diff --git a/charts/external-secrets/charts/bitwarden-sdk-server/.helmignore b/charts/external-secrets/.helmignore
similarity index 89%
rename from charts/external-secrets/charts/bitwarden-sdk-server/.helmignore
rename to charts/external-secrets/.helmignore
index 0e8a0eb..855edc3 100644
--- a/charts/external-secrets/charts/bitwarden-sdk-server/.helmignore
+++ b/charts/external-secrets/.helmignore
@@ -21,3 +21,6 @@
.idea/
*.tmproj
.vscode/
+
+# CRD README.md
+templates/crds/README.md
diff --git a/charts/external-secrets/Chart.lock b/charts/external-secrets/Chart.lock
deleted file mode 100644
index f9abae8..0000000
--- a/charts/external-secrets/Chart.lock
+++ /dev/null
@@ -1,6 +0,0 @@
-dependencies:
-- name: bitwarden-sdk-server
- repository: oci://ghcr.io/external-secrets/charts
- version: v0.3.1
-digest: sha256:2d01e9083fc32c18dca4f9614625e0172e338a663138c2670e5b911645b6b8ee
-generated: "2024-09-20T12:57:07.63511+02:00"
diff --git a/charts/external-secrets/Chart.yaml b/charts/external-secrets/Chart.yaml
index 44236fa..b0fda95 100644
--- a/charts/external-secrets/Chart.yaml
+++ b/charts/external-secrets/Chart.yaml
@@ -1,10 +1,5 @@
apiVersion: v2
-appVersion: v0.16.2
-dependencies:
-- condition: bitwarden-sdk-server.enabled
- name: bitwarden-sdk-server
- repository: oci://ghcr.io/external-secrets/charts
- version: v0.3.1
+appVersion: v0.9.11
description: External secret management for Kubernetes
home: https://github.com/external-secrets/external-secrets
icon: https://raw.githubusercontent.com/external-secrets/external-secrets/main/assets/eso-logo-large.png
@@ -17,4 +12,4 @@ maintainers:
name: mcavoyk
name: external-secrets
type: application
-version: 0.16.2
+version: 0.9.11
diff --git a/charts/external-secrets/README.md b/charts/external-secrets/README.md
index 44da66b..96d2de0 100644
--- a/charts/external-secrets/README.md
+++ b/charts/external-secrets/README.md
@@ -1,10 +1,10 @@
# External Secrets
-
+
[//]: # (README.md generated by gotmpl. DO NOT EDIT.)
- 
+ 
External secret management for Kubernetes
@@ -35,7 +35,6 @@ The command removes all the Kubernetes components associated with the chart and
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| affinity | object | `{}` | |
-| bitwarden-sdk-server.enabled | bool | `false` | |
| certController.affinity | object | `{}` | |
| certController.create | bool | `true` | Specifies whether a certificate controller deployment be created. |
| certController.deploymentAnnotations | object | `{}` | Annotations to add to Deployment |
@@ -45,12 +44,10 @@ The command removes all the Kubernetes components associated with the chart and
| certController.extraVolumes | list | `[]` | |
| certController.fullnameOverride | string | `""` | |
| certController.hostNetwork | bool | `false` | Run the certController on the host network |
-| certController.image.flavour | string | `""` | |
| certController.image.pullPolicy | string | `"IfNotPresent"` | |
-| certController.image.repository | string | `"oci.external-secrets.io/external-secrets/external-secrets"` | |
+| certController.image.repository | string | `"ghcr.io/external-secrets/external-secrets"` | |
| certController.image.tag | string | `""` | |
| certController.imagePullSecrets | list | `[]` | |
-| certController.log | object | `{"level":"info","timeEncoding":"epoch"}` | Specifices Log Params to the Certificate Controller |
| certController.metrics.listen.port | int | `8080` | |
| certController.metrics.service.annotations | object | `{}` | Additional service annotations |
| certController.metrics.service.enabled | bool | `false` | Enable if you use another monitoring tool than Prometheus to scrape the metrics |
@@ -60,7 +57,7 @@ The command removes all the Kubernetes components associated with the chart and
| certController.podAnnotations | object | `{}` | Annotations to add to Pod |
| certController.podDisruptionBudget | object | `{"enabled":false,"minAvailable":1}` | Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |
| certController.podLabels | object | `{}` | |
-| certController.podSecurityContext.enabled | bool | `true` | |
+| certController.podSecurityContext | object | `{}` | |
| certController.priorityClassName | string | `""` | Pod priority class name. |
| certController.rbac.create | bool | `true` | Specifies whether role and rolebinding resources should be created. |
| certController.readinessProbe.address | string | `""` | Address for readiness probe |
@@ -71,7 +68,6 @@ The command removes all the Kubernetes components associated with the chart and
| certController.revisionHistoryLimit | int | `10` | Specifies the amount of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy) |
| certController.securityContext.allowPrivilegeEscalation | bool | `false` | |
| certController.securityContext.capabilities.drop[0] | string | `"ALL"` | |
-| certController.securityContext.enabled | bool | `true` | |
| certController.securityContext.readOnlyRootFilesystem | bool | `true` | |
| certController.securityContext.runAsNonRoot | bool | `true` | |
| certController.securityContext.runAsUser | int | `1000` | |
@@ -87,62 +83,42 @@ The command removes all the Kubernetes components associated with the chart and
| concurrent | int | `1` | Specifies the number of concurrent ExternalSecret Reconciles external-secret executes at a time. |
| controllerClass | string | `""` | If set external secrets will filter matching Secret Stores with the appropriate controller values. |
| crds.annotations | object | `{}` | |
-| crds.conversion.enabled | bool | `false` | Conversion is disabled by default as we stopped supporting v1alpha1. |
+| crds.conversion.enabled | bool | `true` | |
| crds.createClusterExternalSecret | bool | `true` | If true, create CRDs for Cluster External Secret. |
-| crds.createClusterGenerator | bool | `true` | If true, create CRDs for Cluster Generator. |
-| crds.createClusterPushSecret | bool | `true` | If true, create CRDs for Cluster Push Secret. |
| crds.createClusterSecretStore | bool | `true` | If true, create CRDs for Cluster Secret Store. |
| crds.createPushSecret | bool | `true` | If true, create CRDs for Push Secret. |
| createOperator | bool | `true` | Specifies whether an external secret operator deployment be created. |
| deploymentAnnotations | object | `{}` | Annotations to add to Deployment |
| dnsConfig | object | `{}` | Specifies `dnsOptions` to deployment |
-| dnsPolicy | string | `"ClusterFirst"` | Specifies `dnsPolicy` to deployment |
| extendedMetricLabels | bool | `false` | If true external secrets will use recommended kubernetes annotations as prometheus metric labels. |
| extraArgs | object | `{}` | |
| extraContainers | list | `[]` | |
| extraEnv | list | `[]` | |
-| extraObjects | list | `[]` | |
| extraVolumeMounts | list | `[]` | |
| extraVolumes | list | `[]` | |
| fullnameOverride | string | `""` | |
-| global.affinity | object | `{}` | |
-| global.compatibility.openshift.adaptSecurityContext | string | `"auto"` | Manages the securityContext properties to make them compatible with OpenShift. Possible values: auto - Apply configurations if it is detected that OpenShift is the target platform. force - Always apply configurations. disabled - No modification applied. |
-| global.nodeSelector | object | `{}` | |
-| global.tolerations | list | `[]` | |
-| global.topologySpreadConstraints | list | `[]` | |
-| grafanaDashboard.annotations | object | `{}` | Annotations that ConfigMaps can have to get configured in Grafana, See: sidecar.dashboards.folderAnnotation for specifying the dashboard folder. https://github.com/grafana/helm-charts/tree/main/charts/grafana |
-| grafanaDashboard.enabled | bool | `false` | If true creates a Grafana dashboard. |
-| grafanaDashboard.sidecarLabel | string | `"grafana_dashboard"` | Label that ConfigMaps should have to be loaded as dashboards. |
-| grafanaDashboard.sidecarLabelValue | string | `"1"` | Label value that ConfigMaps should have to be loaded as dashboards. |
| hostNetwork | bool | `false` | Run the controller on the host network |
-| image.flavour | string | `""` | The flavour of tag you want to use There are different image flavours available, like distroless and ubi. Please see GitHub release notes for image tags for these flavors. By default, the distroless image is used. |
| image.pullPolicy | string | `"IfNotPresent"` | |
-| image.repository | string | `"oci.external-secrets.io/external-secrets/external-secrets"` | |
-| image.tag | string | `""` | The image tag to use. The default is the chart appVersion. |
+| image.repository | string | `"ghcr.io/external-secrets/external-secrets"` | |
+| image.tag | string | `""` | The image tag to use. The default is the chart appVersion. There are different image flavours available, like distroless and ubi. Please see GitHub release notes for image tags for these flavors. By default the distroless image is used. |
| imagePullSecrets | list | `[]` | |
| installCRDs | bool | `true` | If set, install and upgrade CRDs through helm chart. |
| leaderElect | bool | `false` | If true, external-secrets will perform leader election between instances to ensure no more than one instance of external-secrets operates at a time. |
-| log | object | `{"level":"info","timeEncoding":"epoch"}` | Specifices Log Params to the External Secrets Operator |
| metrics.listen.port | int | `8080` | |
| metrics.service.annotations | object | `{}` | Additional service annotations |
| metrics.service.enabled | bool | `false` | Enable if you use another monitoring tool than Prometheus to scrape the metrics |
| metrics.service.port | int | `8080` | Metrics service port to scrape |
| nameOverride | string | `""` | |
-| namespaceOverride | string | `""` | |
| nodeSelector | object | `{}` | |
-| openshiftFinalizers | bool | `true` | If true the OpenShift finalizer permissions will be added to RBAC |
| podAnnotations | object | `{}` | Annotations to add to Pod |
| podDisruptionBudget | object | `{"enabled":false,"minAvailable":1}` | Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |
| podLabels | object | `{}` | |
-| podSecurityContext.enabled | bool | `true` | |
+| podSecurityContext | object | `{}` | |
| podSpecExtra | object | `{}` | Any extra pod spec on the deployment |
| priorityClassName | string | `""` | Pod priority class name. |
| processClusterExternalSecret | bool | `true` | if true, the operator will process cluster external secret. Else, it will ignore them. |
-| processClusterPushSecret | bool | `true` | if true, the operator will process cluster push secret. Else, it will ignore them. |
| processClusterStore | bool | `true` | if true, the operator will process cluster store. Else, it will ignore them. |
| processPushSecret | bool | `true` | if true, the operator will process push secret. Else, it will ignore them. |
-| rbac.aggregateToEdit | bool | `true` | Specifies whether permissions are aggregated to the edit ClusterRole |
-| rbac.aggregateToView | bool | `true` | Specifies whether permissions are aggregated to the view ClusterRole |
| rbac.create | bool | `true` | Specifies whether role and rolebinding resources should be created. |
| rbac.servicebindings.create | bool | `true` | Specifies whether a clusterrole to give servicebindings read access should be created. |
| replicaCount | int | `1` | |
@@ -152,13 +128,10 @@ The command removes all the Kubernetes components associated with the chart and
| scopedRBAC | bool | `false` | Must be used with scopedNamespace. If true, create scoped RBAC roles under the scoped namespace and implicitly disable cluster stores and cluster external secrets |
| securityContext.allowPrivilegeEscalation | bool | `false` | |
| securityContext.capabilities.drop[0] | string | `"ALL"` | |
-| securityContext.enabled | bool | `true` | |
| securityContext.readOnlyRootFilesystem | bool | `true` | |
| securityContext.runAsNonRoot | bool | `true` | |
| securityContext.runAsUser | int | `1000` | |
| securityContext.seccompProfile.type | string | `"RuntimeDefault"` | |
-| service.ipFamilies | list | `[]` | Sets the families that should be supported and the order in which they should be applied to ClusterIP as well. Can be IPv4 and/or IPv6. |
-| service.ipFamilyPolicy | string | `""` | Set the ip family policy to configure dual-stack see [Configure dual-stack](https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services) |
| serviceAccount.annotations | object | `{}` | Annotations to add to the service account. |
| serviceAccount.automount | bool | `true` | Automounts the service account token in all containers of the pod |
| serviceAccount.create | bool | `true` | Specifies whether a service account should be created. |
@@ -175,18 +148,16 @@ The command removes all the Kubernetes components associated with the chart and
| tolerations | list | `[]` | |
| topologySpreadConstraints | list | `[]` | |
| webhook.affinity | object | `{}` | |
-| webhook.annotations | object | `{}` | Annotations to place on validating webhook configuration. |
| webhook.certCheckInterval | string | `"5m"` | Specifices the time to check if the cert is valid |
| webhook.certDir | string | `"/tmp/certs"` | |
| webhook.certManager.addInjectorAnnotations | bool | `true` | Automatically add the cert-manager.io/inject-ca-from annotation to the webhooks and CRDs. As long as you have the cert-manager CA Injector enabled, this will automatically setup your webhook's CA to the one used by cert-manager. See https://cert-manager.io/docs/concepts/ca-injector |
| webhook.certManager.cert.annotations | object | `{}` | Add extra annotations to the Certificate resource. |
| webhook.certManager.cert.create | bool | `true` | Create a certificate resource within this chart. See https://cert-manager.io/docs/usage/certificate/ |
-| webhook.certManager.cert.duration | string | `"8760h"` | Set the requested duration (i.e. lifetime) of the Certificate. See https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec One year by default. |
+| webhook.certManager.cert.duration | string | `""` | Set the requested duration (i.e. lifetime) of the Certificate. See https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec |
| webhook.certManager.cert.issuerRef | object | `{"group":"cert-manager.io","kind":"Issuer","name":"my-issuer"}` | For the Certificate created by this chart, setup the issuer. See https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.IssuerSpec |
| webhook.certManager.cert.renewBefore | string | `""` | How long before the currently issued certificate’s expiry cert-manager should renew the certificate. See https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec Note that renewBefore should be greater than .webhook.lookaheadInterval since the webhook will check this far in advance that the certificate is valid. |
-| webhook.certManager.cert.revisionHistoryLimit | int | `0` | Set the revisionHistoryLimit on the Certificate. See https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec Defaults to 0 (ignored). |
| webhook.certManager.enabled | bool | `false` | Enabling cert-manager support will disable the built in secret and switch to using cert-manager (installed separately) to automatically issue and renew the webhook certificate. This chart does not install cert-manager for you, See https://cert-manager.io/docs/ |
-| webhook.create | bool | `true` | Specifies whether a webhook deployment be created. If set to false, crds.conversion.enabled should also be set to false otherwise the kubeapi will be hammered because the conversion is looking for a webhook endpoint. |
+| webhook.create | bool | `true` | Specifies whether a webhook deployment be created. |
| webhook.deploymentAnnotations | object | `{}` | Annotations to add to Deployment |
| webhook.extraArgs | object | `{}` | |
| webhook.extraEnv | list | `[]` | |
@@ -195,12 +166,10 @@ The command removes all the Kubernetes components associated with the chart and
| webhook.failurePolicy | string | `"Fail"` | Specifies whether validating webhooks should be created with failurePolicy: Fail or Ignore |
| webhook.fullnameOverride | string | `""` | |
| webhook.hostNetwork | bool | `false` | Specifies if webhook pod should use hostNetwork or not. |
-| webhook.image.flavour | string | `""` | The flavour of tag you want to use |
| webhook.image.pullPolicy | string | `"IfNotPresent"` | |
-| webhook.image.repository | string | `"oci.external-secrets.io/external-secrets/external-secrets"` | |
+| webhook.image.repository | string | `"ghcr.io/external-secrets/external-secrets"` | |
| webhook.image.tag | string | `""` | The image tag to use. The default is the chart appVersion. |
| webhook.imagePullSecrets | list | `[]` | |
-| webhook.log | object | `{"level":"info","timeEncoding":"epoch"}` | Specifices Log Params to the Webhook |
| webhook.lookaheadInterval | string | `""` | Specifices the lookaheadInterval for certificate validity |
| webhook.metrics.listen.port | int | `8080` | |
| webhook.metrics.service.annotations | object | `{}` | Additional service annotations |
@@ -211,7 +180,7 @@ The command removes all the Kubernetes components associated with the chart and
| webhook.podAnnotations | object | `{}` | Annotations to add to Pod |
| webhook.podDisruptionBudget | object | `{"enabled":false,"minAvailable":1}` | Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |
| webhook.podLabels | object | `{}` | |
-| webhook.podSecurityContext.enabled | bool | `true` | |
+| webhook.podSecurityContext | object | `{}` | |
| webhook.port | int | `10250` | The port the webhook will listen to |
| webhook.priorityClassName | string | `""` | Pod priority class name. |
| webhook.rbac.create | bool | `true` | Specifies whether role and rolebinding resources should be created. |
@@ -223,17 +192,10 @@ The command removes all the Kubernetes components associated with the chart and
| webhook.secretAnnotations | object | `{}` | Annotations to add to Secret |
| webhook.securityContext.allowPrivilegeEscalation | bool | `false` | |
| webhook.securityContext.capabilities.drop[0] | string | `"ALL"` | |
-| webhook.securityContext.enabled | bool | `true` | |
| webhook.securityContext.readOnlyRootFilesystem | bool | `true` | |
| webhook.securityContext.runAsNonRoot | bool | `true` | |
| webhook.securityContext.runAsUser | int | `1000` | |
| webhook.securityContext.seccompProfile.type | string | `"RuntimeDefault"` | |
-| webhook.service | object | `{"annotations":{},"enabled":true,"labels":{},"loadBalancerIP":"","type":"ClusterIP"}` | Manage the service through which the webhook is reached. |
-| webhook.service.annotations | object | `{}` | Custom annotations for the webhook service. |
-| webhook.service.enabled | bool | `true` | Whether the service object should be enabled or not (it is expected to exist). |
-| webhook.service.labels | object | `{}` | Custom labels for the webhook service. |
-| webhook.service.loadBalancerIP | string | `""` | If the webhook service type is LoadBalancer, you can assign a specific load balancer IP here. Check the documentation of your load balancer provider to see if/how this should be used. |
-| webhook.service.type | string | `"ClusterIP"` | The service type of the webhook service. |
| webhook.serviceAccount.annotations | object | `{}` | Annotations to add to the service account. |
| webhook.serviceAccount.automount | bool | `true` | Automounts the service account token in all containers of the pod |
| webhook.serviceAccount.create | bool | `true` | Specifies whether a service account should be created. |
diff --git a/charts/external-secrets/README.md.gotmpl b/charts/external-secrets/README.md.gotmpl
new file mode 100644
index 0000000..7c1b60d
--- /dev/null
+++ b/charts/external-secrets/README.md.gotmpl
@@ -0,0 +1,35 @@
+{{- $chartRepo := "https://charts.external-secrets.io" -}}
+{{- $org := "external-secrets" -}}
+# External Secrets
+
+
+
+[//]: # (README.md generated by gotmpl. DO NOT EDIT.)
