method
11430 properties:
11431 key:
11432 description: |-
11433 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
11434 defaulted, in others it may be required.
11435 type: string
11436 name:
11437 description: The name of the Secret resource being referred to.
11438 type: string
11439 namespace:
11440 description: |-
11441 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
11442 to the namespace of the referent.
11443 type: string
11444 type: object
11445 username:
11446 description: |-
11447 Username is a LDAP user name used to authenticate using the LDAP Vault
11448 authentication method
11449 type: string
11450 required:
11451 - path
11452 - username
11453 type: object
11454 namespace:
11455 description: |-
11456 Name of the Vault namespace to authenticate to. This can be different from the namespace your secret is in.
11457 Namespaces is a set of features within Vault Enterprise that allows
11458 Vault environments to support Secure Multi-tenancy. e.g: "ns1".
11459 More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
11460 This defaults to the Vault.Namespace field if set, or empty otherwise
11461 type: string
11462 tokenSecretRef:
11463 description: TokenSecretRef authenticates with Vault by presenting a token.
11464 properties:
11465 key:
11466 description: |-
11467 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
11468 defaulted, in others it may be required.
11469 type: string
11470 name:
11471 description: The name of the Secret resource being referred to.
11472 type: string
11473 namespace:
11474 description: |-
11475 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
11476 to the namespace of the referent.
11477 type: string
11478 type: object
11479 userPass:
11480 description: UserPass authenticates with Vault by passing username/password pair
11481 properties:
11482 path:
11483 default: user
11484 description: |-
11485 Path where the UserPassword authentication backend is mounted
11486 in Vault, e.g: "user"
11487 type: string
11488 secretRef:
11489 description: |-
11490 SecretRef to a key in a Secret resource containing password for the
11491 user used to authenticate with Vault using the UserPass authentication
11492 method
11493 properties:
11494 key:
11495 description: |-
11496 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
11497 defaulted, in others it may be required.
11498 type: string
11499 name:
11500 description: The name of the Secret resource being referred to.
11501 type: string
11502 namespace:
11503 description: |-
11504 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
11505 to the namespace of the referent.
11506 type: string
11507 type: object
11508 username:
11509 description: |-
11510 Username is a user name used to authenticate using the UserPass Vault
11511 authentication method
11512 type: string
11513 required:
11514 - path
11515 - username
11516 type: object
11517 type: object
11518 caBundle:
11519 description: |-
11520 PEM encoded CA bundle used to validate Vault server certificate. Only used
11521 if the Server URL is using HTTPS protocol. This parameter is ignored for
11522 plain HTTP protocol connection. If not set the system root certificates
11523 are used to validate the TLS connection.
11524 format: byte
11525 type: string
11526 caProvider:
11527 description: The provider for the CA bundle to use to validate Vault server certificate.
11528 properties:
11529 key:
11530 description: The key where the CA certificate can be found in the Secret or ConfigMap.
11531 type: string
11532 name:
11533 description: The name of the object located at the provider type.
11534 type: string
11535 namespace:
11536 description: |-
11537 The namespace the Provider type is in.
11538 Can only be defined when used in a ClusterSecretStore.
11539 type: string
11540 type:
11541 description: The type of provider to use such as "Secret", or "ConfigMap".
11542 enum:
11543 - Secret
11544 - ConfigMap
11545 type: string
11546 required:
11547 - name
11548 - type
11549 type: object
11550 forwardInconsistent:
11551 description: |-
11552 ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
11553 leader instead of simply retrying within a loop. This can increase performance if
11554 the option is enabled serverside.
11555 https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
11556 type: boolean
11557 namespace:
11558 description: |-
11559 Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
11560 Vault environments to support Secure Multi-tenancy. e.g: "ns1".
11561 More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
11562 type: string
11563 path:
11564 description: |-
11565 Path is the mount path of the Vault KV backend endpoint, e.g:
11566 "secret". The v2 KV secret engine version specific "/data" path suffix
11567 for fetching secrets from Vault is optional and will be appended
11568 if not present in specified path.
11569 type: string
11570 readYourWrites:
11571 description: |-
11572 ReadYourWrites ensures isolated read-after-write semantics by
11573 providing discovered cluster replication states in each request.