+
+{{ template "chart.typeBadge" . }}{{ template "chart.versionBadge" . }}
+
+{{ template "chart.description" . }}
+
+## TL;DR
+```bash
+helm repo add {{ $org }} {{ $chartRepo }}
+helm install external-secrets {{ $org }}/{{ template "chart.name" . }}
+```
+
+## Installing the Chart
+To install the chart with the release name `{{ template "chart.name" . }}`:
+```bash
+helm install {{ template "chart.name" . }} {{ $org }}/{{ template "chart.name" . }}
+```
+
+### Custom Resources
+By default, the chart will install external-secrets CRDs, this can be controlled with `installCRDs` value.
+
+## Uninstalling the Chart
+To uninstall the `{{ template "chart.name" . }}` deployment:
+```bash
+helm uninstall {{ template "chart.name" . }}
+```
+The command removes all the Kubernetes components associated with the chart and deletes the release.
+
+{{ template "chart.valuesSection" . }}
diff --git a/charts/external-secrets/charts/bitwarden-sdk-server/Chart.yaml b/charts/external-secrets/charts/bitwarden-sdk-server/Chart.yaml
deleted file mode 100644
index 64d6f38..0000000
--- a/charts/external-secrets/charts/bitwarden-sdk-server/Chart.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: v2
-appVersion: v0.3.1
-description: A Helm chart for Kubernetes
-name: bitwarden-sdk-server
-type: application
-version: v0.3.1
diff --git a/charts/external-secrets/charts/bitwarden-sdk-server/templates/NOTES.txt b/charts/external-secrets/charts/bitwarden-sdk-server/templates/NOTES.txt
deleted file mode 100644
index 46b671c..0000000
--- a/charts/external-secrets/charts/bitwarden-sdk-server/templates/NOTES.txt
+++ /dev/null
@@ -1,22 +0,0 @@
-1. Get the application URL by running these commands:
-{{- if .Values.ingress.enabled }}
-{{- range $host := .Values.ingress.hosts }}
- {{- range .paths }}
- http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
- {{- end }}
-{{- end }}
-{{- else if contains "NodePort" .Values.service.type }}
- export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "bitwarden-sdk-server.fullname" . }})
- export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
- echo http://$NODE_IP:$NODE_PORT
-{{- else if contains "LoadBalancer" .Values.service.type }}
- NOTE: It may take a few minutes for the LoadBalancer IP to be available.
- You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "bitwarden-sdk-server.fullname" . }}'
- export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "bitwarden-sdk-server.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
- echo http://$SERVICE_IP:{{ .Values.service.port }}
-{{- else if contains "ClusterIP" .Values.service.type }}
- export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "bitwarden-sdk-server.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
- export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
- echo "Visit http://127.0.0.1:8080 to use your application"
- kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT
-{{- end }}
diff --git a/charts/external-secrets/charts/bitwarden-sdk-server/templates/_helpers.tpl b/charts/external-secrets/charts/bitwarden-sdk-server/templates/_helpers.tpl
deleted file mode 100644
index a5e0da3..0000000
--- a/charts/external-secrets/charts/bitwarden-sdk-server/templates/_helpers.tpl
+++ /dev/null
@@ -1,62 +0,0 @@
-{{/*
-Expand the name of the chart.
-*/}}
-{{- define "bitwarden-sdk-server.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-If release name contains chart name it will be used as a full name.
-*/}}
-{{- define "bitwarden-sdk-server.fullname" -}}
-{{- if .Values.fullnameOverride }}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- $name := default .Chart.Name .Values.nameOverride }}
-{{- if contains $name .Release.Name }}
-{{- .Release.Name | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
-{{- end }}
-{{- end }}
-{{- end }}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "bitwarden-sdk-server.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Common labels
-*/}}
-{{- define "bitwarden-sdk-server.labels" -}}
-helm.sh/chart: {{ include "bitwarden-sdk-server.chart" . }}
-{{ include "bitwarden-sdk-server.selectorLabels" . }}
-{{- if .Chart.AppVersion }}
-app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
-{{- end }}
-app.kubernetes.io/managed-by: {{ .Release.Service }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "bitwarden-sdk-server.selectorLabels" -}}
-app.kubernetes.io/name: {{ include "bitwarden-sdk-server.name" . }}
-app.kubernetes.io/instance: {{ .Release.Name }}
-{{- end }}
-
-{{/*
-Create the name of the service account to use
-*/}}
-{{- define "bitwarden-sdk-server.serviceAccountName" -}}
-{{- if .Values.serviceAccount.create }}
-{{- default (include "bitwarden-sdk-server.fullname" .) .Values.serviceAccount.name }}
-{{- else }}
-{{- default "default" .Values.serviceAccount.name }}
-{{- end }}
-{{- end }}
diff --git a/charts/external-secrets/charts/bitwarden-sdk-server/templates/deployment.yaml b/charts/external-secrets/charts/bitwarden-sdk-server/templates/deployment.yaml
deleted file mode 100644
index 06e2882..0000000
--- a/charts/external-secrets/charts/bitwarden-sdk-server/templates/deployment.yaml
+++ /dev/null
@@ -1,77 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: {{ include "bitwarden-sdk-server.fullname" . }}
- labels:
- {{- include "bitwarden-sdk-server.labels" . | nindent 4 }}
-spec:
- replicas: {{ .Values.replicaCount }}
- selector:
- matchLabels:
- {{- include "bitwarden-sdk-server.selectorLabels" . | nindent 6 }}
- template:
- metadata:
- {{- with .Values.podAnnotations }}
- annotations:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- labels:
- {{- include "bitwarden-sdk-server.selectorLabels" . | nindent 8 }}
- spec:
- {{- with .Values.imagePullSecrets }}
- imagePullSecrets:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- serviceAccountName: {{ include "bitwarden-sdk-server.serviceAccountName" . }}
- securityContext:
- {{- toYaml .Values.podSecurityContext | nindent 8 }}
- containers:
- - name: {{ .Chart.Name }}
- {{- if not .Values.image.tls.enabled }}
- args:
- - --insecure
- {{- end }}
- securityContext:
- {{- toYaml .Values.securityContext | nindent 12 }}
- image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
- imagePullPolicy: {{ .Values.image.pullPolicy }}
- {{- if .Values.image.tls.enabled }}
- volumeMounts:
- {{- toYaml .Values.image.tls.volumeMounts | nindent 10 }}
- {{- end}}
- ports:
- - name: http
- containerPort: {{ .Values.service.port }}
- protocol: TCP
- livenessProbe:
- httpGet:
- path: /live
- port: http
- {{- if .Values.image.tls.enabled }}
- scheme: HTTPS
- {{- end }}
- readinessProbe:
- httpGet:
- path: /ready
- port: http
- {{- if .Values.image.tls.enabled }}
- scheme: HTTPS
- {{- end }}
- resources:
- {{- toYaml .Values.resources | nindent 12 }}
- {{- with .Values.nodeSelector }}
- nodeSelector:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- {{- with .Values.affinity }}
- affinity:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- {{- with .Values.tolerations }}
- tolerations:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- {{- if .Values.image.tls.enabled }}
- volumes:
- {{- toYaml .Values.image.tls.volumes | nindent 8 }}
- {{- end}}
diff --git a/charts/external-secrets/charts/bitwarden-sdk-server/templates/service.yaml b/charts/external-secrets/charts/bitwarden-sdk-server/templates/service.yaml
deleted file mode 100644
index 88e2d66..0000000
--- a/charts/external-secrets/charts/bitwarden-sdk-server/templates/service.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ include "bitwarden-sdk-server.fullname" . }}
- labels:
- {{- include "bitwarden-sdk-server.labels" . | nindent 4 }}
-spec:
- type: {{ .Values.service.type }}
- ports:
- - port: {{ .Values.service.port }}
- targetPort: http
- name: http
- selector:
- {{- include "bitwarden-sdk-server.selectorLabels" . | nindent 4 }}
diff --git a/charts/external-secrets/charts/bitwarden-sdk-server/templates/serviceaccount.yaml b/charts/external-secrets/charts/bitwarden-sdk-server/templates/serviceaccount.yaml
deleted file mode 100644
index fef7bad..0000000
--- a/charts/external-secrets/charts/bitwarden-sdk-server/templates/serviceaccount.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-{{- if .Values.serviceAccount.create -}}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: {{ include "bitwarden-sdk-server.serviceAccountName" . }}
- labels:
- {{- include "bitwarden-sdk-server.labels" . | nindent 4 }}
- {{- with .Values.serviceAccount.annotations }}
- annotations:
- {{- toYaml . | nindent 4 }}
- {{- end }}
-{{- end }}
diff --git a/charts/external-secrets/charts/bitwarden-sdk-server/tests/__snapshot__/deployment_test.yaml.snap b/charts/external-secrets/charts/bitwarden-sdk-server/tests/__snapshot__/deployment_test.yaml.snap
deleted file mode 100644
index 2fbcdb1..0000000
--- a/charts/external-secrets/charts/bitwarden-sdk-server/tests/__snapshot__/deployment_test.yaml.snap
+++ /dev/null
@@ -1,60 +0,0 @@
-deployment should match snapshot:
- 1: |
- apiVersion: apps/v1
- kind: Deployment
- metadata:
- labels:
- app.kubernetes.io/instance: RELEASE-NAME
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/name: bitwarden-sdk-server
- app.kubernetes.io/version: 1.16.0
- helm.sh/chart: bitwarden-sdk-server-0.1.0
- name: bitwarden-sdk-server
- spec:
- replicas: 1
- selector:
- matchLabels:
- app.kubernetes.io/instance: RELEASE-NAME
- app.kubernetes.io/name: bitwarden-sdk-server
- template:
- metadata:
- labels:
- app.kubernetes.io/instance: RELEASE-NAME
- app.kubernetes.io/name: bitwarden-sdk-server
- spec:
- containers:
- - image: ghcr.io/external-secrets/bitwarden-sdk-server:v0.8.0
- imagePullPolicy: IfNotPresent
- livenessProbe:
- httpGet:
- path: /live
- port: http
- scheme: HTTPS
- name: bitwarden-sdk-server
- ports:
- - containerPort: 9998
- name: http
- protocol: TCP
- readinessProbe:
- httpGet:
- path: /ready
- port: http
- scheme: HTTPS
- resources: {}
- securityContext: {}
- volumeMounts:
- - mountPath: /certs
- name: bitwarden-tls-certs
- securityContext: {}
- serviceAccountName: bitwarden-sdk-server
- volumes:
- - name: bitwarden-tls-certs
- secret:
- items:
- - key: tls.crt
- path: cert.pem
- - key: tls.key
- path: key.pem
- - key: ca.crt
- path: ca.pem
- secretName: bitwarden-tls-certs
diff --git a/charts/external-secrets/charts/bitwarden-sdk-server/tests/deployment_test.yaml b/charts/external-secrets/charts/bitwarden-sdk-server/tests/deployment_test.yaml
deleted file mode 100644
index bb4e2f4..0000000
--- a/charts/external-secrets/charts/bitwarden-sdk-server/tests/deployment_test.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-suite: test deployment
-templates:
- - deployment.yaml
-tests:
- - it: deployment should match snapshot
- set:
- image.tag: v0.8.0
- asserts:
- - matchSnapshot: {}
diff --git a/charts/external-secrets/charts/bitwarden-sdk-server/values.yaml b/charts/external-secrets/charts/bitwarden-sdk-server/values.yaml
deleted file mode 100644
index f0424af..0000000
--- a/charts/external-secrets/charts/bitwarden-sdk-server/values.yaml
+++ /dev/null
@@ -1,98 +0,0 @@
-# Default values for bitwarden-sdk-server.
-# This is a YAML-formatted file.
-# Declare variables to be passed into your templates.
-
-replicaCount: 1
-
-image:
- repository: ghcr.io/external-secrets/bitwarden-sdk-server
- pullPolicy: IfNotPresent
- # Overrides the image tag whose default is the chart appVersion.
- tag: ""
- tls:
- enabled: true
- volumeMounts:
- - mountPath: "/certs"
- name: "bitwarden-tls-certs"
- volumes:
- - name: "bitwarden-tls-certs"
- secret:
- secretName: "bitwarden-tls-certs"
- items:
- - key: "tls.crt"
- path: "cert.pem"
- - key: "tls.key"
- path: "key.pem"
- - key: "ca.crt"
- path: "ca.pem"
-
-imagePullSecrets: []
-nameOverride: "bitwarden-sdk-server"
-fullnameOverride: "bitwarden-sdk-server"
-
-serviceAccount:
- # Specifies whether a service account should be created
- create: true
- # Annotations to add to the service account
- annotations: {}
- # The name of the service account to use.