11574 More information about eventual consistency in Vault can be found here
11575 https://www.vaultproject.io/docs/enterprise/consistency
11576 type: boolean
11577 server:
11578 description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
11579 type: string
11580 tls:
11581 description: |-
11582 The configuration used for client side related TLS communication, when the Vault server
11583 requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
11584 This parameter is ignored for plain HTTP protocol connection.
11585 It's worth noting this configuration is different from the "TLS certificates auth method",
11586 which is available under the `auth.cert` section.
11587 properties:
11588 certSecretRef:
11589 description: |-
11590 CertSecretRef is a certificate added to the transport layer
11591 when communicating with the Vault server.
11592 If no key for the Secret is specified, external-secret will default to 'tls.crt'.
11593 properties:
11594 key:
11595 description: |-
11596 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
11597 defaulted, in others it may be required.
11598 type: string
11599 name:
11600 description: The name of the Secret resource being referred to.
11601 type: string
11602 namespace:
11603 description: |-
11604 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
11605 to the namespace of the referent.
11606 type: string
11607 type: object
11608 keySecretRef:
11609 description: |-
11610 KeySecretRef to a key in a Secret resource containing client private key
11611 added to the transport layer when communicating with the Vault server.
11612 If no key for the Secret is specified, external-secret will default to 'tls.key'.
11613 properties:
11614 key:
11615 description: |-
11616 The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
11617 defaulted, in others it may be required.
11618 type: string
11619 name:
11620 description: The name of the Secret resource being referred to.
11621 type: string
11622 namespace:
11623 description: |-
11624 Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
11625 to the namespace of the referent.
11626 type: string
11627 type: object
11628 type: object
11629 version:
11630 default: v2
11631 description: |-
11632 Version is the Vault KV secret engine version. This can be either "v1" or
11633 "v2". Version defaults to "v2".
11634 enum:
11635 - v1
11636 - v2
11637 type: string
11638 required:
11639 - auth
11640 - server
11641 type: object
11642 resultType:
11643 default: Data
11644 description: |-
11645 Result type defines which data is returned from the generator.
11646 By default it is the "data" section of the Vault API response.
11647 When using e.g. /auth/token/create the "data" section is empty but
11648 the "auth" section contains the generated token.
11649 Please refer to the vault docs regarding the result data structure.
11650 enum:
11651 - Data
11652 - Auth
11653 type: string
11654 required:
11655 - path
11656 - provider
11657 type: object
11658 type: object
11659 served: true
11660 storage: true
11661 subresources:
11662 status: {}
11663 conversion:
11664 strategy: Webhook
11665 webhook:
11666 conversionReviewVersions:
11667 - v1
11668 clientConfig:
11669 service:
11670 name: external-secrets-webhook
11671 namespace: "default"
11672 path: /convert
11673---
# Source: external-secrets/templates/crds/webhook.yaml
# CRD for the namespaced Webhook generator. Its spec describes an outbound
# HTTP(S) request (url, method, headers, body) whose response is turned into
# secret data via result.jsonPath. The conversion webhook at the end of this
# document is served by the external-secrets-webhook Service in "default";
# no caBundle appears in its clientConfig here, so it is presumably injected
# at runtime by the cert-controller — confirm.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.14.0
  name: webhooks.generators.external-secrets.io
spec:
  group: generators.external-secrets.io
  names:
    categories:
      - webhook
    kind: Webhook
    listKind: WebhookList
    plural: webhooks
    shortNames:
      - webhookl
    singular: webhook
  scope: Namespaced
  versions:
    - name: v1alpha1
      schema:
        openAPIV3Schema:
          description: |-
            Webhook connects to a third party API server to handle the secrets generation
            configuration parameters in spec.
            You can specify the server, the token, and additional body parameters.
            See documentation for the full API specification for requests and responses.
          properties:
            apiVersion:
              description: |-
                APIVersion defines the versioned schema of this representation of an object.
                Servers should convert recognized schemas to the latest internal value, and
                may reject unrecognized values.
                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
              type: string
            kind:
              description: |-
                Kind is a string value representing the REST resource this object represents.
                Servers may infer this from the endpoint the client submits requests to.
                Cannot be updated.
                In CamelCase.