- # If not set and create is true, a name is generated using the fullname template
- name: ""
-
-podAnnotations: {}
-
-podSecurityContext: {}
- # fsGroup: 2000
-
-securityContext: {}
- # capabilities:
- # drop:
- # - ALL
- # readOnlyRootFilesystem: true
- # runAsNonRoot: true
- # runAsUser: 1000
-
-service:
- type: ClusterIP
- port: 9998
-
-ingress:
- enabled: false
- className: ""
- annotations: {}
- # kubernetes.io/ingress.class: nginx
- # kubernetes.io/tls-acme: "true"
- hosts:
- - host: chart-example.local
- paths:
- - path: /
- pathType: ImplementationSpecific
- tls: []
- # - secretName: chart-example-tls
- # hosts:
- # - chart-example.local
-
-resources: {}
- # We usually recommend not to specify default resources and to leave this as a conscious
- # choice for the user. This also increases chances charts run on environments with little
- # resources, such as Minikube. If you do want to specify resources, uncomment the following
- # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
- # limits:
- # cpu: 100m
- # memory: 128Mi
- # requests:
- # cpu: 100m
- # memory: 128Mi
-
-autoscaling:
- enabled: false
- minReplicas: 1
- maxReplicas: 100
- targetCPUUtilizationPercentage: 80
- # targetMemoryUtilizationPercentage: 80
-
-nodeSelector: {}
-
-tolerations: []
-
-affinity: {}
diff --git a/charts/external-secrets/ci/main-values.yaml b/charts/external-secrets/ci/main-values.yaml
new file mode 100644
index 0000000..75eb234
--- /dev/null
+++ b/charts/external-secrets/ci/main-values.yaml
@@ -0,0 +1,2 @@
+image:
+ tag: main
diff --git a/charts/external-secrets/files/monitoring/grafana-dashboard.json b/charts/external-secrets/files/monitoring/grafana-dashboard.json
deleted file mode 100644
index 2a299aa..0000000
--- a/charts/external-secrets/files/monitoring/grafana-dashboard.json
+++ /dev/null
@@ -1,1961 +0,0 @@
-{
- "annotations": {
- "list": [
- {
- "builtIn": 1,
- "datasource": {
- "type": "grafana",
- "uid": "-- Grafana --"
- },
- "enable": true,
- "hide": true,
- "iconColor": "rgba(0, 211, 255, 1)",
- "name": "Annotations & Alerts",
- "target": {
- "limit": 100,
- "matchAny": false,
- "tags": [],
- "type": "dashboard"
- },
- "type": "dashboard"
- }
- ]
- },
- "editable": true,
- "fiscalYearStartMonth": 0,
- "graphTooltip": 0,
- "id": 27,
- "links": [],
- "liveNow": false,
- "panels": [
- {
- "collapsed": false,
- "gridPos": {
- "h": 1,
- "w": 24,
- "x": 0,
- "y": 0
- },
- "id": 99,
- "panels": [],
- "title": "SLIs",
- "type": "row"
- },
- {
- "datasource": {
- "type": "prometheus",
- "uid": "$datasource"
- },
- "fieldConfig": {
- "defaults": {
- "color": {
- "mode": "thresholds"
- },
- "mappings": [],
- "min": 0,
- "thresholds": {
- "mode": "percentage",
- "steps": [
- {
- "color": "green",
- "value": null
- },
- {
- "color": "#EAB839",
- "value": 1
- }
- ]
- },
- "unit": "percentunit"
- },
- "overrides": []
- },
- "gridPos": {
- "h": 7,
- "w": 4,
- "x": 0,
- "y": 1
- },
- "id": 118,
- "options": {
- "orientation": "auto",
- "reduceOptions": {
- "calcs": [
- "lastNotNull"
- ],
- "fields": "",
- "values": false
- },
- "showThresholdLabels": false,
- "showThresholdMarkers": true
- },
- "pluginVersion": "9.5.2",
- "targets": [
- {
- "datasource": {
- "type": "prometheus",
- "uid": "$datasource"
- },
- "editorMode": "code",
- "expr": "(sum(increase(controller_runtime_reconcile_total{service=~\".*external-secrets.*\",controller=~\"secretstore\", result=\"error\"}[15m])))\n/\n(sum(increase(controller_runtime_reconcile_total{service=~\".*external-secrets.*\",controller=~\"secretstore\"}[15m])))\n> 0",
- "legendFormat": "__auto",
- "range": true,
- "refId": "A"
- }
- ],
- "title": "SecretStore error rate [15m]",
- "type": "gauge"
- },
- {
- "datasource": {
- "type": "prometheus",
- "uid": "$datasource"
- },
- "fieldConfig": {
- "defaults": {
- "color": {
- "mode": "thresholds"
- },
- "mappings": [],
- "min": 0,
- "thresholds": {
- "mode": "percentage",
- "steps": [
- {
- "color": "green",
- "value": null
- },
- {
- "color": "#EAB839",
- "value": 1
- }
- ]
- },
- "unit": "percentunit"
- },
- "overrides": []
- },
- "gridPos": {
- "h": 7,
- "w": 4,
- "x": 4,
- "y": 1
- },
- "id": 121,
- "options": {
- "orientation": "auto",
- "reduceOptions": {
- "calcs": [
- "lastNotNull"
- ],
- "fields": "",
- "values": false
- },
- "showThresholdLabels": false,
- "showThresholdMarkers": true
- },
- "pluginVersion": "9.5.2",
- "targets": [
- {
- "datasource": {
- "type": "prometheus",
- "uid": "$datasource"
- },
- "editorMode": "code",
- "expr": "(sum(increase(controller_runtime_reconcile_total{service=~\".*external-secrets.*\",controller=~\"clustersecretstore\", result=\"error\"}[15m])))\n/\n(sum(increase(controller_runtime_reconcile_total{service=~\".*external-secrets.*\",controller=~\"clustersecretstore\"}[15m])))\n> 0",
- "legendFormat": "__auto",
- "range": true,
- "refId": "A"
- }
- ],
- "title": "ClusterSecretStore error rate [15m]",
- "type": "gauge"
- },
- {
- "datasource": {
- "type": "prometheus",
- "uid": "$datasource"
- },
- "fieldConfig": {
- "defaults": {
- "color": {
- "mode": "thresholds"
- },
- "mappings": [],
- "min": 0,
- "thresholds": {
- "mode": "percentage",
- "steps": [
- {
- "color": "green",
- "value": null
- },
- {
- "color": "#EAB839",
- "value": 1
- }
- ]
- },
- "unit": "percentunit"
- },
- "overrides": []
- },
- "gridPos": {
- "h": 6,
- "w": 4,
- "x": 8,
- "y": 1
- },
- "id": 119,
- "options": {
- "orientation": "auto",
- "reduceOptions": {
- "calcs": [
- "lastNotNull"
- ],
- "fields": "",
- "values": false
- },
- "showThresholdLabels": false,
- "showThresholdMarkers": true
- },
- "pluginVersion": "9.5.2",
- "targets": [
- {
- "datasource": {
- "type": "prometheus",
- "uid": "$datasource"
- },
- "editorMode": "code",
- "expr": "(sum(increase(controller_runtime_reconcile_total{service=~\".*external-secrets.*\",controller=~\"externalsecret\", result=\"error\"}[15m])))\n/\n(sum(increase(controller_runtime_reconcile_total{service=~\".*external-secrets.*\",controller=~\"externalsecret\"}[15m])))\n> 0",
- "legendFormat": "__auto",
- "range": true,
- "refId": "A"
- }
- ],
- "title": "ExternalSecret error rate [15m]",
- "type": "gauge"
- },
- {
- "datasource": {
- "type": "prometheus",
- "uid": "$datasource"
- },
- "fieldConfig": {
- "defaults": {
- "color": {
- "mode": "thresholds"
- },
- "mappings": [],
- "min": 0,
- "thresholds": {
- "mode": "percentage",
- "steps": [
- {
- "color": "green",
- "value": null
- },
- {
- "color": "#EAB839",
- "value": 1
- }
- ]
- },
- "unit": "percentunit"
- },
- "overrides": []
- },
- "gridPos": {
- "h": 6,
- "w": 4,
- "x": 12,
- "y": 1
- },
- "id": 120,
- "options": {
- "orientation": "auto",
- "reduceOptions": {
- "calcs": [
- "lastNotNull"
- ],
- "fields": "",
- "values": false
- },
- "showThresholdLabels": false,
- "showThresholdMarkers": true
- },
- "pluginVersion": "9.5.2",
- "targets": [
- {
- "datasource": {
- "type": "prometheus",
- "uid": "$datasource"
- },
- "editorMode": "code",
- "expr": "(sum(irate(controller_runtime_reconcile_total{service=~\".*external-secrets.*\",controller=~\"clusterexternalsecret\", result=\"error\"}[15m])))\n/\n(sum(irate(controller_runtime_reconcile_total{service=~\".*external-secrets.*\",controller=~\"clusterexternalsecret\"}[15m])))\n> 0",
- "legendFormat": "__auto",
- "range": true,
- "refId": "A"
- }
- ],
- "title": "ClusterExternalSecret error rate [15m]",
- "type": "gauge"
- },
- {
- "datasource": {
- "type": "prometheus",
- "uid": "$datasource"
- },
- "fieldConfig": {
- "defaults": {
- "color": {
- "mode": "thresholds"
- },
- "mappings": [],
- "min": 0,
- "thresholds": {
- "mode": "percentage",
- "steps": [
- {
- "color": "green",
- "value": null
- },
- {
- "color": "#EAB839",
- "value": 1
- }
- ]
- },
- "unit": "percentunit"
- },
- "overrides": []
- },
- "gridPos": {
- "h": 7,
- "w": 4,
- "x": 16,
- "y": 1
- },
- "id": 122,
- "options": {
- "orientation": "auto",
- "reduceOptions": {
- "calcs": [
- "lastNotNull"
- ],
- "fields": "",
- "values": false
- },
- "showThresholdLabels": false,
- "showThresholdMarkers": true
- },
- "pluginVersion": "9.5.2",
- "targets": [
- {
- "datasource": {
- "type": "prometheus",
- "uid": "$datasource"
- },
- "editorMode": "code",
- "expr": "(sum(increase(controller_runtime_reconcile_total{service=~\".*external-secrets.*\",controller=~\"pushsecret\", result=\"error\"}[15m])))\n/\n(sum(increase(controller_runtime_reconcile_total{service=~\".*external-secrets.*\",controller=~\"pushsecret\"}[15m])))\n> 0",
- "legendFormat": "__auto",
- "range": true,
- "refId": "A"
- }
- ],
- "title": "PushSecret error rate [15m]",
- "type": "gauge"
- },
- {
- "datasource": {
- "type": "prometheus",
- "uid": "$datasource"
- },
- "fieldConfig": {
- "defaults": {
- "color": {
- "mode": "thresholds"
- },
- "mappings": [],
- "min": 0,
- "thresholds": {
- "mode": "percentage",
- "steps": [
- {
- "color": "green",
- "value": null
- },
- {
- "color": "#EAB839",
- "value": 1
- }
- ]
- },
- "unit": "percentunit"
- },
- "overrides": []
- },
- "gridPos": {
- "h": 7,
- "w": 4,
- "x": 20,
- "y": 1
- },
- "id": 123,
- "options": {
- "orientation": "auto",
- "reduceOptions": {
- "calcs": [
- "lastNotNull"
- ],
- "fields": "",
- "values": false
- },
- "showThresholdLabels": false,
- "showThresholdMarkers": true
- },
- "pluginVersion": "9.5.2",
- "targets": [
- {
- "datasource": {
- "type": "prometheus",
- "uid": "$datasource"
- },
- "editorMode": "code",
- "expr": "sum(increase(externalsecret_provider_api_calls_count{service=~\".*external-secrets.*\", status=\"error\"}[15m]))\n/\nsum(increase(externalsecret_provider_api_calls_count{service=~\".*external-secrets.*\"}[15m]))\n> 0",
- "legendFormat": "__auto",
- "range": true,
- "refId": "A"
- }
- ],
- "title": "Provider error rate [15m]",
- "type": "gauge"
- },
- {
- "datasource": {
- "type": "prometheus",
- "uid": "$datasource"
- },
- "fieldConfig": {
- "defaults": {
- "color": {
- "mode": "thresholds"
- },
- "mappings": [],
- "min": 0,
- "thresholds": {
- "mode": "absolute",
- "steps": [
- {
- "color": "green",
- "value": null
- },
- {
- "color": "#EAB839",
- "value": 10
- }
- ]
- },
- "unit": "none"
- },
- "overrides": []
- },
- "gridPos": {
- "h": 7,
- "w": 8,
- "x": 8,
- "y": 7
- },
- "id": 147,
- "options": {
- "orientation": "auto",
- "reduceOptions": {
- "calcs": [
- "lastNotNull"
- ],
- "fields": "",
- "values": false
- },
- "showThresholdLabels": false,
- "showThresholdMarkers": true
- },
- "pluginVersion": "9.5.2",
- "targets": [
- {
- "datasource": {
- "type": "prometheus",
- "uid": "$datasource"
- },
- "editorMode": "code",
- "expr": "sum(\n workqueue_depth{service=~\"external-secrets.*\"}\n) by (name)",
- "legendFormat": "__auto",
- "range": true,
- "refId": "A"
- }
- ],
- "title": "Workqueue depth",
- "type": "gauge"
- },
- {
- "datasource": {
- "type": "prometheus",
- "uid": "$datasource"
- },
- "fieldConfig": {
- "defaults": {
- "color": {
- "mode": "thresholds"
- },
- "mappings": [],
- "min": 0,
- "thresholds": {
- "mode": "percentage",
- "steps": [
- {
- "color": "green",
- "value": null
- },
- {
- "color": "#EAB839",
- "value": 1
- }
- ]
- },
- "unit": "percentunit"
- },
- "overrides": []
- },
- "gridPos": {
- "h": 6,
- "w": 4,
- "x": 0,
- "y": 8
- },
- "id": 145,
- "options": {
- "orientation": "auto",
- "reduceOptions": {
- "calcs": [
- "lastNotNull"
- ],
- "fields": "",
- "values": false
- },
- "showThresholdLabels": false,
- "showThresholdMarkers": true
- },
- "pluginVersion": "9.5.2",
- "targets": [
- {
- "datasource": {
- "type": "prometheus",
- "uid": "$datasource"
- },
- "editorMode": "code",
- "expr": "sum(increase(controller_runtime_webhook_requests_total{service=~\"external-secrets.*\",code=\"500\"}[15m]))\n/\nsum(increase(controller_runtime_webhook_requests_total{service=~\"external-secrets.*\"}[15m]))",
- "legendFormat": "__auto",
- "range": true,
- "refId": "A"
- }
- ],
- "title": "Webhook error rate [15m]",
- "type": "gauge"
- },
- {
- "datasource": {
- "type": "prometheus",
- "uid": "$datasource"
- },
- "fieldConfig": {
- "defaults": {
- "color": {
- "mode": "thresholds"
- },
- "mappings": [],
- "min": 0,
- "thresholds": {
- "mode": "absolute",
- "steps": [
- {
- "color": "green",
- "value": null
- },
- {
- "color": "#EAB839",
- "value": 100
- }
- ]
- },
- "unit": "s"
- },
- "overrides": []
- },
- "gridPos": {
- "h": 6,
- "w": 4,
- "x": 4,
- "y": 8
- },
- "id": 146,
- "options": {
- "orientation": "auto",
- "reduceOptions": {
- "calcs": [
- "lastNotNull"
- ],
- "fields": "",
- "values": false
- },
- "showThresholdLabels": false,
- "showThresholdMarkers": true
- },
- "pluginVersion": "9.5.2",
- "targets": [
- {
- "datasource": {
- "type": "prometheus",
- "uid": "$datasource"
- },
- "editorMode": "code",
- "expr": "histogram_quantile(0.99,\n sum(rate(controller_runtime_webhook_latency_seconds_bucket{service=~\"external-secrets.*\"}[5m])) by (le)\n)",
- "legendFormat": "__auto",
- "range": true,
- "refId": "A"
- }
- ],
- "title": "Webhook latency [5m]",
- "type": "gauge"
- },
- {
- "datasource": {
- "type": "prometheus",
- "uid": "$datasource"
- },
- "fieldConfig": {
- "defaults": {
- "color": {
- "mode": "thresholds"
- },
- "mappings": [],
- "min": 0,
- "thresholds": {
- "mode": "absolute",
- "steps": [
- {
- "color": "green",
- "value": null
- },
- {
- "color": "#EAB839",
- "value": 10
- }
- ]
- },
- "unit": "s"
- },
- "overrides": []
- },
- "gridPos": {
- "h": 6,
- "w": 4,
- "x": 16,
- "y": 8
- },
- "id": 148,
- "options": {
- "orientation": "auto",
- "reduceOptions": {
- "calcs": [
- "lastNotNull"
- ],
- "fields": "",
- "values": false
- },
- "showThresholdLabels": false,
- "showThresholdMarkers": true
- },
- "pluginVersion": "9.5.2",
- "targets": [
- {
- "datasource": {
- "type": "prometheus",
- "uid": "$datasource"
- },
- "editorMode": "code",
- "expr": "histogram_quantile(0.99,\n sum(rate(controller_runtime_reconcile_time_seconds_bucket{service=~\"external-secrets.*\"}[5m])) by (le)\n)",
- "legendFormat": "__auto",
- "range": true,
- "refId": "A"
- }
- ],
- "title": "Reconcile latency [p99]",
- "type": "gauge"
- },
- {
- "datasource": {
- "type": "prometheus",
- "uid": "$datasource"
- },
- "fieldConfig": {
- "defaults": {
- "color": {
- "mode": "thresholds"
- },
- "mappings": [],
- "min": 0,
- "thresholds": {
- "mode": "percentage",
- "steps": [
- {
- "color": "green",
- "value": null
- },
- {
- "color": "#EAB839",
- "value": 1
- }
- ]
- },
- "unit": "percentunit"
- },
- "overrides": []
- },
- "gridPos": {
- "h": 6,
- "w": 4,
- "x": 20,
- "y": 8
- },
- "id": 149,
- "options": {
- "orientation": "auto",
- "reduceOptions": {
- "calcs": [
- "lastNotNull"
- ],
- "fields": "",
- "values": false
- },
- "showThresholdLabels": false,
- "showThresholdMarkers": true
- },
- "pluginVersion": "9.5.2",
- "targets": [
- {
- "datasource": {
- "type": "prometheus",
- "uid": "$datasource"
- },
- "editorMode": "code",
- "expr": "sum(increase(controller_runtime_reconcile_total{service=~\"external-secrets.*\",controller=~\"$controller\",result=\"error\"}[1m]))\n/\nsum(increase(controller_runtime_reconcile_total{service=~\"external-secrets.*\",controller=~\"$controller\"}[1m]))\n> 0",
- "legendFormat": "__auto",
- "range": true,
- "refId": "A"
- }
- ],
- "title": "reconcile error rate [p99]",
- "type": "gauge"
- },
- {
- "datasource": {
- "type": "prometheus",
- "uid": "$datasource"
- },
- "fieldConfig": {
- "defaults": {
- "color": {
- "mode": "palette-classic"
- },
- "custom": {
- "axisCenteredZero": false,
- "axisColorMode": "text",
- "axisLabel": "",
- "axisPlacement": "auto",
- "barAlignment": 0,
- "drawStyle": "line",
- "fillOpacity": 0,
- "gradientMode": "none",
- "hideFrom": {
- "legend": false,
- "tooltip": false,
- "viz": false
- },
- "lineInterpolation": "linear",
- "lineWidth": 1,
- "pointSize": 5,
- "scaleDistribution": {
- "type": "linear"
- },
- "showPoints": "auto",
- "spanNulls": false,
- "stacking": {
- "group": "A",
- "mode": "none"
- },
- "thresholdsStyle": {
- "mode": "off"
- }
- },
- "mappings": [],
- "min": 0,
- "thresholds": {
- "mode": "percentage",
- "steps": [
- {
- "color": "green",
- "value": null
- },
- {
- "color": "#EAB839",
- "value": 1
- }
- ]
- },
- "unit": "none"
- },
- "overrides": []
- },
- "gridPos": {
- "h": 8,
- "w": 8,
- "x": 0,
- "y": 14
- },
- "id": 124,
- "options": {
- "legend": {
- "calcs": [],
- "displayMode": "list",
- "placement": "bottom",
- "showLegend": true
- },
- "tooltip": {
- "mode": "single",
- "sort": "none"
- }
- },
- "pluginVersion": "9.5.2",
- "targets": [
- {
- "datasource": {
- "type": "prometheus",
- "uid": "$datasource"
- },
- "editorMode": "code",
- "expr": "increase(externalsecret_provider_api_calls_count{service=~\".*external-secrets.*\", status=\"error\"}[15m])",
- "legendFormat": "{{provider}}/{{call}}",
- "range": true,
- "refId": "A"
- }
- ],
- "title": "Provider errors [15m]",
- "type": "timeseries"
- },
- {
- "datasource": {
- "type": "prometheus",
- "uid": "$datasource"
- },
- "fieldConfig": {
- "defaults": {
- "color": {
- "mode": "thresholds"
- },
- "custom": {
- "align": "auto",
- "cellOptions": {
- "type": "auto"
- },
- "filterable": false,
- "inspect": false
- },
- "mappings": [],
- "thresholds": {
- "mode": "absolute",
- "steps": [
- {
- "color": "green",
- "value": null
- },
- {
- "color": "red",
- "value": 80
- }
- ]
- }
- },
- "overrides": [
- {
- "matcher": {
- "id": "byName",
- "options": "Value"
- },
- "properties": [
- {
- "id": "custom.hidden",
- "value": true
- }
- ]
- },
- {
- "matcher": {
- "id": "byName",
- "options": "Time"
- },
- "properties": [
- {
- "id": "custom.hidden",
- "value": true
- }
- ]
- }
- ]
- },
- "gridPos": {
- "h": 8,
- "w": 7,
- "x": 8,
- "y": 14
- },
- "id": 125,
- "options": {
- "cellHeight": "sm",
- "footer": {
- "countRows": false,
- "fields": [],
- "reducer": [
- "sum"
- ],
- "show": false
- },
- "showHeader": true
- },
- "pluginVersion": "9.5.2",
- "targets": [
- {
- "datasource": {
- "type": "prometheus",
- "uid": "$datasource"
- },
- "editorMode": "code",
- "exemplar": false,
- "expr": "sum(externalsecret_status_condition{condition=\"Ready\",status=\"False\"}) by (namespace, name) == 1",
- "format": "table",
- "instant": true,
- "legendFormat": "{{provider}}/{{call}}",
- "range": false,
- "refId": "A"
- }
- ],
- "title": "Not Ready ExternalSecrets [15m]",
- "transformations": [],
- "type": "table"
- },
- {
- "datasource": {
- "type": "prometheus",
- "uid": "$datasource"
- },
- "fieldConfig": {
- "defaults": {
- "color": {
- "mode": "palette-classic"
- },
- "custom": {
- "axisCenteredZero": false,
- "axisColorMode": "text",
- "axisLabel": "",
- "axisPlacement": "auto",
- "barAlignment": 0,
- "drawStyle": "line",
- "fillOpacity": 0,
- "gradientMode": "none",
- "hideFrom": {
- "legend": false,
- "tooltip": false,
- "viz": false
- },
- "lineInterpolation": "linear",
- "lineWidth": 1,
- "pointSize": 5,
- "scaleDistribution": {
- "type": "linear"
- },
- "showPoints": "auto",
- "spanNulls": false,
- "stacking": {
- "group": "A",
- "mode": "none"
- },
- "thresholdsStyle": {
- "mode": "off"
- }
- },
- "mappings": [],
- "thresholds": {
- "mode": "absolute",
- "steps": [
- {
- "color": "green",
- "value": null
- },
- {
- "color": "red",
- "value": 80
- }
- ]
- }
- },
- "overrides": []
- },
- "gridPos": {
- "h": 8,
- "w": 9,
- "x": 15,
- "y": 14
- },
- "id": 126,
- "options": {
- "legend": {
- "calcs": [],
- "displayMode": "list",
- "placement": "bottom",
- "showLegend": true
- },
- "tooltip": {
- "mode": "single",
- "sort": "none"
- }
- },
- "targets": [
- {
- "datasource": {
- "type": "prometheus",
- "uid": "$datasource"
- },
- "editorMode": "code",
- "expr": "sum(increase(externalsecret_sync_calls_error[15m])) by (name, namespace)",
- "legendFormat": "{{namespace}}/{{name}}",
- "range": true,
- "refId": "A"
- }
- ],
- "title": "ExternalSecret sync call errors [15m]",
- "type": "timeseries"
- },
- {
- "collapsed": true,
- "gridPos": {
- "h": 1,
- "w": 24,
- "x": 0,
- "y": 22
- },
- "id": 27,
- "panels": [
- {
- "datasource": "$datasource",
- "fieldConfig": {
- "defaults": {
- "color": {
- "mode": "palette-classic"
- },
- "custom": {
- "axisCenteredZero": false,
- "axisColorMode": "text",
- "axisLabel": "",
- "axisPlacement": "auto",
- "barAlignment": 0,
- "drawStyle": "line",
- "fillOpacity": 0,
- "gradientMode": "none",
- "hideFrom": {
- "legend": false,
- "tooltip": false,
- "viz": false
- },
- "lineInterpolation": "linear",
- "lineWidth": 1,
- "pointSize": 5,
- "scaleDistribution": {
- "type": "linear"
- },
- "showPoints": "auto",
- "spanNulls": false,
- "stacking": {
- "group": "A",
- "mode": "none"
- },
- "thresholdsStyle": {
- "mode": "off"
- }
- },
- "mappings": [],
- "thresholds": {
- "mode": "absolute",
- "steps": [
- {
- "color": "green",
- "value": null
- },
- {
- "color": "red",
- "value": 80
- }
- ]
- }
- },
- "overrides": []
- },
- "gridPos": {
- "h": 8,
- "w": 12,
- "x": 0,
- "y": 16
- },
- "id": 53,
- "options": {
- "legend": {
- "calcs": [],
- "displayMode": "list",
- "placement": "bottom",
- "showLegend": true
- },
- "tooltip": {
- "mode": "single",
- "sort": "none"
- }
- },
- "targets": [
- {
- "datasource": "$datasource",
- "editorMode": "code",
- "expr": "sum(increase(controller_runtime_webhook_requests_total{service=~\".*external-secrets.*\"}[1m])) by (webhook)",
- "legendFormat": "__auto",
- "range": true,
- "refId": "A"
- }
- ],
- "title": "requests by path per minute",
- "type": "timeseries"
- },
- {
- "datasource": "$datasource",
- "fieldConfig": {
- "defaults": {
- "color": {
- "mode": "palette-classic"
- },
- "custom": {
- "axisCenteredZero": false,
- "axisColorMode": "text",
- "axisLabel": "",
- "axisPlacement": "auto",
- "barAlignment": 0,
- "drawStyle": "line",
- "fillOpacity": 0,
- "gradientMode": "none",
- "hideFrom": {
- "legend": false,
- "tooltip": false,
- "viz": false
- },
- "lineInterpolation": "linear",
- "lineWidth": 1,
- "pointSize": 5,
- "scaleDistribution": {
- "type": "linear"
- },
- "showPoints": "auto",
- "spanNulls": false,
- "stacking": {
- "group": "A",
- "mode": "none"
- },
- "thresholdsStyle": {
- "mode": "off"
- }
- },
- "mappings": [],
- "thresholds": {
- "mode": "absolute",
- "steps": [
- {
- "color": "green",
- "value": null
- },
- {
- "color": "red",
- "value": 80
- }
- ]
- }
- },
- "overrides": []
- },
- "gridPos": {
- "h": 8,
- "w": 12,
- "x": 12,
- "y": 16
- },
- "id": 67,
- "options": {
- "legend": {
- "calcs": [],
- "displayMode": "list",
- "placement": "bottom",
- "showLegend": true
- },
- "tooltip": {
- "mode": "single",
- "sort": "none"
- }
- },
- "targets": [
- {
- "datasource": "$datasource",
- "editorMode": "code",
- "expr": "sum(controller_runtime_webhook_requests_in_flight{service=~\".*external-secrets.*\"}) by (webhook)",
- "legendFormat": "__auto",
- "range": true,
- "refId": "A"
- }
- ],
- "title": "requests in flight",
- "type": "timeseries"
- },
- {
- "datasource": "$datasource",
- "fieldConfig": {
- "defaults": {
- "color": {
- "mode": "palette-classic"
- },
- "custom": {
- "axisCenteredZero": false,
- "axisColorMode": "text",
- "axisLabel": "",
- "axisPlacement": "auto",
- "barAlignment": 0,
- "drawStyle": "line",
- "fillOpacity": 0,
- "gradientMode": "none",
- "hideFrom": {
- "legend": false,
- "tooltip": false,
- "viz": false
- },
- "lineInterpolation": "linear",
- "lineWidth": 1,
- "pointSize": 5,
- "scaleDistribution": {
- "type": "linear"
- },
- "showPoints": "auto",
- "spanNulls": false,
- "stacking": {
- "group": "A",
- "mode": "none"
- },
- "thresholdsStyle": {
- "mode": "off"
- }
- },
- "mappings": [],
- "thresholds": {
- "mode": "absolute",
- "steps": [
- {
- "color": "green",
- "value": null
- },
- {
- "color": "red",
- "value": 80
- }
- ]
- }
- },
- "overrides": []
- },
- "gridPos": {
- "h": 8,
- "w": 12,
- "x": 0,
- "y": 24
- },
- "id": 80,
- "options": {
- "legend": {
- "calcs": [],
- "displayMode": "list",
- "placement": "bottom",
- "showLegend": true
- },
- "tooltip": {
- "mode": "single",
- "sort": "none"
- }
- },
- "targets": [
- {
- "datasource": "$datasource",
- "editorMode": "code",
- "expr": "sum(increase(controller_runtime_webhook_requests_total{service=~\".*external-secrets.*\"}[1m])) by (code)",
- "legendFormat": "__auto",
- "range": true,
- "refId": "A"
- }
- ],
- "title": "requests by code per minute",
- "type": "timeseries"
- },
- {
- "datasource": "$datasource",
- "fieldConfig": {
- "defaults": {
- "custom": {
- "hideFrom": {
- "legend": false,
- "tooltip": false,
- "viz": false
- },
- "scaleDistribution": {
- "type": "linear"
- }
- }
- },
- "overrides": []
- },
- "gridPos": {
- "h": 8,
- "w": 12,
- "x": 12,
- "y": 24
- },
- "id": 54,
- "options": {
- "calculate": false,
- "cellGap": 1,
- "color": {
- "exponent": 0.5,
- "fill": "dark-orange",
- "mode": "scheme",
- "reverse": false,
- "scale": "exponential",
- "scheme": "Oranges",
- "steps": 64
- },
- "exemplars": {
- "color": "rgba(255,0,255,0.7)"
- },
- "filterValues": {
- "le": 1e-9
- },
- "legend": {
- "show": true
- },
- "rowsFrame": {
- "layout": "auto"
- },
- "tooltip": {
- "show": true,
- "yHistogram": false
- },
- "yAxis": {
- "axisPlacement": "left",
- "reverse": false
- }
- },
- "pluginVersion": "9.5.2",
- "targets": [
- {
- "datasource": "$datasource",
- "editorMode": "code",
- "expr": "sum(rate(controller_runtime_webhook_latency_seconds_bucket{service=~\".*external-secrets.*\"}[$__rate_interval])) by (le)",
- "legendFormat": "{{le}}",
- "range": true,
- "refId": "A"
- }
- ],
- "title": "webhook latency",
- "type": "heatmap"
- }
- ],
- "title": "Admission Control Webhook",
- "type": "row"
- },
- {
- "collapsed": true,
- "gridPos": {
- "h": 1,
- "w": 24,
- "x": 0,
- "y": 23
- },
- "id": 17,
- "panels": [
- {
- "datasource": "$datasource",
- "fieldConfig": {
- "defaults": {
- "color": {
- "mode": "palette-classic"
- },
- "custom": {
- "axisCenteredZero": false,
- "axisColorMode": "text",
- "axisLabel": "",
- "axisPlacement": "auto",
- "barAlignment": 0,
- "drawStyle": "line",
- "fillOpacity": 0,
- "gradientMode": "none",
- "hideFrom": {
- "legend": false,
- "tooltip": false,
- "viz": false
- },
- "lineInterpolation": "linear",
- "lineWidth": 1,
- "pointSize": 5,
- "scaleDistribution": {
- "type": "linear"
- },
- "showPoints": "auto",
- "spanNulls": false,
- "stacking": {
- "group": "A",
- "mode": "none"
- },
- "thresholdsStyle": {
- "mode": "off"
- }
- },
- "mappings": [],
- "thresholds": {
- "mode": "absolute",
- "steps": [
- {
- "color": "green",
- "value": null
- },
- {
- "color": "red",
- "value": 80
- }
- ]
- }
- },
- "overrides": []
- },
- "gridPos": {
- "h": 8,
- "w": 7,
- "x": 0,
- "y": 17
- },
- "id": 2,
- "options": {
- "legend": {
- "calcs": [],
- "displayMode": "list",
- "placement": "bottom",
- "showLegend": true
- },
- "tooltip": {
- "mode": "single",
- "sort": "none"
- }
- },
- "targets": [
- {
- "datasource": "$datasource",
- "editorMode": "code",
- "expr": "sum(controller_runtime_active_workers{service=~\".*external-secrets.*\",controller=~\"$controller\"}) by (controller)",
- "legendFormat": "__auto",
- "range": true,
- "refId": "A"
- }
- ],
- "title": "active workers by controller",
- "type": "timeseries"
- },
- {
- "datasource": "$datasource",
- "fieldConfig": {
- "defaults": {
- "color": {
- "mode": "palette-classic"
- },
- "custom": {
- "axisCenteredZero": false,
- "axisColorMode": "text",
- "axisLabel": "",
- "axisPlacement": "auto",
- "barAlignment": 0,
- "drawStyle": "line",
- "fillOpacity": 0,
- "gradientMode": "none",
- "hideFrom": {
- "legend": false,
- "tooltip": false,
- "viz": false
- },
- "lineInterpolation": "linear",
- "lineWidth": 1,
- "pointSize": 5,
- "scaleDistribution": {
- "type": "linear"
- },
- "showPoints": "auto",
- "spanNulls": false,
- "stacking": {
- "group": "A",
- "mode": "none"
- },
- "thresholdsStyle": {
- "mode": "off"
- }
- },
- "mappings": [],
- "thresholds": {
- "mode": "absolute",
- "steps": [
- {
- "color": "green",
- "value": null
- },
- {
- "color": "red",
- "value": 80
- }
- ]
- }
- },
- "overrides": []
- },
- "gridPos": {
- "h": 8,
- "w": 8,
- "x": 7,
- "y": 17
- },
- "id": 37,
- "options": {
- "legend": {
- "calcs": [],
- "displayMode": "list",
- "placement": "bottom",
- "showLegend": true
- },
- "tooltip": {
- "mode": "single",
- "sort": "none"
- }
- },
- "targets": [
- {
- "datasource": "$datasource",
- "editorMode": "code",
- "expr": "sum(workqueue_depth{service=~\".*external-secrets.*\"}) by (name)",
- "legendFormat": "__auto",
- "range": true,
- "refId": "A"
- }
- ],
- "title": "workqueue depth",
- "type": "timeseries"
- },
- {
- "datasource": {
- "type": "prometheus",
- "uid": "$datasource"
- },
- "fieldConfig": {
- "defaults": {
- "color": {
- "mode": "palette-classic"
- },
- "custom": {
- "axisCenteredZero": false,
- "axisColorMode": "text",
- "axisLabel": "",
- "axisPlacement": "auto",
- "barAlignment": 0,
- "drawStyle": "line",
- "fillOpacity": 0,
- "gradientMode": "none",
- "hideFrom": {
- "legend": false,
- "tooltip": false,
- "viz": false
- },
- "lineInterpolation": "linear",
- "lineWidth": 1,
- "pointSize": 5,
- "scaleDistribution": {
- "type": "linear"
- },
- "showPoints": "auto",
- "spanNulls": false,
- "stacking": {
- "group": "A",
- "mode": "none"
- },
- "thresholdsStyle": {
- "mode": "off"
- }
- },
- "mappings": [],
- "thresholds": {
- "mode": "absolute",
- "steps": [
- {
- "color": "green",
- "value": null
- },
- {
- "color": "red",
- "value": 80
- }
- ]
- }
- },
- "overrides": []
- },
- "gridPos": {
- "h": 8,
- "w": 9,
- "x": 15,
- "y": 17
- },
- "id": 15,
- "options": {
- "legend": {
- "calcs": [],
- "displayMode": "list",
- "placement": "bottom",
- "showLegend": true
- },
- "tooltip": {
- "mode": "single",
- "sort": "none"
- }
- },
- "targets": [
- {
- "datasource": "$datasource",
- "editorMode": "code",
- "expr": "sum(increase(externalsecret_provider_api_calls_count{service=~\".*external-secrets.*\"}[1m])) by(provider, call, status)",
- "legendFormat": "{{provider}}/{{call}}={{status}}",
- "range": true,
- "refId": "A"
- }
- ],
- "title": "API calls by provider",
- "type": "timeseries"
- },
- {
- "datasource": "$datasource",
- "description": "",
- "fieldConfig": {
- "defaults": {
- "color": {
- "mode": "thresholds"
- },
- "mappings": [],
- "thresholds": {
- "mode": "absolute",
- "steps": [
- {
- "color": "green",
- "value": null
- },
- {
- "color": "red",
- "value": 80
- }
- ]
- }
- },
- "overrides": []
- },
- "gridPos": {
- "h": 6,
- "w": 3.4285714285714284,
- "x": 0,
- "y": 25
- },
- "id": 5,
- "maxPerRow": 12,
- "options": {
- "colorMode": "value",
- "graphMode": "area",
- "justifyMode": "auto",
- "orientation": "auto",
- "reduceOptions": {
- "calcs": [
- "lastNotNull"
- ],
- "fields": "",
- "values": false
- },
- "textMode": "auto"
- },
- "pluginVersion": "9.5.2",
- "repeat": "controller",
- "repeatDirection": "h",
- "targets": [
- {
- "datasource": "$datasource",
- "editorMode": "code",
- "expr": "sum(controller_runtime_max_concurrent_reconciles{service=~\".*external-secrets.*\",controller=\"$controller\"}) by (controller)",
- "legendFormat": "__auto",
- "range": true,
- "refId": "A"
- }
- ],
- "title": "max concurrent: $controller",
- "type": "stat"
- },
- {
- "datasource": "$datasource",
- "fieldConfig": {
- "defaults": {
- "color": {
- "mode": "palette-classic"
- },
- "custom": {
- "axisCenteredZero": false,
- "axisColorMode": "text",
- "axisLabel": "",
- "axisPlacement": "auto",
- "barAlignment": 0,
- "drawStyle": "line",
- "fillOpacity": 0,
- "gradientMode": "none",
- "hideFrom": {
- "legend": false,
- "tooltip": false,
- "viz": false
- },
- "lineInterpolation": "linear",
- "lineWidth": 1,
- "pointSize": 5,
- "scaleDistribution": {
- "type": "linear"
- },
- "showPoints": "auto",
- "spanNulls": false,
- "stacking": {
- "group": "A",
- "mode": "none"
- },
- "thresholdsStyle": {
- "mode": "off"
- }
- },
- "mappings": [],
- "thresholds": {
- "mode": "absolute",
- "steps": [
- {
- "color": "green",
- "value": null
- },
- {
- "color": "red",
- "value": 80
- }
- ]
- }
- },
- "overrides": []
- },
- "gridPos": {
- "h": 8,
- "w": 3.4285714285714284,
- "x": 0,
- "y": 31
- },
- "id": 3,
- "maxPerRow": 8,
- "options": {
- "legend": {
- "calcs": [],
- "displayMode": "list",
- "placement": "bottom",
- "showLegend": true
- },
- "tooltip": {
- "mode": "single",
- "sort": "none"
- }
- },
- "repeat": "controller",
- "repeatDirection": "h",
- "targets": [
- {
- "datasource": "$datasource",
- "editorMode": "code",
- "expr": "sum(increase(controller_runtime_reconcile_total{service=~\".*external-secrets.*\",controller=~\"$controller\"}[1m])) by (result)",
- "legendFormat": "__auto",
- "range": true,
- "refId": "A"
- }
- ],
- "title": "reconcile rate per minute: $controller",
- "type": "timeseries"
- },
- {
- "datasource": "$datasource",
- "fieldConfig": {
- "defaults": {
- "custom": {
- "hideFrom": {
- "legend": false,
- "tooltip": false,
- "viz": false
- },
- "scaleDistribution": {
- "type": "linear"
- }
- }
- },
- "overrides": []
- },
- "gridPos": {
- "h": 8,
- "w": 3.4285714285714284,
- "x": 0,
- "y": 39
- },
- "id": 39,
- "maxPerRow": 8,
- "options": {
- "calculate": false,
- "cellGap": 1,
- "cellValues": {
- "unit": "short"
- },
- "color": {
- "exponent": 0.5,
- "fill": "dark-orange",
- "mode": "scheme",
- "reverse": false,
- "scale": "exponential",
- "scheme": "Oranges",
- "steps": 10
- },
- "exemplars": {
- "color": "rgba(255,0,255,0.7)"
- },
- "filterValues": {
- "le": 1e-9
- },
- "legend": {
- "show": true
- },
- "rowsFrame": {
- "layout": "auto"
- },
- "tooltip": {
- "show": true,
- "yHistogram": false
- },
- "yAxis": {
- "axisPlacement": "left",
- "max": "5",
- "min": 0,
- "reverse": false,
- "unit": "s"
- }
- },
- "pluginVersion": "9.5.2",
- "repeat": "controller",
- "repeatDirection": "h",
- "targets": [
- {
- "datasource": "$datasource",
- "editorMode": "code",
- "expr": "rate(controller_runtime_reconcile_time_seconds_bucket{service=~\".*external-secrets.*\",controller=~\"$controller\"}[$__rate_interval])",
- "legendFormat": "{{le}}",
- "range": true,
- "refId": "A"
- }
- ],
- "title": "reconcile time latency: $controller",
- "type": "heatmap"
- }
- ],
- "title": "Controllers",
- "type": "row"
- }
- ],
- "refresh": "",
- "revision": 1,
- "schemaVersion": 38,
- "style": "dark",
- "tags": [],
- "templating": {
- "list": [
- {
- "current": {
- "selected": false,
- "text": "Prometheus",
- "value": "Prometheus"
- },
- "hide": 0,
- "includeAll": false,
- "multi": false,
- "name": "datasource",
- "options": [],
- "query": "prometheus",
- "queryValue": "",
- "refresh": 1,
- "regex": "",
- "skipUrlSync": false,
- "type": "datasource"
- },
- {
- "allValue": ".*",
- "current": {
- "selected": false,
- "text": "All",
- "value": "$__all"
- },
- "datasource": {
- "type": "prometheus",
- "uid": "$datasource"
- },
- "definition": "label_values(controller_runtime_active_workers{service=~\".*external-secrets.*\"}, controller)",
- "hide": 0,
- "includeAll": true,
- "multi": true,
- "name": "controller",
- "options": [],
- "query": {
- "query": "label_values(controller_runtime_active_workers{service=~\".*external-secrets.*\"}, controller)",
- "refId": "StandardVariableQuery"
- },
- "refresh": 1,
- "regex": "",
- "skipUrlSync": false,
- "sort": 0,
- "type": "query"
- }
- ]
- },
- "time": {
- "from": "now-1h",
- "to": "now"
- },
- "timepicker": {},
- "timezone": "",
- "title": "External Secrets Operator",
- "uid": "n4IdKaJVk",
- "version": 9,
- "weekStart": ""
-}
diff --git a/charts/external-secrets/templates/NOTES.txt b/charts/external-secrets/templates/NOTES.txt
index ffa0fc7..2887d22 100644
--- a/charts/external-secrets/templates/NOTES.txt
+++ b/charts/external-secrets/templates/NOTES.txt
@@ -1,7 +1,8 @@
-external-secrets has been deployed successfully in namespace {{ template "external-secrets.namespace" . }}!