                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
              type: string
            metadata:
              type: object
            spec:
              description: WebhookSpec controls the behavior of the external generator. Any body parameters should be passed to the server through the parameters field.
              properties:
                body:
                  description: Body
                  type: string
                # Server-certificate trust for HTTPS urls: either an inline PEM bundle
                # (caBundle) or a Secret/ConfigMap reference (caProvider). Per the
                # descriptions both are ignored for plain-HTTP urls, and with neither
                # set the system root CAs are used.
                caBundle:
                  description: |-
                    PEM encoded CA bundle used to validate webhook server certificate. Only used
                    if the Server URL is using HTTPS protocol. This parameter is ignored for
                    plain HTTP protocol connection. If not set the system root certificates
                    are used to validate the TLS connection.
                  format: byte
                  type: string
                caProvider:
                  description: The provider for the CA bundle to use to validate webhook server certificate.
                  properties:
                    key:
                      description: The key the value inside of the provider type to use, only used with "Secret" type
                      type: string
                    name:
                      description: The name of the object located at the provider type.
                      type: string
                    namespace:
                      description: The namespace the Provider type is in.
                      type: string
                    type:
                      description: The type of provider to use such as "Secret", or "ConfigMap".
                      enum:
                        - Secret
                        - ConfigMap
                      type: string
                  required:
                    - name
                    - type
                  type: object
                headers:
                  additionalProperties:
                    type: string
                  description: Headers
                  type: object
                method:
                  description: Webhook Method
                  type: string
                result:
                  description: Result formatting
                  properties:
                    jsonPath:
                      description: Json path of return value
                      type: string
                  type: object
                # Secrets referenced here are exposed to the request template under
                # the given name. secretRef carries only key/name (no namespace), so
                # presumably the Secret is resolved in the Webhook's own namespace —
                # confirm against the controller.
                secrets:
                  description: |-
                    Secrets to fill in templates
                    These secrets will be passed to the templating function as key value pairs under the given name
                  items:
                    properties:
                      name:
                        description: Name of this secret in templates
                        type: string
                      secretRef:
                        description: Secret ref to fill in credentials
                        properties:
                          key:
                            description: The key where the token is found.
                            type: string
                          name:
                            description: The name of the Secret resource being referred to.
                            type: string
                        type: object
                    required:
                      - name
                      - secretRef
                    type: object
                  type: array
                timeout:
                  description: Timeout
                  type: string
                # The schema accepts any string here; a plain-http url carries the
                # templated secrets without TLS (see the caBundle description above).
                url:
                  description: Webhook url to call
                  type: string
              required:
                - result
                - url
              type: object
          type: object
      served: true
      storage: true
      subresources:
        status: {}
  conversion:
    strategy: Webhook
    webhook:
      conversionReviewVersions:
        - v1
      clientConfig:
        service:
          name: external-secrets-webhook
          namespace: "default"
          path: /convert
11820---
# Source: external-secrets/templates/cert-controller-rbac.yaml
# Cluster-wide permissions for the cert-controller. The write verbs on CRDs and
# ValidatingWebhookConfigurations are presumably what lets it keep the webhook CA
# bundle in those objects current; the secrets rule covers the serving-cert Secret
# named by its --secret-name/--secret-namespace args — confirm against the binary.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: external-secrets-cert-controller
  labels:
    helm.sh/chart: external-secrets-v0.9.16
    app.kubernetes.io/name: external-secrets-cert-controller
    app.kubernetes.io/instance: external-secrets
    app.kubernetes.io/version: "v0.9.16"
    app.kubernetes.io/managed-by: Helm
rules:
  - apiGroups:
      - "apiextensions.k8s.io"
    resources:
      - "customresourcedefinitions"
    verbs:
      - "get"
      - "list"
      - "watch"
      - "update"
      - "patch"
  - apiGroups:
      - "admissionregistration.k8s.io"
    resources:
      - "validatingwebhookconfigurations"
    verbs:
      - "get"
      - "list"
      - "watch"
      - "update"
      - "patch"
  - apiGroups:
      - ""
    resources:
      - "endpoints"
    verbs:
      - "list"
      - "get"
      - "watch"
  - apiGroups:
      - ""
    resources:
      - "events"
    verbs:
      - "create"
      - "patch"
  # NOTE(review): get/update/patch on Secrets is granted cluster-wide with no
  # resourceNames restriction, although this controller is pointed at a single
  # Secret (external-secrets-webhook in "default"). If the controller's cache
  # does not need an unscoped list/watch, the write verbs could be narrowed with
  # resourceNames — confirm before changing.
  - apiGroups:
      - ""
    resources:
      - "secrets"
    verbs:
      - "get"
      - "list"
      - "watch"
      - "update"
      - "patch"
  # Leader election leases; no resourceNames, so any lease in the cluster is writable.
  - apiGroups:
      - "coordination.k8s.io"
    resources:
      - "leases"
    verbs:
      - "get"
      - "create"
      - "update"
      - "patch"
11887---
# Source: external-secrets/templates/rbac.yaml
# Cluster-wide permissions for the main external-secrets controller. Two rules
# below are effectively cluster-admin-equivalent and deserve attention from
# anyone reviewing this install: full write access to Secrets in every
# namespace, and the ability to mint tokens for any ServiceAccount. Both are
# granted without namespace or resourceNames restrictions. If the operator does
# not need to serve every namespace, check whether the chart's namespace-scoping
# options (scopedNamespace / scopedRBAC) apply — confirm against values.yaml.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: external-secrets-controller
  labels:
    helm.sh/chart: external-secrets-v0.9.16
    app.kubernetes.io/name: external-secrets
    app.kubernetes.io/instance: external-secrets
    app.kubernetes.io/version: "v0.9.16"
    app.kubernetes.io/managed-by: Helm
rules:
  - apiGroups:
      - "external-secrets.io"
    resources:
      - "secretstores"
      - "clustersecretstores"
      - "externalsecrets"
      - "clusterexternalsecrets"
      - "pushsecrets"
    verbs:
      - "get"
      - "list"
      - "watch"
  - apiGroups:
      - "external-secrets.io"
    resources:
      - "externalsecrets"
      - "externalsecrets/status"
      - "externalsecrets/finalizers"
      - "secretstores"
      - "secretstores/status"
      - "secretstores/finalizers"
      - "clustersecretstores"
      - "clustersecretstores/status"
      - "clustersecretstores/finalizers"
      - "clusterexternalsecrets"
      - "clusterexternalsecrets/status"
      - "clusterexternalsecrets/finalizers"
      - "pushsecrets"
      - "pushsecrets/status"
      - "pushsecrets/finalizers"
    verbs:
      - "update"
      - "patch"
  - apiGroups:
      - "generators.external-secrets.io"
    resources:
      - "acraccesstokens"
      - "ecrauthorizationtokens"
      - "fakes"
      - "gcraccesstokens"
      - "githubaccesstokens"
      - "passwords"
      - "vaultdynamicsecrets"
      - "webhooks"
    verbs:
      - "get"
      - "list"
      - "watch"
  - apiGroups:
      - ""
    resources:
      - "serviceaccounts"
      - "namespaces"
    verbs:
      - "get"
      - "list"
      - "watch"
  - apiGroups:
      - ""
    resources:
      - "configmaps"
    verbs:
      - "get"
      - "list"
      - "watch"
  # Full lifecycle on Secrets cluster-wide: the controller both reads provider
  # credentials referenced by stores and writes the synced target Secrets.
  # Anyone able to run code as this ServiceAccount can read every Secret in
  # the cluster, so treat the pod and its token as a tier-0 asset.
  - apiGroups:
      - ""
    resources:
      - "secrets"
    verbs:
      - "get"
      - "list"
      - "watch"
      - "create"
      - "update"
      - "delete"
      - "patch"
  # TokenRequest on any ServiceAccount in the cluster (presumably for provider
  # auth via serviceAccountRef). This lets the controller act as any
  # ServiceAccount; combined with the Secrets rule above it is the most
  # sensitive grant in this file.
  - apiGroups:
      - ""
    resources:
      - "serviceaccounts/token"
    verbs:
      - "create"
  - apiGroups:
      - ""
    resources:
      - "events"
    verbs:
      - "create"
      - "patch"
  # create/update/delete on ExternalSecrets (presumably the ClusterExternalSecret
  # fan-out into target namespaces — confirm).
  - apiGroups:
      - "external-secrets.io"
    resources:
      - "externalsecrets"
    verbs:
      - "create"
      - "update"
      - "delete"