+external-secrets has been deployed successfully!
In order to begin using ExternalSecrets, you will need to set up a SecretStore
or ClusterSecretStore resource (for example, by creating a 'vault' SecretStore).
More information on the different types of SecretStores and how to configure them
can be found in our Github: {{ .Chart.Home }}
+
diff --git a/charts/external-secrets/templates/_helpers.tpl b/charts/external-secrets/templates/_helpers.tpl
index d47f516..92031fe 100644
--- a/charts/external-secrets/templates/_helpers.tpl
+++ b/charts/external-secrets/templates/_helpers.tpl
@@ -23,17 +23,6 @@ If release name contains chart name it will be used as a full name.
{{- end }}
{{- end }}
-{{/*
-Define namespace of chart, useful for multi-namespace deployments
-*/}}
-{{- define "external-secrets.namespace" -}}
-{{- if .Values.namespaceOverride }}
-{{- .Values.namespaceOverride }}
-{{- else }}
-{{- .Release.Namespace }}
-{{- end }}
-{{- end }}
-
{{/*
Create chart name and version as used by the chart label.
*/}}
@@ -66,26 +55,6 @@ app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- with .Values.commonLabels }}
{{ toYaml . }}
{{- end }}
-{{- if and ( .Capabilities.APIVersions.Has "monitoring.coreos.com/v1" ) .Values.serviceMonitor.enabled }}
-app.kubernetes.io/metrics: "webhook"
-{{- with .Values.webhook.service.labels }}
-{{ toYaml . }}
-{{- end }}
-{{- end }}
-{{- end }}
-
-{{- define "external-secrets-webhook.annotations" -}}
-{{- if or .Values.webhook.service.annotations (and .Values.webhook.metrics.service.enabled .Values.webhook.metrics.service.annotations) -}}
-annotations:
-{{- with .Values.webhook.service.annotations }}
- {{- toYaml . | nindent 2 }}
-{{- end }}
-{{- if .Values.webhook.metrics.service.enabled }}
-{{- with .Values.webhook.metrics.service.annotations }}
- {{- toYaml . | nindent 2 }}
-{{- end }}
-{{- end }}
-{{- end }}
{{- end }}
{{- define "external-secrets-webhook-metrics.labels" -}}
@@ -106,9 +75,6 @@ app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- with .Values.commonLabels }}
{{ toYaml . }}
{{- end }}
-{{- if and ( .Capabilities.APIVersions.Has "monitoring.coreos.com/v1" ) .Values.serviceMonitor.enabled }}
-app.kubernetes.io/metrics: "cert-controller"
-{{- end }}
{{- end }}
{{- define "external-secrets-cert-controller-metrics.labels" -}}
@@ -167,55 +133,3 @@ Create the name of the service account to use
{{- end }}
{{- end }}
-{{/*
-Determine the image to use, including if using a flavour.
-*/}}
-{{- define "external-secrets.image" -}}
-{{- if .image.flavour -}}
-{{ printf "%s:%s-%s" .image.repository (.image.tag | default .chartAppVersion) .image.flavour }}
-{{- else }}
-{{ printf "%s:%s" .image.repository (.image.tag | default .chartAppVersion) }}
-{{- end }}
-{{- end }}
-
-{{/*
-Renders a complete tree, even values that contains template.
-*/}}
-{{- define "external-secrets.render" -}}
- {{- if typeIs "string" .value }}
- {{- tpl .value .context }}
- {{ else }}
- {{- tpl (.value | toYaml) .context }}
- {{- end }}
-{{- end -}}
-
-{{/*
-Return true if the OpenShift is the detected platform
-Usage:
-{{- include "external-secrets.isOpenShift" . -}}
-*/}}
-{{- define "external-secrets.isOpenShift" -}}
-{{- if .Capabilities.APIVersions.Has "security.openshift.io/v1" -}}
-{{- true -}}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Render the securityContext based on the provided securityContext
- {{- include "external-secrets.renderSecurityContext" (dict "securityContext" .Values.securityContext "context" $) -}}
-*/}}
-{{- define "external-secrets.renderSecurityContext" -}}
-{{- $adaptedContext := .securityContext -}}
-{{- if .context.Values.global.compatibility -}}
- {{- if .context.Values.global.compatibility.openshift -}}
- {{- if or (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "force") (and (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "auto") (include "external-secrets.isOpenShift" .context)) -}}
- {{/* Remove OpenShift managed fields */}}
- {{- $adaptedContext = omit $adaptedContext "fsGroup" "runAsUser" "runAsGroup" -}}
- {{- if not .securityContext.seLinuxOptions -}}
- {{- $adaptedContext = omit $adaptedContext "seLinuxOptions" -}}
- {{- end -}}
- {{- end -}}
- {{- end -}}
-{{- end -}}
-{{- omit $adaptedContext "enabled" | toYaml -}}
-{{- end -}}
diff --git a/charts/external-secrets/templates/cert-controller-deployment.yaml b/charts/external-secrets/templates/cert-controller-deployment.yaml
index a843f04..51083e5 100644
--- a/charts/external-secrets/templates/cert-controller-deployment.yaml
+++ b/charts/external-secrets/templates/cert-controller-deployment.yaml
@@ -1,9 +1,9 @@
-{{- if and .Values.certController.create (not .Values.webhook.certManager.enabled) }}
+{{- if and .Values.certController.create (not .Values.webhook.certManager.enable) }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "external-secrets.fullname" . }}-cert-controller
- namespace: {{ template "external-secrets.namespace" . }}
+ namespace: {{ .Release.Namespace | quote }}
labels:
{{- include "external-secrets-cert-controller.labels" . | nindent 4 }}
{{- with .Values.certController.deploymentAnnotations }}
@@ -35,40 +35,31 @@ spec:
serviceAccountName: {{ include "external-secrets-cert-controller.serviceAccountName" . }}
automountServiceAccountToken: {{ .Values.certController.serviceAccount.automount }}
{{- with .Values.certController.podSecurityContext }}
- {{- if and (.enabled) (gt (keys . | len) 1) }}
securityContext:
- {{- include "external-secrets.renderSecurityContext" (dict "securityContext" . "context" $) | nindent 8 }}
- {{- end }}
+ {{- toYaml . | nindent 8 }}
{{- end }}
hostNetwork: {{ .Values.certController.hostNetwork }}
containers:
- name: cert-controller
{{- with .Values.certController.securityContext }}
- {{- if and (.enabled) (gt (keys . | len) 1) }}
securityContext:
- {{- include "external-secrets.renderSecurityContext" (dict "securityContext" . "context" $) | nindent 12 }}
+ {{- toYaml . | nindent 12 }}
{{- end }}
- {{- end }}
- image: {{ include "external-secrets.image" (dict "chartAppVersion" .Chart.AppVersion "image" .Values.certController.image) | trim }}
+ image: "{{ .Values.certController.image.repository }}:{{ .Values.certController.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.certController.image.pullPolicy }}
args:
- certcontroller
- --crd-requeue-interval={{ .Values.certController.requeueInterval }}
- --service-name={{ include "external-secrets.fullname" . }}-webhook
- - --service-namespace={{ template "external-secrets.namespace" . }}
+ - --service-namespace={{ .Release.Namespace }}
- --secret-name={{ include "external-secrets.fullname" . }}-webhook
- - --secret-namespace={{ template "external-secrets.namespace" . }}
+ - --secret-namespace={{ .Release.Namespace }}
- --metrics-addr=:{{ .Values.certController.metrics.listen.port }}
- --healthz-addr={{ .Values.certController.readinessProbe.address }}:{{ .Values.certController.readinessProbe.port }}
- - --loglevel={{ .Values.certController.log.level }}
- - --zap-time-encoding={{ .Values.certController.log.timeEncoding }}
- {{- if not .Values.crds.createClusterSecretStore }}
+ {{ if not .Values.crds.createClusterSecretStore -}}
- --crd-names=externalsecrets.external-secrets.io
- --crd-names=secretstores.external-secrets.io
- {{- end }}
- {{- if .Values.installCRDs }}
- - --enable-partial-cache=true
- {{- end }}
+ {{- end -}}
{{- range $key, $value := .Values.certController.extraArgs }}
{{- if $value }}
- --{{ $key }}={{ $value }}
@@ -102,19 +93,19 @@ spec:
volumes:
{{- toYaml .Values.certController.extraVolumes | nindent 8 }}
{{- end }}
- {{- with .Values.certController.nodeSelector | default .Values.global.nodeSelector }}
+ {{- with .Values.certController.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
- {{- with .Values.certController.affinity | default .Values.global.affinity }}
+ {{- with .Values.certController.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
- {{- with .Values.certController.tolerations | default .Values.global.tolerations }}
+ {{- with .Values.certController.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
- {{- with .Values.certController.topologySpreadConstraints | default .Values.global.topologySpreadConstraints }}
+ {{- with .Values.certController.topologySpreadConstraints }}
topologySpreadConstraints:
{{- toYaml . | nindent 8 }}
{{- end }}
diff --git a/charts/external-secrets/templates/cert-controller-poddisruptionbudget.yaml b/charts/external-secrets/templates/cert-controller-poddisruptionbudget.yaml
index e61cb8e..5eca1a9 100644
--- a/charts/external-secrets/templates/cert-controller-poddisruptionbudget.yaml
+++ b/charts/external-secrets/templates/cert-controller-poddisruptionbudget.yaml
@@ -3,7 +3,7 @@ apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: {{ include "external-secrets.fullname" . }}-cert-controller-pdb
- namespace: {{ template "external-secrets.namespace" . }}
+ namespace: {{ .Release.Namespace | quote }}
labels:
{{- include "external-secrets-cert-controller.labels" . | nindent 4 }}
spec:
diff --git a/charts/external-secrets/templates/cert-controller-rbac.yaml b/charts/external-secrets/templates/cert-controller-rbac.yaml
index 84a0c11..62dbe3f 100644
--- a/charts/external-secrets/templates/cert-controller-rbac.yaml
+++ b/charts/external-secrets/templates/cert-controller-rbac.yaml
@@ -21,17 +21,9 @@ rules:
resources:
- "validatingwebhookconfigurations"
verbs:
+ - "get"
- "list"
- "watch"
- - "get"
- - apiGroups:
- - "admissionregistration.k8s.io"
- resources:
- - "validatingwebhookconfigurations"
- resourceNames:
- - "secretstore-validate"
- - "externalsecret-validate"
- verbs:
- "update"
- "patch"
- apiGroups:
@@ -81,6 +73,6 @@ roleRef:
name: {{ include "external-secrets.fullname" . }}-cert-controller
subjects:
- name: {{ include "external-secrets-cert-controller.serviceAccountName" . }}
- namespace: {{ template "external-secrets.namespace" . }}
+ namespace: {{ .Release.Namespace | quote }}
kind: ServiceAccount
{{- end }}
diff --git a/charts/external-secrets/templates/cert-controller-service.yaml b/charts/external-secrets/templates/cert-controller-service.yaml
index 2114915..570dc04 100644
--- a/charts/external-secrets/templates/cert-controller-service.yaml
+++ b/charts/external-secrets/templates/cert-controller-service.yaml
@@ -1,23 +1,16 @@
-{{- if and .Values.certController.create ( or .Values.certController.metrics.service.enabled ( and ( .Capabilities.APIVersions.Has "monitoring.coreos.com/v1" ) .Values.serviceMonitor.enabled )) (not .Values.webhook.certManager.enabled) }}
+{{- if and .Values.certController.create .Values.certController.metrics.service.enabled (not .Values.webhook.certManager.enabled) }}
apiVersion: v1
kind: Service
metadata:
name: {{ include "external-secrets.fullname" . }}-cert-controller-metrics
- namespace: {{ template "external-secrets.namespace" . }}
labels:
- {{- include "external-secrets-cert-controller.labels" . | nindent 4 }}
+ {{- include "external-secrets.labels" . | nindent 4 }}
{{- with .Values.metrics.service.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
type: ClusterIP
- {{- if .Values.service.ipFamilyPolicy }}
- ipFamilyPolicy: {{ .Values.service.ipFamilyPolicy }}
- {{- end }}
- {{- if .Values.service.ipFamilies }}
- ipFamilies: {{ .Values.service.ipFamilies | toYaml | nindent 2 }}
- {{- end }}
ports:
- port: {{ .Values.certController.metrics.service.port }}
protocol: TCP
diff --git a/charts/external-secrets/templates/cert-controller-serviceaccount.yaml b/charts/external-secrets/templates/cert-controller-serviceaccount.yaml
index 6a36f9d..4fb0644 100644
--- a/charts/external-secrets/templates/cert-controller-serviceaccount.yaml
+++ b/charts/external-secrets/templates/cert-controller-serviceaccount.yaml
@@ -3,7 +3,7 @@ apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "external-secrets-cert-controller.serviceAccountName" . }}
- namespace: {{ template "external-secrets.namespace" . }}
+ namespace: {{ .Release.Namespace | quote }}
labels:
{{- include "external-secrets-cert-controller.labels" . | nindent 4 }}
{{- with .Values.certController.serviceAccount.extraLabels }}
diff --git a/charts/external-secrets/templates/crds/acraccesstoken.yaml b/charts/external-secrets/templates/crds/acraccesstoken.yaml
index 3caae5c..3d5919c 100644
--- a/charts/external-secrets/templates/crds/acraccesstoken.yaml
+++ b/charts/external-secrets/templates/crds/acraccesstoken.yaml
@@ -9,57 +9,36 @@ metadata:
{{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
{{- end }}
- controller-gen.kubebuilder.io/version: v0.17.3
- labels:
- external-secrets.io/component: controller
+ controller-gen.kubebuilder.io/version: v0.13.0
name: acraccesstokens.generators.external-secrets.io
spec:
group: generators.external-secrets.io
names:
categories:
- - external-secrets
- - external-secrets-generators
+ - acraccesstoken
kind: ACRAccessToken
listKind: ACRAccessTokenList
plural: acraccesstokens
+ shortNames:
+ - acraccesstoken
singular: acraccesstoken
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
- description: |-
- ACRAccessToken returns an Azure Container Registry token
- that can be used for pushing/pulling images.
- Note: by default it will return an ACR Refresh Token with full access
- (depending on the identity).
- This can be scoped down to the repository level using .spec.scope.
- In case scope is defined it will return an ACR Access Token.
-
- See docs: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md
+ description: "ACRAccessToken returns a Azure Container Registry token that can be used for pushing/pulling images. Note: by default it will return an ACR Refresh Token with full access (depending on the identity). This can be scoped down to the repository level using .spec.scope. In case scope is defined it will return an ACR Access Token. \n See docs: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md"
properties:
apiVersion:
- description: |-
- APIVersion defines the versioned schema of this representation of an object.
- Servers should convert recognized schemas to the latest internal value, and
- may reject unrecognized values.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
- description: |-
- Kind is a string value representing the REST resource this object represents.
- Servers may infer this from the endpoint the client submits requests to.
- Cannot be updated.
- In CamelCase.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
- description: |-
- ACRAccessTokenSpec defines how to generate the access token
- e.g. how to authenticate and which registry to use.
- see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview
+ description: 'ACRAccessTokenSpec defines how to generate the access token e.g. how to authenticate and which registry to use. see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview'
properties:
auth:
properties:
@@ -74,60 +53,32 @@ spec:
description: ServicePrincipal uses Azure Service Principal credentials to authenticate with Azure.
properties:
secretRef:
- description: |-
- Configuration used to authenticate with Azure using static
- credentials stored in a Kind=Secret.
+ description: Configuration used to authenticate with Azure using static credentials stored in a Kind=Secret.
properties:
clientId:
description: The Azure clientId of the service principle used for authentication.
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
clientSecret:
description: The Azure ClientSecret of the service principle used for authentication.
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
type: object
@@ -138,31 +89,18 @@ spec:
description: WorkloadIdentity uses Azure Workload Identity to authenticate with Azure.
properties:
serviceAccountRef:
- description: |-
- ServiceAccountRef specified the service account
- that should be used when authenticating with WorkloadIdentity.
+ description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity.
properties:
audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
+ description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
items:
type: string
type: array
name:
description: The name of the ServiceAccount resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- Namespace of the resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
required:
- name
@@ -171,11 +109,7 @@ spec:
type: object
environmentType:
default: PublicCloud
- description: |-
- EnvironmentType specifies the Azure cloud environment endpoints to use for
- connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
- The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
- PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
+ description: 'EnvironmentType specifies the Azure cloud environment endpoints to use for connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud'
enum:
- PublicCloud
- USGovernmentCloud
@@ -183,21 +117,10 @@ spec:
- GermanCloud
type: string
registry:
- description: |-
- the domain name of the ACR registry
- e.g. foobarexample.azurecr.io
+ description: the domain name of the ACR registry e.g. foobarexample.azurecr.io
type: string
scope:
- description: |-
- Define the scope for the access token, e.g. pull/push access for a repository.
- if not provided it will return a refresh token that has full scope.
- Note: you need to pin it down to the repository level, there is no wildcard available.
-
- examples:
- repository:my-repository:pull,push
- repository:my-repository:pull
-
- see docs for details: https://docs.docker.com/registry/spec/auth/scope/
+ description: "Define the scope for the access token, e.g. pull/push access for a repository. if not provided it will return a refresh token that has full scope. Note: you need to pin it down to the repository level, there is no wildcard available. \n examples: repository:my-repository:pull,push repository:my-repository:pull \n see docs for details: https://docs.docker.com/registry/spec/auth/scope/"
type: string
tenantId:
description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
@@ -211,4 +134,16 @@ spec:
storage: true
subresources:
status: {}
+{{- if .Values.crds.conversion.enabled }}
+ conversion:
+ strategy: Webhook
+ webhook:
+ conversionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: {{ include "external-secrets.fullname" . }}-webhook
+ namespace: {{ .Release.Namespace | quote }}
+ path: /convert
+{{- end }}
{{- end }}
diff --git a/charts/external-secrets/templates/crds/clusterexternalsecret.yaml b/charts/external-secrets/templates/crds/clusterexternalsecret.yaml
index 33ecf1c..b71734e 100644
--- a/charts/external-secrets/templates/crds/clusterexternalsecret.yaml
+++ b/charts/external-secrets/templates/crds/clusterexternalsecret.yaml
@@ -9,15 +9,13 @@ metadata:
{{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
{{- end }}
- controller-gen.kubebuilder.io/version: v0.17.3
- labels:
- external-secrets.io/component: controller
+ controller-gen.kubebuilder.io/version: v0.13.0
name: clusterexternalsecrets.external-secrets.io
spec:
group: external-secrets.io
names:
categories:
- - external-secrets
+ - externalsecrets
kind: ClusterExternalSecret
listKind: ClusterExternalSecretList
plural: clusterexternalsecrets
@@ -36,25 +34,16 @@ spec:
- jsonPath: .status.conditions[?(@.type=="Ready")].status
name: Ready
type: string
- name: v1
+ name: v1beta1
schema:
openAPIV3Schema:
description: ClusterExternalSecret is the Schema for the clusterexternalsecrets API.
properties:
apiVersion:
- description: |-
- APIVersion defines the versioned schema of this representation of an object.
- Servers should convert recognized schemas to the latest internal value, and
- may reject unrecognized values.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
- description: |-
- Kind is a string value representing the REST resource this object represents.
- Servers may infer this from the endpoint the client submits requests to.
- Cannot be updated.
- In CamelCase.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
@@ -74,12 +63,7 @@ spec:
type: object
type: object
externalSecretName:
- description: |-
- The name of the external secrets to be created.
- Defaults to the name of the ClusterExternalSecret
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ description: The name of the external secrets to be created defaults to the name of the ClusterExternalSecret
type: string
externalSecretSpec:
description: The spec for the ExternalSecrets to be created
@@ -90,9 +74,7 @@ spec:
description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data.
properties:
remoteRef:
- description: |-
- RemoteRef points to the remote secret and defines
- which secret (version/property/..) to fetch.
+ description: RemoteRef points to the remote secret and defines which secret (version/property/..) to fetch.
properties:
conversionStrategy:
default: Default
@@ -130,51 +112,24 @@ spec:
- key
type: object
secretKey:
- description: The key in the Kubernetes Secret to store the value.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: SecretKey defines the key in which the controller stores the value. This is the key in the Kind=Secret
type: string
sourceRef:
- description: |-
- SourceRef allows you to override the source
- from which the value will be pulled.
+ description: SourceRef allows you to override the source from which the value will pulled from.
maxProperties: 1
- minProperties: 1
properties:
generatorRef:
- description: |-
- GeneratorRef points to a generator custom resource.
-
- Deprecated: The generatorRef is not implemented in .data[].
- this will be removed with v1.
+ description: "GeneratorRef points to a generator custom resource. \n Deprecated: The generatorRef is not implemented in .data[]. this will be removed with v1."
properties:
apiVersion:
default: generators.external-secrets.io/v1alpha1
description: Specify the apiVersion of the generator resource
type: string
kind:
- description: Specify the Kind of the generator resource
- enum:
- - ACRAccessToken
- - ClusterGenerator
- - ECRAuthorizationToken
- - Fake
- - GCRAccessToken
- - GithubAccessToken
- - QuayAccessToken
- - Password
- - STSSessionToken
- - UUID
- - VaultDynamicSecret
- - Webhook
- - Grafana
+ description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc.
type: string
name:
description: Specify the name of the generator resource
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
required:
- kind
@@ -184,19 +139,13 @@ spec:
description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
properties:
kind:
- description: |-
- Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
- Defaults to `SecretStore`
- enum:
- - SecretStore
- - ClusterSecretStore
+ description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore`
type: string
name:
description: Name of the SecretStore resource
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
+ required:
+ - name
type: object
type: object
required:
@@ -205,15 +154,11 @@ spec:
type: object
type: array
dataFrom:
- description: |-
- DataFrom is used to fetch all properties from a specific Provider data
- If multiple entries are specified, the Secret keys are merged in the specified order
+ description: DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order
items:
properties:
extract:
- description: |-
- Used to extract multiple key/value pairs from one secret
- Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
+ description: 'Used to extract multiple key/value pairs from one secret Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.'
properties:
conversionStrategy:
default: Default
@@ -251,9 +196,7 @@ spec:
- key
type: object
find:
- description: |-
- Used to find secrets based on tags or regular expressions
- Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
+ description: 'Used to find secrets based on tags or regular expressions Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.'
properties:
conversionStrategy:
default: Default
@@ -288,15 +231,11 @@ spec:
type: object
type: object
rewrite:
- description: |-
- Used to rewrite secret Keys after getting them from the secret Provider
- Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
+ description: Used to rewrite secret Keys after getting them from the secret Provider Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
items:
properties:
regexp:
- description: |-
- Used to rewrite with regular expressions.
- The resulting key will be the output of a regexp.ReplaceAll operation.
+ description: Used to rewrite with regular expressions. The resulting key will be the output of a regexp.ReplaceAll operation.
properties:
source:
description: Used to define the regular expression of a re.Compiler.
@@ -309,14 +248,10 @@ spec:
- target
type: object
transform:
- description: |-
- Used to apply string transformation on the secrets.
- The resulting key will be the output of the template applied by the operation.
+ description: Used to apply string transformation on the secrets. The resulting key will be the output of the template applied by the operation.
properties:
template:
- description: |-
- Used to define the template to apply on the secret name.
- `.value ` will specify the secret name in the template.
+ description: Used to define the template to apply on the secret name. `.value ` will specify the secret name in the template.
type: string
required:
- template
@@ -324,15 +259,8 @@ spec:
type: object
type: array
sourceRef:
- description: |-
- SourceRef points to a store or generator
- which contains secret values ready to use.
- Use this in combination with Extract or Find pull values out of
- a specific SecretStore.
- When sourceRef points to a generator Extract or Find is not supported.
- The generator returns a static map of values
+ description: SourceRef points to a store or generator which contains secret values ready to use. Use this in combination with Extract or Find pull values out of a specific SecretStore. When sourceRef points to a generator Extract or Find is not supported. The generator returns a static map of values
maxProperties: 1
- minProperties: 1
properties:
generatorRef:
description: GeneratorRef points to a generator custom resource.
@@ -342,27 +270,10 @@ spec:
description: Specify the apiVersion of the generator resource
type: string
kind:
- description: Specify the Kind of the generator resource
- enum:
- - ACRAccessToken
- - ClusterGenerator
- - ECRAuthorizationToken
- - Fake
- - GCRAccessToken
- - GithubAccessToken
- - QuayAccessToken
- - Password
- - STSSessionToken
- - UUID
- - VaultDynamicSecret
- - Webhook
- - Grafana
+ description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc.
type: string
name:
description: Specify the name of the generator resource
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
required:
- kind
@@ -372,75 +283,42 @@ spec:
description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
properties:
kind:
- description: |-
- Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
- Defaults to `SecretStore`
- enum:
- - SecretStore
- - ClusterSecretStore
+ description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore`
type: string
name:
description: Name of the SecretStore resource
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
+ required:
+ - name
type: object
type: object
type: object
type: array
refreshInterval:
default: 1h
- description: |-
- RefreshInterval is the amount of time before the values are read again from the SecretStore provider,
- specified as Golang Duration strings.
- Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
- Example values: "1h", "2h30m", "10s"
- May be set to zero to fetch and create it once. Defaults to 1h.
- type: string
- refreshPolicy:
- description: |-
- RefreshPolicy determines how the ExternalSecret should be refreshed:
- - CreatedOnce: Creates the Secret only if it does not exist and does not update it thereafter
- - Periodic: Synchronizes the Secret from the external source at regular intervals specified by refreshInterval.
- No periodic updates occur if refreshInterval is 0.
- - OnChange: Only synchronizes the Secret when the ExternalSecret's metadata or specification changes
- enum:
- - CreatedOnce
- - Periodic
- - OnChange
+ description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to fetch and create it once. Defaults to 1h.
type: string
secretStoreRef:
description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
properties:
kind:
- description: |-
- Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
- Defaults to `SecretStore`
- enum:
- - SecretStore
- - ClusterSecretStore
+ description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore`
type: string
name:
description: Name of the SecretStore resource
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
+ required:
+ - name
type: object
target:
default:
creationPolicy: Owner
deletionPolicy: Retain
- description: |-
- ExternalSecretTarget defines the Kubernetes Secret to be created
- There can be only one target per ExternalSecret.
+ description: ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret.
properties:
creationPolicy:
default: Owner
- description: |-
- CreationPolicy defines rules on how to create the resulting Secret.
- Defaults to "Owner"
+ description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner'
enum:
- Owner
- Orphan
@@ -449,9 +327,7 @@ spec:
type: string
deletionPolicy:
default: Retain
- description: |-
- DeletionPolicy defines rules on how to delete the resulting Secret.
- Defaults to "Retain"
+ description: DeletionPolicy defines rules on how to delete the resulting Secret Defaults to 'Retain'
enum:
- Delete
- Merge
@@ -461,12 +337,7 @@ spec:
description: Immutable defines if the final secret will be immutable
type: boolean
name:
- description: |-
- The name of the Secret resource to be managed.
- Defaults to the .metadata.name of the ExternalSecret resource
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ description: Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource
type: string
template:
description: Template defines a blueprint for the created Secret resource.
@@ -477,11 +348,9 @@ spec:
type: object
engineVersion:
default: v2
- description: |-
- EngineVersion specifies the template engine version
- that should be used to compile/execute the
- template specified in .data and .templateFrom[].
+ description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[].
enum:
+ - v1
- v2
type: string
mergePolicy:
@@ -508,14 +377,9 @@ spec:
configMap:
properties:
items:
- description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
items:
properties:
key:
- description: A key in the ConfigMap/Secret
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
type: string
templateAs:
default: Values
@@ -528,10 +392,6 @@ spec:
type: object
type: array
name:
- description: The name of the ConfigMap/Secret resource
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
required:
- items
@@ -542,14 +402,9 @@ spec:
secret:
properties:
items:
- description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
items:
properties:
key:
- description: A key in the ConfigMap/Secret
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
type: string
templateAs:
default: Values
@@ -562,10 +417,6 @@ spec:
type: object
type: array
name:
- description: The name of the ConfigMap/Secret resource
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
required:
- items
@@ -586,109 +437,39 @@ spec:
type: object
type: object
namespaceSelector:
- description: |-
- The labels to select by to find the Namespaces to create the ExternalSecrets in.
- Deprecated: Use NamespaceSelectors instead.
+ description: The labels to select by to find the Namespaces to create the ExternalSecrets in.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
+ description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
+ description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
+ description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
items:
type: string
type: array
- x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
- x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
+ description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
- namespaceSelectors:
- description: A list of labels to select by to find the Namespaces to create the ExternalSecrets in. The selectors are ORed.
- items:
- description: |-
- A label selector is a label query over a set of resources. The result of matchLabels and
- matchExpressions are ANDed. An empty label selector matches all objects. A null
- label selector matches no objects.
- properties:
- matchExpressions:
- description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the selector applies to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- required:
- - key
- - operator
- type: object
- type: array
- x-kubernetes-list-type: atomic
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- type: array
namespaces:
- description: |-
- Choose namespaces by name. This field is ORed with anything that NamespaceSelectors ends up choosing.
- Deprecated: Use NamespaceSelectors instead.
+ description: Choose namespaces by name. This field is ORed with anything that NamespaceSelector ends up choosing.
items:
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
type: array
refreshTime:
@@ -743,721 +524,16 @@ spec:
storage: true
subresources:
status: {}
- - additionalPrinterColumns:
- - jsonPath: .spec.externalSecretSpec.secretStoreRef.name
- name: Store
- type: string
- - jsonPath: .spec.refreshTime
- name: Refresh Interval
- type: string
- - jsonPath: .status.conditions[?(@.type=="Ready")].status
- name: Ready
- type: string
- name: v1beta1
- schema:
- openAPIV3Schema:
- description: ClusterExternalSecret is the Schema for the clusterexternalsecrets API.
- properties:
- apiVersion:
- description: |-
- APIVersion defines the versioned schema of this representation of an object.
- Servers should convert recognized schemas to the latest internal value, and
- may reject unrecognized values.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
- type: string
- kind:
- description: |-
- Kind is a string value representing the REST resource this object represents.
- Servers may infer this from the endpoint the client submits requests to.
- Cannot be updated.
- In CamelCase.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
- type: string
- metadata:
- type: object
- spec:
- description: ClusterExternalSecretSpec defines the desired state of ClusterExternalSecret.
- properties:
- externalSecretMetadata:
- description: The metadata of the external secrets to be created
- properties:
- annotations:
- additionalProperties:
- type: string
- type: object
- labels:
- additionalProperties:
- type: string
- type: object
- type: object
- externalSecretName:
- description: |-
- The name of the external secrets to be created.
- Defaults to the name of the ClusterExternalSecret
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- externalSecretSpec:
- description: The spec for the ExternalSecrets to be created
- properties:
- data:
- description: Data defines the connection between the Kubernetes Secret keys and the Provider data
- items:
- description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data.
- properties:
- remoteRef:
- description: |-
- RemoteRef points to the remote secret and defines
- which secret (version/property/..) to fetch.
- properties:
- conversionStrategy:
- default: Default
- description: Used to define a conversion Strategy
- enum:
- - Default
- - Unicode
- type: string
- decodingStrategy:
- default: None
- description: Used to define a decoding Strategy
- enum:
- - Auto
- - Base64
- - Base64URL
- - None
- type: string
- key:
- description: Key is the key used in the Provider, mandatory
- type: string
- metadataPolicy:
- default: None
- description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
- enum:
- - None
- - Fetch
- type: string
- property:
- description: Used to select a specific property of the Provider value (if a map), if supported
- type: string
- version:
- description: Used to select a specific version of the Provider value, if supported
- type: string
- required:
- - key
- type: object
- secretKey:
- description: The key in the Kubernetes Secret to store the value.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- sourceRef:
- description: |-
- SourceRef allows you to override the source
- from which the value will be pulled.
- maxProperties: 1
- minProperties: 1
- properties:
- generatorRef:
- description: |-
- GeneratorRef points to a generator custom resource.
-
- Deprecated: The generatorRef is not implemented in .data[].
- this will be removed with v1.