11998---
# Source: external-secrets/templates/rbac.yaml
# Read-only rules aggregated into the built-in view, edit and admin ClusterRoles.
# Note that this makes SecretStore/ClusterSecretStore specs (provider endpoints
# and auth references, not the secret values) visible to every "view" holder.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: external-secrets-view
  labels:
    helm.sh/chart: external-secrets-v0.9.16
    app.kubernetes.io/name: external-secrets
    app.kubernetes.io/instance: external-secrets
    app.kubernetes.io/version: "v0.9.16"
    app.kubernetes.io/managed-by: Helm
    rbac.authorization.k8s.io/aggregate-to-view: "true"
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
  - apiGroups: [external-secrets.io]
    resources: [externalsecrets, secretstores, clustersecretstores, pushsecrets]
    verbs: [get, watch, list]
  - apiGroups: [generators.external-secrets.io]
    resources:
      - acraccesstokens
      - ecrauthorizationtokens
      - fakes
      - gcraccesstokens
      - githubaccesstokens
      - passwords
      - vaultdynamicsecrets
      - webhooks
    verbs: [get, watch, list]
12041# Source: external-secrets/templates/rbac.yaml
12042apiVersion: rbac.authorization.k8s.io/v1
12043kind: ClusterRole
12044metadata:
12045 name: external-secrets-edit
12046 labels:
12047 helm.sh/chart: external-secrets-v0.9.16
12048 app.kubernetes.io/name: external-secrets
12049 app.kubernetes.io/instance: external-secrets
12050 app.kubernetes.io/version: "v0.9.16"
12051 app.kubernetes.io/managed-by: Helm
12052 rbac.authorization.k8s.io/aggregate-to-edit: "true"
12053 rbac.authorization.k8s.io/aggregate-to-admin: "true"
12054rules:
12055 - apiGroups:
12056 - "external-secrets.io"
12057 resources:
12058 - "externalsecrets"
12059 - "secretstores"
12060 - "clustersecretstores"
12061 - "pushsecrets"
12062 verbs:
12063 - "create"
12064 - "delete"
12065 - "deletecollection"
12066 - "patch"
12067 - "update"
12068 - apiGroups:
12069 - "generators.external-secrets.io"
12070 resources:
12071 - "acraccesstokens"
12072 - "ecrauthorizationtokens"
12073 - "fakes"
12074 - "gcraccesstokens"
12075 - "githubaccesstokens"
12076 - "passwords"
12077 - "vaultdynamicsecrets"
12078 - "webhooks"
12079 verbs:
12080 - "create"
12081 - "delete"
12082 - "deletecollection"
12083 - "patch"
12084 - "update"
12085---
12086# Source: external-secrets/templates/rbac.yaml
12087apiVersion: rbac.authorization.k8s.io/v1
12088kind: ClusterRole
12089metadata:
12090 name: external-secrets-servicebindings
12091 labels:
12092 servicebinding.io/controller: "true"
12093 helm.sh/chart: external-secrets-v0.9.16
12094 app.kubernetes.io/name: external-secrets
12095 app.kubernetes.io/instance: external-secrets
12096 app.kubernetes.io/version: "v0.9.16"
12097 app.kubernetes.io/managed-by: Helm
12098rules:
12099 - apiGroups:
12100 - "external-secrets.io"
12101 resources:
12102 - "externalsecrets"
12103 verbs:
12104 - "get"
12105 - "list"
12106 - "watch"
12107---
12108# Source: external-secrets/templates/cert-controller-rbac.yaml
12109apiVersion: rbac.authorization.k8s.io/v1
12110kind: ClusterRoleBinding
12111metadata:
12112 name: external-secrets-cert-controller
12113 labels:
12114 helm.sh/chart: external-secrets-v0.9.16
12115 app.kubernetes.io/name: external-secrets-cert-controller
12116 app.kubernetes.io/instance: external-secrets
12117 app.kubernetes.io/version: "v0.9.16"
12118 app.kubernetes.io/managed-by: Helm
12119roleRef:
12120 apiGroup: rbac.authorization.k8s.io
12121 kind: ClusterRole
12122 name: external-secrets-cert-controller
12123subjects:
12124 - name: external-secrets-cert-controller