- properties:
- apiVersion:
- default: generators.external-secrets.io/v1alpha1
- description: Specify the apiVersion of the generator resource
- type: string
- kind:
- description: Specify the Kind of the generator resource
- enum:
- - ACRAccessToken
- - ClusterGenerator
- - ECRAuthorizationToken
- - Fake
- - GCRAccessToken
- - GithubAccessToken
- - QuayAccessToken
- - Password
- - STSSessionToken
- - UUID
- - VaultDynamicSecret
- - Webhook
- - Grafana
- type: string
- name:
- description: Specify the name of the generator resource
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- required:
- - kind
- - name
- type: object
- storeRef:
- description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
- properties:
- kind:
- description: |-
- Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
- Defaults to `SecretStore`
- enum:
- - SecretStore
- - ClusterSecretStore
- type: string
- name:
- description: Name of the SecretStore resource
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- type: object
- type: object
- required:
- - remoteRef
- - secretKey
- type: object
- type: array
- dataFrom:
- description: |-
- DataFrom is used to fetch all properties from a specific Provider data
- If multiple entries are specified, the Secret keys are merged in the specified order
- items:
- properties:
- extract:
- description: |-
- Used to extract multiple key/value pairs from one secret
- Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
- properties:
- conversionStrategy:
- default: Default
- description: Used to define a conversion Strategy
- enum:
- - Default
- - Unicode
- type: string
- decodingStrategy:
- default: None
- description: Used to define a decoding Strategy
- enum:
- - Auto
- - Base64
- - Base64URL
- - None
- type: string
- key:
- description: Key is the key used in the Provider, mandatory
- type: string
- metadataPolicy:
- default: None
- description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
- enum:
- - None
- - Fetch
- type: string
- property:
- description: Used to select a specific property of the Provider value (if a map), if supported
- type: string
- version:
- description: Used to select a specific version of the Provider value, if supported
- type: string
- required:
- - key
- type: object
- find:
- description: |-
- Used to find secrets based on tags or regular expressions
- Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
- properties:
- conversionStrategy:
- default: Default
- description: Used to define a conversion Strategy
- enum:
- - Default
- - Unicode
- type: string
- decodingStrategy:
- default: None
- description: Used to define a decoding Strategy
- enum:
- - Auto
- - Base64
- - Base64URL
- - None
- type: string
- name:
- description: Finds secrets based on the name.
- properties:
- regexp:
- description: Finds secrets base
- type: string
- type: object
- path:
- description: A root path to start the find operations.
- type: string
- tags:
- additionalProperties:
- type: string
- description: Find secrets based on tags.
- type: object
- type: object
- rewrite:
- description: |-
- Used to rewrite secret Keys after getting them from the secret Provider
- Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
- items:
- properties:
- regexp:
- description: |-
- Used to rewrite with regular expressions.
- The resulting key will be the output of a regexp.ReplaceAll operation.
- properties:
- source:
- description: Used to define the regular expression of a re.Compiler.
- type: string
- target:
- description: Used to define the target pattern of a ReplaceAll operation.
- type: string
- required:
- - source
- - target
- type: object
- transform:
- description: |-
- Used to apply string transformation on the secrets.
- The resulting key will be the output of the template applied by the operation.
- properties:
- template:
- description: |-
- Used to define the template to apply on the secret name.
- `.value ` will specify the secret name in the template.
- type: string
- required:
- - template
- type: object
- type: object
- type: array
- sourceRef:
- description: |-
- SourceRef points to a store or generator
- which contains secret values ready to use.
- Use this in combination with Extract or Find pull values out of
- a specific SecretStore.
- When sourceRef points to a generator Extract or Find is not supported.
- The generator returns a static map of values
- maxProperties: 1
- minProperties: 1
- properties:
- generatorRef:
- description: GeneratorRef points to a generator custom resource.
- properties:
- apiVersion:
- default: generators.external-secrets.io/v1alpha1
- description: Specify the apiVersion of the generator resource
- type: string
- kind:
- description: Specify the Kind of the generator resource
- enum:
- - ACRAccessToken
- - ClusterGenerator
- - ECRAuthorizationToken
- - Fake
- - GCRAccessToken
- - GithubAccessToken
- - QuayAccessToken
- - Password
- - STSSessionToken
- - UUID
- - VaultDynamicSecret
- - Webhook
- - Grafana
- type: string
- name:
- description: Specify the name of the generator resource
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- required:
- - kind
- - name
- type: object
- storeRef:
- description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
- properties:
- kind:
- description: |-
- Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
- Defaults to `SecretStore`
- enum:
- - SecretStore
- - ClusterSecretStore
- type: string
- name:
- description: Name of the SecretStore resource
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- type: object
- type: object
- type: object
- type: array
- refreshInterval:
- default: 1h
- description: |-
- RefreshInterval is the amount of time before the values are read again from the SecretStore provider,
- specified as Golang Duration strings.
- Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
- Example values: "1h", "2h30m", "10s"
- May be set to zero to fetch and create it once. Defaults to 1h.
- type: string
- refreshPolicy:
- description: |-
- RefreshPolicy determines how the ExternalSecret should be refreshed:
- - CreatedOnce: Creates the Secret only if it does not exist and does not update it thereafter
- - Periodic: Synchronizes the Secret from the external source at regular intervals specified by refreshInterval.
- No periodic updates occur if refreshInterval is 0.
- - OnChange: Only synchronizes the Secret when the ExternalSecret's metadata or specification changes
- enum:
- - CreatedOnce
- - Periodic
- - OnChange
- type: string
- secretStoreRef:
- description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
- properties:
- kind:
- description: |-
- Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
- Defaults to `SecretStore`
- enum:
- - SecretStore
- - ClusterSecretStore
- type: string
- name:
- description: Name of the SecretStore resource
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- type: object
- target:
- default:
- creationPolicy: Owner
- deletionPolicy: Retain
- description: |-
- ExternalSecretTarget defines the Kubernetes Secret to be created
- There can be only one target per ExternalSecret.
- properties:
- creationPolicy:
- default: Owner
- description: |-
- CreationPolicy defines rules on how to create the resulting Secret.
- Defaults to "Owner"
- enum:
- - Owner
- - Orphan
- - Merge
- - None
- type: string
- deletionPolicy:
- default: Retain
- description: |-
- DeletionPolicy defines rules on how to delete the resulting Secret.
- Defaults to "Retain"
- enum:
- - Delete
- - Merge
- - Retain
- type: string
- immutable:
- description: Immutable defines if the final secret will be immutable
- type: boolean
- name:
- description: |-
- The name of the Secret resource to be managed.
- Defaults to the .metadata.name of the ExternalSecret resource
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- template:
- description: Template defines a blueprint for the created Secret resource.
- properties:
- data:
- additionalProperties:
- type: string
- type: object
- engineVersion:
- default: v2
- description: |-
- EngineVersion specifies the template engine version
- that should be used to compile/execute the
- template specified in .data and .templateFrom[].
- enum:
- - v2
- type: string
- mergePolicy:
- default: Replace
- enum:
- - Replace
- - Merge
- type: string
- metadata:
- description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
- properties:
- annotations:
- additionalProperties:
- type: string
- type: object
- labels:
- additionalProperties:
- type: string
- type: object
- type: object
- templateFrom:
- items:
- properties:
- configMap:
- properties:
- items:
- description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
- items:
- properties:
- key:
- description: A key in the ConfigMap/Secret
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- templateAs:
- default: Values
- enum:
- - Values
- - KeysAndValues
- type: string
- required:
- - key
- type: object
- type: array
- name:
- description: The name of the ConfigMap/Secret resource
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- required:
- - items
- - name
- type: object
- literal:
- type: string
- secret:
- properties:
- items:
- description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
- items:
- properties:
- key:
- description: A key in the ConfigMap/Secret
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- templateAs:
- default: Values
- enum:
- - Values
- - KeysAndValues
- type: string
- required:
- - key
- type: object
- type: array
- name:
- description: The name of the ConfigMap/Secret resource
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- required:
- - items
- - name
- type: object
- target:
- default: Data
- enum:
- - Data
- - Annotations
- - Labels
- type: string
- type: object
- type: array
- type:
- type: string
- type: object
- type: object
- type: object
- namespaceSelector:
- description: |-
- The labels to select by to find the Namespaces to create the ExternalSecrets in.
- Deprecated: Use NamespaceSelectors instead.
- properties:
- matchExpressions:
- description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the selector applies to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- required:
- - key
- - operator
- type: object
- type: array
- x-kubernetes-list-type: atomic
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- namespaceSelectors:
- description: A list of labels to select by to find the Namespaces to create the ExternalSecrets in. The selectors are ORed.
- items:
- description: |-
- A label selector is a label query over a set of resources. The result of matchLabels and
- matchExpressions are ANDed. An empty label selector matches all objects. A null
- label selector matches no objects.
- properties:
- matchExpressions:
- description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the selector applies to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- required:
- - key
- - operator
- type: object
- type: array
- x-kubernetes-list-type: atomic
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- type: array
- namespaces:
- description: |-
- Choose namespaces by name. This field is ORed with anything that NamespaceSelectors ends up choosing.
- Deprecated: Use NamespaceSelectors instead.
- items:
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: array
- refreshTime:
- description: The time in which the controller should reconcile its objects and recheck namespaces for labels.
- type: string
- required:
- - externalSecretSpec
- type: object
- status:
- description: ClusterExternalSecretStatus defines the observed state of ClusterExternalSecret.
- properties:
- conditions:
- items:
- properties:
- message:
- type: string
- status:
- type: string
- type:
- type: string
- required:
- - status
- - type
- type: object
- type: array
- externalSecretName:
- description: ExternalSecretName is the name of the ExternalSecrets created by the ClusterExternalSecret
- type: string
- failedNamespaces:
- description: Failed namespaces are the namespaces that failed to apply an ExternalSecret
- items:
- description: ClusterExternalSecretNamespaceFailure represents a failed namespace deployment and it's reason.
- properties:
- namespace:
- description: Namespace is the namespace that failed when trying to apply an ExternalSecret
- type: string
- reason:
- description: Reason is why the ExternalSecret failed to apply to the namespace
- type: string
- required:
- - namespace
- type: object
- type: array
- provisionedNamespaces:
- description: ProvisionedNamespaces are the namespaces where the ClusterExternalSecret has secrets
- items:
- type: string
- type: array
- type: object
- type: object
- served: true
- storage: false
- subresources:
- status: {}
+{{- if .Values.crds.conversion.enabled }}
+ conversion:
+ strategy: Webhook
+ webhook:
+ conversionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: {{ include "external-secrets.fullname" . }}-webhook
+ namespace: {{ .Release.Namespace | quote }}
+ path: /convert
+{{- end }}
{{- end }}
diff --git a/charts/external-secrets/templates/crds/clustergenerator.yaml b/charts/external-secrets/templates/crds/clustergenerator.yaml
deleted file mode 100644
index a554443..0000000
--- a/charts/external-secrets/templates/crds/clustergenerator.yaml
+++ /dev/null
@@ -1,1837 +0,0 @@
-{{- if and (.Values.installCRDs) (.Values.crds.createClusterGenerator) }}
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- annotations:
- {{- with .Values.crds.annotations }}
- {{- toYaml . | nindent 4}}
- {{- end }}
- {{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
- cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
- {{- end }}
- controller-gen.kubebuilder.io/version: v0.17.3
- labels:
- external-secrets.io/component: controller
- name: clustergenerators.generators.external-secrets.io
-spec:
- group: generators.external-secrets.io
- names:
- categories:
- - external-secrets
- - external-secrets-generators
- kind: ClusterGenerator
- listKind: ClusterGeneratorList
- plural: clustergenerators
- singular: clustergenerator
- scope: Cluster
- versions:
- - name: v1alpha1
- schema:
- openAPIV3Schema:
- description: ClusterGenerator represents a cluster-wide generator which can be referenced as part of `generatorRef` fields.
- properties:
- apiVersion:
- description: |-
- APIVersion defines the versioned schema of this representation of an object.
- Servers should convert recognized schemas to the latest internal value, and
- may reject unrecognized values.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
- type: string
- kind:
- description: |-
- Kind is a string value representing the REST resource this object represents.
- Servers may infer this from the endpoint the client submits requests to.
- Cannot be updated.
- In CamelCase.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
- type: string
- metadata:
- type: object
- spec:
- properties:
- generator:
- description: Generator the spec for this generator, must match the kind.
- maxProperties: 1
- minProperties: 1
- properties:
- acrAccessTokenSpec:
- description: |-
- ACRAccessTokenSpec defines how to generate the access token
- e.g. how to authenticate and which registry to use.
- see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview
- properties:
- auth:
- properties:
- managedIdentity:
- description: ManagedIdentity uses Azure Managed Identity to authenticate with Azure.
- properties:
- identityId:
- description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
- type: string
- type: object
- servicePrincipal:
- description: ServicePrincipal uses Azure Service Principal credentials to authenticate with Azure.
- properties:
- secretRef:
- description: |-
- Configuration used to authenticate with Azure using static
- credentials stored in a Kind=Secret.
- properties:
- clientId:
- description: The Azure clientId of the service principle used for authentication.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- clientSecret:
- description: The Azure ClientSecret of the service principle used for authentication.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- required:
- - secretRef
- type: object
- workloadIdentity:
- description: WorkloadIdentity uses Azure Workload Identity to authenticate with Azure.
- properties:
- serviceAccountRef:
- description: |-
- ServiceAccountRef specified the service account
- that should be used when authenticating with WorkloadIdentity.
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- required:
- - name
- type: object
- type: object
- type: object
- environmentType:
- default: PublicCloud
- description: |-
- EnvironmentType specifies the Azure cloud environment endpoints to use for
- connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
- The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
- PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
- enum:
- - PublicCloud
- - USGovernmentCloud
- - ChinaCloud
- - GermanCloud
- type: string
- registry:
- description: |-
- the domain name of the ACR registry
- e.g. foobarexample.azurecr.io
- type: string
- scope:
- description: |-
- Define the scope for the access token, e.g. pull/push access for a repository.
- if not provided it will return a refresh token that has full scope.
- Note: you need to pin it down to the repository level, there is no wildcard available.
-
- examples:
- repository:my-repository:pull,push
- repository:my-repository:pull
-
- see docs for details: https://docs.docker.com/registry/spec/auth/scope/
- type: string
- tenantId:
- description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
- type: string
- required:
- - auth
- - registry
- type: object
- ecrAuthorizationTokenSpec:
- properties:
- auth:
- description: Auth defines how to authenticate with AWS
- properties:
- jwt:
- description: Authenticate against AWS using service account tokens.
- properties:
- serviceAccountRef:
- description: A reference to a ServiceAccount resource.
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- required:
- - name
- type: object
- type: object
- secretRef:
- description: |-
- AWSAuthSecretRef holds secret references for AWS credentials
- both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
- properties:
- accessKeyIDSecretRef:
- description: The AccessKeyID is used for authentication
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- secretAccessKeySecretRef:
- description: The SecretAccessKey is used for authentication
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- sessionTokenSecretRef:
- description: |-
- The SessionToken used for authentication
- This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
- see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- type: object
- region:
- description: Region specifies the region to operate in.
- type: string
- role:
- description: |-
- You can assume a role before making calls to the
- desired AWS service.
- type: string
- scope:
- description: |-
- Scope specifies the ECR service scope.
- Valid options are private and public.
- type: string
- required:
- - region
- type: object
- fakeSpec:
- description: FakeSpec contains the static data.
- properties:
- controller:
- description: |-
- Used to select the correct ESO controller (think: ingress.ingressClassName)
- The ESO controller is instantiated with a specific controller name and filters VDS based on this property
- type: string
- data:
- additionalProperties:
- type: string
- description: |-
- Data defines the static data returned
- by this generator.
- type: object
- type: object
- gcrAccessTokenSpec:
- properties:
- auth:
- description: Auth defines the means for authenticating with GCP
- properties:
- secretRef:
- properties:
- secretAccessKeySecretRef:
- description: The SecretAccessKey is used for authentication
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- workloadIdentity:
- properties:
- clusterLocation:
- type: string
- clusterName:
- type: string
- clusterProjectID:
- type: string
- serviceAccountRef:
- description: A reference to a ServiceAccount resource.
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- required:
- - name
- type: object
- required:
- - clusterLocation
- - clusterName
- - serviceAccountRef
- type: object
- type: object
- projectID:
- description: ProjectID defines which project to use to authenticate with
- type: string
- required:
- - auth
- - projectID
- type: object
- githubAccessTokenSpec:
- properties:
- appID:
- type: string
- auth:
- description: Auth configures how ESO authenticates with a Github instance.
- properties:
- privateKey:
- properties:
- secretRef:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - secretRef
- type: object
- required:
- - privateKey
- type: object
- installID:
- type: string
- permissions:
- additionalProperties:
- type: string
- description: Map of permissions the token will have. If omitted, defaults to all permissions the GitHub App has.
- type: object
- repositories:
- description: |-
- List of repositories the token will have access to. If omitted, defaults to all repositories the GitHub App
- is installed to.
- items:
- type: string
- type: array
- url:
- description: URL configures the Github instance URL. Defaults to https://github.com/.
- type: string
- required:
- - appID
- - auth
- - installID
- type: object
- grafanaSpec:
- description: GrafanaSpec controls the behavior of the grafana generator.
- properties:
- auth:
- description: |-
- Auth is the authentication configuration to authenticate
- against the Grafana instance.
- properties:
- basic:
- description: |-
- Basic auth credentials used to authenticate against the Grafana instance.
- Note: you need a token which has elevated permissions to create service accounts.
- See here for the documentation on basic roles offered by Grafana:
- https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/
- properties:
- password:
- description: A basic auth password used to authenticate against the Grafana instance.
- properties:
- key:
- description: The key where the token is found.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- type: object
- username:
- description: A basic auth username used to authenticate against the Grafana instance.
- type: string
- required:
- - password
- - username
- type: object
- token:
- description: |-
- A service account token used to authenticate against the Grafana instance.
- Note: you need a token which has elevated permissions to create service accounts.
- See here for the documentation on basic roles offered by Grafana:
- https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/
- properties:
- key:
- description: The key where the token is found.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- type: object
- type: object
- serviceAccount:
- description: |-
- ServiceAccount is the configuration for the service account that
- is supposed to be generated by the generator.
- properties:
- name:
- description: Name is the name of the service account that will be created by ESO.