12125 namespace: default
12126 kind: ServiceAccount
12127---
12128# Source: external-secrets/templates/rbac.yaml
12129apiVersion: rbac.authorization.k8s.io/v1
12130kind: ClusterRoleBinding
12131metadata:
12132 name: external-secrets-controller
12133 labels:
12134 helm.sh/chart: external-secrets-v0.9.16
12135 app.kubernetes.io/name: external-secrets
12136 app.kubernetes.io/instance: external-secrets
12137 app.kubernetes.io/version: "v0.9.16"
12138 app.kubernetes.io/managed-by: Helm
12139roleRef:
12140 apiGroup: rbac.authorization.k8s.io
12141 kind: ClusterRole
12142 name: external-secrets-controller
12143subjects:
12144 - name: external-secrets
12145 namespace: default
12146 kind: ServiceAccount
12147---
12148# Source: external-secrets/templates/rbac.yaml
12149apiVersion: rbac.authorization.k8s.io/v1
12150kind: Role
12151metadata:
12152 name: external-secrets-leaderelection
12153 namespace: default
12154 labels:
12155 helm.sh/chart: external-secrets-v0.9.16
12156 app.kubernetes.io/name: external-secrets
12157 app.kubernetes.io/instance: external-secrets
12158 app.kubernetes.io/version: "v0.9.16"
12159 app.kubernetes.io/managed-by: Helm
12160rules:
12161 - apiGroups:
12162 - ""
12163 resources:
12164 - "configmaps"
12165 resourceNames:
12166 - "external-secrets-controller"
12167 verbs:
12168 - "get"
12169 - "update"
12170 - "patch"
12171 - apiGroups:
12172 - ""
12173 resources:
12174 - "configmaps"
12175 verbs:
12176 - "create"
12177 - apiGroups:
12178 - "coordination.k8s.io"
12179 resources:
12180 - "leases"
12181 verbs:
12182 - "get"
12183 - "create"
12184 - "update"
12185 - "patch"
12186---
12187# Source: external-secrets/templates/rbac.yaml
12188apiVersion: rbac.authorization.k8s.io/v1
12189kind: RoleBinding
12190metadata:
12191 name: external-secrets-leaderelection
12192 namespace: default
12193 labels:
12194 helm.sh/chart: external-secrets-v0.9.16
12195 app.kubernetes.io/name: external-secrets
12196 app.kubernetes.io/instance: external-secrets
12197 app.kubernetes.io/version: "v0.9.16"
12198 app.kubernetes.io/managed-by: Helm
12199roleRef:
12200 apiGroup: rbac.authorization.k8s.io
12201 kind: Role
12202 name: external-secrets-leaderelection
12203subjects:
12204 - kind: ServiceAccount
12205 name: external-secrets
12206 namespace: default
12207---
12208# Source: external-secrets/templates/webhook-service.yaml
12209apiVersion: v1
12210kind: Service
12211metadata:
12212 name: external-secrets-webhook
12213 namespace: default
12214 labels:
12215 helm.sh/chart: external-secrets-v0.9.16
12216 app.kubernetes.io/name: external-secrets-webhook
12217 app.kubernetes.io/instance: external-secrets
12218 app.kubernetes.io/version: "v0.9.16"
12219 app.kubernetes.io/managed-by: Helm
12220 external-secrets.io/component: webhook
12221spec:
12222 type: ClusterIP
12223 ports:
12224 - port: 443
12225 targetPort: 10250
12226 protocol: TCP
12227 name: webhook
12228 selector:
12229 app.kubernetes.io/name: external-secrets-webhook
12230 app.kubernetes.io/instance: external-secrets
12231---
12232# Source: external-secrets/templates/cert-controller-deployment.yaml
12233apiVersion: apps/v1
12234kind: Deployment
12235metadata:
12236 name: external-secrets-cert-controller
12237 namespace: default
12238 labels:
12239 helm.sh/chart: external-secrets-v0.9.16
12240 app.kubernetes.io/name: external-secrets-cert-controller
12241 app.kubernetes.io/instance: external-secrets
12242 app.kubernetes.io/version: "v0.9.16"
12243 app.kubernetes.io/managed-by: Helm
12244spec:
12245 replicas: 1
12246 revisionHistoryLimit: 10
12247 selector:
12248 matchLabels:
12249 app.kubernetes.io/name: external-secrets-cert-controller
12250 app.kubernetes.io/instance: external-secrets
12251 template:
12252 metadata:
12253 labels:
12254 helm.sh/chart: external-secrets-v0.9.16
12255 app.kubernetes.io/name: external-secrets-cert-controller
12256 app.kubernetes.io/instance: external-secrets
12257 app.kubernetes.io/version: "v0.9.16"
12258 app.kubernetes.io/managed-by: Helm
12259 spec:
12260 serviceAccountName: external-secrets-cert-controller
12261 automountServiceAccountToken: true
12262 hostNetwork: false
12263 containers:
12264 - name: cert-controller
12265 securityContext:
12266 allowPrivilegeEscalation: false
12267 capabilities:
12268 drop:
12269 - ALL
12270 readOnlyRootFilesystem: true
12271 runAsNonRoot: true
12272 runAsUser: 1000
12273 seccompProfile:
12274 type: RuntimeDefault
12275 image: ghcr.io/external-secrets/external-secrets:v0.9.16
12276 imagePullPolicy: IfNotPresent
12277 args:
12278 - certcontroller
12279 - --crd-requeue-interval=5m
12280 - --service-name=external-secrets-webhook
12281 - --service-namespace=default
12282 - --secret-name=external-secrets-webhook
12283 - --secret-namespace=default
12284 - --metrics-addr=:8080
12285 - --healthz-addr=:8081
12286
12287 ports:
12288 - containerPort: 8080
12289 protocol: TCP
12290 name: metrics
12291 readinessProbe:
12292 httpGet:
12293 port: 8081
12294 path: /readyz
12295 initialDelaySeconds: 20
12296 periodSeconds: 5
12297---
12298# Source: external-secrets/templates/deployment.yaml
12299apiVersion: apps/v1
12300kind: Deployment
12301metadata:
12302 name: external-secrets
12303 namespace: default
12304 labels:
12305 helm.sh/chart: external-secrets-v0.9.16
12306 app.kubernetes.io/name: external-secrets
12307 app.kubernetes.io/instance: external-secrets
12308 app.kubernetes.io/version: "v0.9.16"
12309 app.kubernetes.io/managed-by: Helm
12310spec:
12311 replicas: 1
12312 revisionHistoryLimit: 10
12313 selector:
12314 matchLabels:
12315 app.kubernetes.io/name: external-secrets
12316 app.kubernetes.io/instance: external-secrets
12317 template:
12318 metadata:
12319 labels:
12320 helm.sh/chart: external-secrets-v0.9.16
12321 app.kubernetes.io/name: external-secrets
12322 app.kubernetes.io/instance: external-secrets
12323 app.kubernetes.io/version: "v0.9.16"
12324 app.kubernetes.io/managed-by: Helm
12325 spec:
12326 serviceAccountName: external-secrets
12327 automountServiceAccountToken: true
12328 hostNetwork: false
12329 containers:
12330 - name: external-secrets
12331 securityContext:
12332 allowPrivilegeEscalation: false
12333 capabilities:
12334 drop:
12335 - ALL
12336 readOnlyRootFilesystem: true
12337 runAsNonRoot: true
12338 runAsUser: 1000
12339 seccompProfile:
12340 type: RuntimeDefault
12341 image: ghcr.io/external-secrets/external-secrets:v0.9.16
12342 imagePullPolicy: IfNotPresent
12343 args:
12344 - --concurrent=1
12345 - --metrics-addr=:8080
12346 ports:
12347 - containerPort: 8080
12348 protocol: TCP
12349 name: metrics
12350 resources:
12351 requests:
12352 cpu: 10m
12353 memory: 32Mi
12354---
12355# Source: external-secrets/templates/webhook-deployment.yaml
12356apiVersion: apps/v1
12357kind: Deployment
12358metadata:
12359 name: external-secrets-webhook
12360 namespace: default
12361 labels:
12362 helm.sh/chart: external-secrets-v0.9.16
12363 app.kubernetes.io/name: external-secrets-webhook
12364 app.kubernetes.io/instance: external-secrets
12365 app.kubernetes.io/version: "v0.9.16"
12366 app.kubernetes.io/managed-by: Helm
12367spec:
12368 replicas: 1
12369 revisionHistoryLimit: 10
12370 selector:
12371 matchLabels:
12372 app.kubernetes.io/name: external-secrets-webhook
12373 app.kubernetes.io/instance: external-secrets
12374 template:
12375 metadata:
12376 labels:
12377 helm.sh/chart: external-secrets-v0.9.16
12378 app.kubernetes.io/name: external-secrets-webhook
12379 app.kubernetes.io/instance: external-secrets
12380 app.kubernetes.io/version: "v0.9.16"
12381 app.kubernetes.io/managed-by: Helm
12382 spec:
12383 hostNetwork: false
12384 serviceAccountName: external-secrets-webhook
12385 automountServiceAccountToken: true
12386 containers:
12387 - name: webhook
12388 securityContext:
12389 allowPrivilegeEscalation: false
12390 capabilities:
12391 drop:
12392 - ALL
12393 readOnlyRootFilesystem: true
12394 runAsNonRoot: true
12395 runAsUser: 1000
12396 seccompProfile:
12397 type: RuntimeDefault
12398 image: ghcr.io/external-secrets/external-secrets:v0.9.16
12399 imagePullPolicy: IfNotPresent
12400 args:
12401 - webhook
12402 - --port=10250
12403 - --dns-name=external-secrets-webhook.default.svc
12404 - --cert-dir=/tmp/certs
12405 - --check-interval=5m
12406 - --metrics-addr=:8080
12407 - --healthz-addr=:8081
12408 ports:
12409 - containerPort: 8080
12410 protocol: TCP
12411 name: metrics
12412 - containerPort: 10250
12413 protocol: TCP
12414 name: webhook
12415 readinessProbe:
12416 httpGet:
12417 port: 8081
12418 path: /readyz
12419 initialDelaySeconds: 20
12420 periodSeconds: 5
12421 volumeMounts:
12422 - name: certs
12423 mountPath: /tmp/certs
12424 readOnly: true
12425 volumes:
12426 - name: certs
12427 secret:
12428 secretName: external-secrets-webhook
12429---
12430# Source: external-secrets/templates/validatingwebhook.yaml
12431apiVersion: admissionregistration.k8s.io/v1
12432kind: ValidatingWebhookConfiguration
12433metadata:
12434 name: secretstore-validate
12435 labels:
12436 external-secrets.io/component: webhook
12437webhooks:
12438- name: "validate.secretstore.external-secrets.io"
12439 rules:
12440 - apiGroups: ["external-secrets.io"]
12441 apiVersions: ["v1beta1"]
12442 operations: ["CREATE", "UPDATE", "DELETE"]
12443 resources: ["secretstores"]
12444 scope: "Namespaced"
12445 clientConfig:
12446 service:
12447 namespace: default
12448 name: external-secrets-webhook
12449 path: /validate-external-secrets-io-v1beta1-secretstore
12450 admissionReviewVersions: ["v1", "v1beta1"]
12451 sideEffects: None
12452 timeoutSeconds: 5
12453
12454- name: "validate.clustersecretstore.external-secrets.io"
12455 rules:
12456 - apiGroups: ["external-secrets.io"]
12457 apiVersions: ["v1beta1"]
12458 operations: ["CREATE", "UPDATE", "DELETE"]
12459 resources: ["clustersecretstores"]
12460 scope: "Cluster"
12461 clientConfig:
12462 service:
12463 namespace: default
12464 name: external-secrets-webhook
12465 path: /validate-external-secrets-io-v1beta1-clustersecretstore
12466 admissionReviewVersions: ["v1", "v1beta1"]
12467 sideEffects: None
12468 timeoutSeconds: 5
12469---
12470# Source: external-secrets/templates/validatingwebhook.yaml
12471apiVersion: admissionregistration.k8s.io/v1
12472kind: ValidatingWebhookConfiguration
12473metadata:
12474 name: externalsecret-validate
12475 labels:
12476 external-secrets.io/component: webhook
12477webhooks:
12478- name: "validate.externalsecret.external-secrets.io"
12479 rules:
12480 - apiGroups: ["external-secrets.io"]
12481 apiVersions: ["v1beta1"]
12482 operations: ["CREATE", "UPDATE", "DELETE"]
12483 resources: ["externalsecrets"]
12484 scope: "Namespaced"
12485 clientConfig:
12486 service:
12487 namespace: default
12488 name: external-secrets-webhook
12489 path: /validate-external-secrets-io-v1beta1-externalsecret
12490 admissionReviewVersions: ["v1", "v1beta1"]
12491 sideEffects: None
12492 timeoutSeconds: 5
12493 failurePolicy: Fail