- type: string
- role:
- description: |-
- Role is the role of the service account.
- See here for the documentation on basic roles offered by Grafana:
- https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/
- type: string
- required:
- - name
- - role
- type: object
- url:
- description: URL is the URL of the Grafana instance.
- type: string
- required:
- - auth
- - serviceAccount
- - url
- type: object
- passwordSpec:
- description: PasswordSpec controls the behavior of the password generator.
- properties:
- allowRepeat:
- default: false
- description: set AllowRepeat to true to allow repeating characters.
- type: boolean
- digits:
- description: |-
- Digits specifies the number of digits in the generated
- password. If omitted it defaults to 25% of the length of the password
- type: integer
- length:
- default: 24
- description: |-
- Length of the password to be generated.
- Defaults to 24
- type: integer
- noUpper:
- default: false
- description: Set NoUpper to disable uppercase characters
- type: boolean
- symbolCharacters:
- description: |-
- SymbolCharacters specifies the special characters that should be used
- in the generated password.
- type: string
- symbols:
- description: |-
- Symbols specifies the number of symbol characters in the generated
- password. If omitted it defaults to 25% of the length of the password
- type: integer
- required:
- - allowRepeat
- - length
- - noUpper
- type: object
- quayAccessTokenSpec:
- properties:
- robotAccount:
- description: Name of the robot account you are federating with
- type: string
- serviceAccountRef:
- description: Name of the service account you are federating with
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- required:
- - name
- type: object
- url:
- description: URL configures the Quay instance URL. Defaults to quay.io.
- type: string
- required:
- - robotAccount
- - serviceAccountRef
- type: object
- stsSessionTokenSpec:
- properties:
- auth:
- description: Auth defines how to authenticate with AWS
- properties:
- jwt:
- description: Authenticate against AWS using service account tokens.
- properties:
- serviceAccountRef:
- description: A reference to a ServiceAccount resource.
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- required:
- - name
- type: object
- type: object
- secretRef:
- description: |-
- AWSAuthSecretRef holds secret references for AWS credentials
- both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
- properties:
- accessKeyIDSecretRef:
- description: The AccessKeyID is used for authentication
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- secretAccessKeySecretRef:
- description: The SecretAccessKey is used for authentication
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- sessionTokenSecretRef:
- description: |-
- The SessionToken used for authentication
- This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
- see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- type: object
- region:
- description: Region specifies the region to operate in.
- type: string
- requestParameters:
- description: RequestParameters contains parameters that can be passed to the STS service.
- properties:
- serialNumber:
- description: |-
- SerialNumber is the identification number of the MFA device that is associated with the IAM user who is making
- the GetSessionToken call.
- Possible values: hardware device (such as GAHT12345678) or an Amazon Resource Name (ARN) for a virtual device
- (such as arn:aws:iam::123456789012:mfa/user)
- type: string
- sessionDuration:
- description: |-
- SessionDuration The duration, in seconds, that the credentials should remain valid. Acceptable durations for
- IAM user sessions range from 900 seconds (15 minutes) to 129,600 seconds (36 hours), with 43,200 seconds
- (12 hours) as the default.
- format: int64
- type: integer
- tokenCode:
- description: TokenCode is the value provided by the MFA device, if MFA is required.
- type: string
- type: object
- role:
- description: |-
- You can assume a role before making calls to the
- desired AWS service.
- type: string
- required:
- - region
- type: object
- uuidSpec:
- description: UUIDSpec controls the behavior of the uuid generator.
- type: object
- vaultDynamicSecretSpec:
- properties:
- allowEmptyResponse:
- default: false
- description: Do not fail if no secrets are found. Useful for requests where no data is expected.
- type: boolean
- controller:
- description: |-
- Used to select the correct ESO controller (think: ingress.ingressClassName)
- The ESO controller is instantiated with a specific controller name and filters VDS based on this property
- type: string
- method:
- description: Vault API method to use (GET/POST/other)
- type: string
- parameters:
- description: Parameters to pass to Vault write (for non-GET methods)
- x-kubernetes-preserve-unknown-fields: true
- path:
- description: Vault path to obtain the dynamic secret from
- type: string
- provider:
- description: Vault provider common spec
- properties:
- auth:
- description: Auth configures how secret-manager authenticates with the Vault server.
- properties:
- appRole:
- description: |-
- AppRole authenticates with Vault using the App Role auth mechanism,
- with the role and secret stored in a Kubernetes Secret resource.
- properties:
- path:
- default: approle
- description: |-
- Path where the App Role authentication backend is mounted
- in Vault, e.g: "approle"
- type: string
- roleId:
- description: |-
- RoleID configured in the App Role authentication backend when setting
- up the authentication backend in Vault.
- type: string
- roleRef:
- description: |-
- Reference to a key in a Secret that contains the App Role ID used
- to authenticate with Vault.
- The `key` field must be specified and denotes which entry within the Secret
- resource is used as the app role id.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- secretRef:
- description: |-
- Reference to a key in a Secret that contains the App Role secret used
- to authenticate with Vault.
- The `key` field must be specified and denotes which entry within the Secret
- resource is used as the app role secret.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - path
- - secretRef
- type: object
- cert:
- description: |-
- Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
- Cert authentication method
- properties:
- clientCert:
- description: |-
- ClientCert is a certificate to authenticate using the Cert Vault
- authentication method
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- secretRef:
- description: |-
- SecretRef to a key in a Secret resource containing client private key to
- authenticate with Vault using the Cert authentication method
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- iam:
- description: |-
- Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials
- AWS IAM authentication method
- properties:
- externalID:
- description: AWS External ID set on assumed IAM roles
- type: string
- jwt:
- description: Specify a service account with IRSA enabled
- properties:
- serviceAccountRef:
- description: A reference to a ServiceAccount resource.
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- required:
- - name
- type: object
- type: object
- path:
- description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
- type: string
- region:
- description: AWS region
- type: string
- role:
- description: This is the AWS role to be assumed before talking to vault
- type: string
- secretRef:
- description: Specify credentials in a Secret object
- properties:
- accessKeyIDSecretRef:
- description: The AccessKeyID is used for authentication
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- secretAccessKeySecretRef:
- description: The SecretAccessKey is used for authentication
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- sessionTokenSecretRef:
- description: |-
- The SessionToken used for authentication
- This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
- see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- vaultAwsIamServerID:
- description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
- type: string
- vaultRole:
- description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine
- type: string
- required:
- - vaultRole
- type: object
- jwt:
- description: |-
- Jwt authenticates with Vault by passing role and JWT token using the
- JWT/OIDC authentication method
- properties:
- kubernetesServiceAccountToken:
- description: |-
- Optional ServiceAccountToken specifies the Kubernetes service account for which to request
- a token for with the `TokenRequest` API.
- properties:
- audiences:
- description: |-
- Optional audiences field that will be used to request a temporary Kubernetes service
- account token for the service account referenced by `serviceAccountRef`.
- Defaults to a single audience `vault` it not specified.
- Deprecated: use serviceAccountRef.Audiences instead
- items:
- type: string
- type: array
- expirationSeconds:
- description: |-
- Optional expiration time in seconds that will be used to request a temporary
- Kubernetes service account token for the service account referenced by
- `serviceAccountRef`.
- Deprecated: this will be removed in the future.
- Defaults to 10 minutes.
- format: int64
- type: integer
- serviceAccountRef:
- description: Service account field containing the name of a kubernetes ServiceAccount.
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- required:
- - name
- type: object
- required:
- - serviceAccountRef
- type: object
- path:
- default: jwt
- description: |-
- Path where the JWT authentication backend is mounted
- in Vault, e.g: "jwt"
- type: string
- role:
- description: |-
- Role is a JWT role to authenticate using the JWT/OIDC Vault
- authentication method
- type: string
- secretRef:
- description: |-
- Optional SecretRef that refers to a key in a Secret resource containing JWT token to
- authenticate with Vault using the JWT/OIDC authentication method.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - path
- type: object
- kubernetes:
- description: |-
- Kubernetes authenticates with Vault by passing the ServiceAccount
- token stored in the named Secret resource to the Vault server.
- properties:
- mountPath:
- default: kubernetes
- description: |-
- Path where the Kubernetes authentication backend is mounted in Vault, e.g:
- "kubernetes"
- type: string
- role:
- description: |-
- A required field containing the Vault Role to assume. A Role binds a
- Kubernetes ServiceAccount with a set of Vault policies.
- type: string
- secretRef:
- description: |-
- Optional secret field containing a Kubernetes ServiceAccount JWT used
- for authenticating with Vault. If a name is specified without a key,
- `token` is the default. If one is not specified, the one bound to
- the controller will be used.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- serviceAccountRef:
- description: |-
- Optional service account field containing the name of a kubernetes ServiceAccount.
- If the service account is specified, the service account secret token JWT will be used
- for authenticating with Vault. If the service account selector is not supplied,
- the secretRef will be used instead.
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- required:
- - name
- type: object
- required:
- - mountPath
- - role
- type: object
- ldap:
- description: |-
- Ldap authenticates with Vault by passing username/password pair using
- the LDAP authentication method
- properties:
- path:
- default: ldap
- description: |-
- Path where the LDAP authentication backend is mounted
- in Vault, e.g: "ldap"
- type: string
- secretRef:
- description: |-
- SecretRef to a key in a Secret resource containing password for the LDAP
- user used to authenticate with Vault using the LDAP authentication
- method
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- username:
- description: |-
- Username is an LDAP username used to authenticate using the LDAP Vault
- authentication method
- type: string
- required:
- - path
- - username
- type: object
- namespace:
- description: |-
- Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in.
- Namespaces is a set of features within Vault Enterprise that allows
- Vault environments to support Secure Multi-tenancy. e.g: "ns1".
- More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
- This will default to Vault.Namespace field if set, or empty otherwise
- type: string
- tokenSecretRef:
- description: TokenSecretRef authenticates with Vault by presenting a token.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- userPass:
- description: UserPass authenticates with Vault by passing username/password pair
- properties:
- path:
- default: userpass
- description: |-
- Path where the UserPassword authentication backend is mounted
- in Vault, e.g: "userpass"
- type: string
- secretRef:
- description: |-
- SecretRef to a key in a Secret resource containing password for the
- user used to authenticate with Vault using the UserPass authentication
- method
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- username:
- description: |-
- Username is a username used to authenticate using the UserPass Vault
- authentication method
- type: string
- required:
- - path
- - username
- type: object
- type: object
- caBundle:
- description: |-
- PEM encoded CA bundle used to validate Vault server certificate. Only used
- if the Server URL is using HTTPS protocol. This parameter is ignored for
- plain HTTP protocol connection. If not set the system root certificates
- are used to validate the TLS connection.
- format: byte
- type: string
- caProvider:
- description: The provider for the CA bundle to use to validate Vault server certificate.
- properties:
- key:
- description: The key where the CA certificate can be found in the Secret or ConfigMap.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the object located at the provider type.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace the Provider type is in.
- Can only be defined when used in a ClusterSecretStore.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type:
- description: The type of provider to use such as "Secret", or "ConfigMap".
- enum:
- - Secret
- - ConfigMap
- type: string
- required:
- - name
- - type
- type: object
- forwardInconsistent:
- description: |-
- ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
- leader instead of simply retrying within a loop. This can increase performance if
- the option is enabled serverside.
- https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
- type: boolean
- headers:
- additionalProperties:
- type: string
- description: Headers to be added in Vault request
- type: object
- namespace:
- description: |-
- Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
- Vault environments to support Secure Multi-tenancy. e.g: "ns1".
- More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
- type: string
- path:
- description: |-
- Path is the mount path of the Vault KV backend endpoint, e.g:
- "secret". The v2 KV secret engine version specific "/data" path suffix
- for fetching secrets from Vault is optional and will be appended
- if not present in specified path.
- type: string
- readYourWrites:
- description: |-
- ReadYourWrites ensures isolated read-after-write semantics by
- providing discovered cluster replication states in each request.
- More information about eventual consistency in Vault can be found here
- https://www.vaultproject.io/docs/enterprise/consistency
- type: boolean
- server:
- description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
- type: string
- tls:
- description: |-
- The configuration used for client side related TLS communication, when the Vault server
- requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
- This parameter is ignored for plain HTTP protocol connection.
- It's worth noting this configuration is different from the "TLS certificates auth method",
- which is available under the `auth.cert` section.
- properties:
- certSecretRef:
- description: |-
- CertSecretRef is a certificate added to the transport layer
- when communicating with the Vault server.
- If no key for the Secret is specified, external-secret will default to 'tls.crt'.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- keySecretRef:
- description: |-
- KeySecretRef to a key in a Secret resource containing client private key
- added to the transport layer when communicating with the Vault server.
- If no key for the Secret is specified, external-secret will default to 'tls.key'.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- version:
- default: v2
- description: |-
- Version is the Vault KV secret engine version. This can be either "v1" or
- "v2". Version defaults to "v2".
- enum:
- - v1
- - v2
- type: string
- required:
- - server
- type: object
- resultType:
- default: Data
- description: |-
- Result type defines which data is returned from the generator.
- By default it is the "data" section of the Vault API response.
- When using e.g. /auth/token/create the "data" section is empty but
- the "auth" section contains the generated token.
- Please refer to the vault docs regarding the result data structure.
- Additionally, accessing the raw response is possibly by using "Raw" result type.
- enum:
- - Data
- - Auth
- - Raw
- type: string
- retrySettings:
- description: Used to configure http retries if failed
- properties:
- maxRetries:
- format: int32
- type: integer
- retryInterval:
- type: string
- type: object
- required:
- - path
- - provider
- type: object
- webhookSpec:
- description: WebhookSpec controls the behavior of the external generator. Any body parameters should be passed to the server through the parameters field.
- properties:
- auth:
- description: Auth specifies a authorization protocol. Only one protocol may be set.
- maxProperties: 1
- minProperties: 1
- properties:
- ntlm:
- description: NTLMProtocol configures the store to use NTLM for auth
- properties:
- passwordSecret:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- usernameSecret:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - passwordSecret
- - usernameSecret
- type: object
- type: object
- body:
- description: Body
- type: string
- caBundle:
- description: |-
- PEM encoded CA bundle used to validate webhook server certificate. Only used
- if the Server URL is using HTTPS protocol. This parameter is ignored for
- plain HTTP protocol connection. If not set the system root certificates
- are used to validate the TLS connection.
- format: byte
- type: string
- caProvider:
- description: The provider for the CA bundle to use to validate webhook server certificate.
- properties:
- key:
- description: The key where the CA certificate can be found in the Secret or ConfigMap.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the object located at the provider type.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: The namespace the Provider type is in.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type:
- description: The type of provider to use such as "Secret", or "ConfigMap".
- enum:
- - Secret
- - ConfigMap
- type: string
- required:
- - name
- - type
- type: object
- headers:
- additionalProperties:
- type: string
- description: Headers
- type: object
- method:
- description: Webhook Method
- type: string
- result:
- description: Result formatting
- properties:
- jsonPath:
- description: Json path of return value
- type: string
- type: object
- secrets:
- description: |-
- Secrets to fill in templates
- These secrets will be passed to the templating function as key value pairs under the given name
- items:
- properties:
- name:
- description: Name of this secret in templates
- type: string
- secretRef:
- description: Secret ref to fill in credentials
- properties:
- key:
- description: The key where the token is found.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- type: object
- required:
- - name
- - secretRef
- type: object
- type: array
- timeout:
- description: Timeout
- type: string
- url:
- description: Webhook url to call
- type: string
- required:
- - result
- - url
- type: object
- type: object
- kind:
- description: Kind the kind of this generator.
- enum:
- - ACRAccessToken
- - ECRAuthorizationToken
- - Fake
- - GCRAccessToken
- - GithubAccessToken
- - QuayAccessToken
- - Password
- - STSSessionToken
- - UUID
- - VaultDynamicSecret
- - Webhook
- - Grafana
- type: string
- required:
- - generator
- - kind
- type: object
- type: object
- served: true
- storage: true
- subresources:
- status: {}
-{{- end }}
diff --git a/charts/external-secrets/templates/crds/clusterpushsecret.yaml b/charts/external-secrets/templates/crds/clusterpushsecret.yaml
deleted file mode 100644
index 93b39bf..0000000
--- a/charts/external-secrets/templates/crds/clusterpushsecret.yaml
+++ /dev/null
@@ -1,523 +0,0 @@
-{{- if and (.Values.installCRDs) (.Values.crds.createClusterPushSecret) }}
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- annotations:
- {{- with .Values.crds.annotations }}
- {{- toYaml . | nindent 4}}
- {{- end }}
- {{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
- cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
- {{- end }}
- controller-gen.kubebuilder.io/version: v0.17.3
- labels:
- external-secrets.io/component: controller
- name: clusterpushsecrets.external-secrets.io
-spec:
- group: external-secrets.io
- names:
- categories:
- - external-secrets
- kind: ClusterPushSecret
- listKind: ClusterPushSecretList
- plural: clusterpushsecrets
- singular: clusterpushsecret
- scope: Cluster
- versions:
- - additionalPrinterColumns:
- - jsonPath: .metadata.creationTimestamp
- name: AGE
- type: date
- - jsonPath: .status.conditions[?(@.type=="Ready")].reason
- name: Status
- type: string
- name: v1alpha1
- schema:
- openAPIV3Schema:
- properties:
- apiVersion:
- description: |-
- APIVersion defines the versioned schema of this representation of an object.
- Servers should convert recognized schemas to the latest internal value, and
- may reject unrecognized values.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
- type: string
- kind:
- description: |-
- Kind is a string value representing the REST resource this object represents.
- Servers may infer this from the endpoint the client submits requests to.
- Cannot be updated.
- In CamelCase.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
- type: string
- metadata:
- type: object
- spec:
- properties:
- namespaceSelectors:
- description: A list of labels to select by to find the Namespaces to create the ExternalSecrets in. The selectors are ORed.
- items:
- description: |-
- A label selector is a label query over a set of resources. The result of matchLabels and
- matchExpressions are ANDed. An empty label selector matches all objects. A null
- label selector matches no objects.
- properties:
- matchExpressions:
- description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the selector applies to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- required:
- - key
- - operator
- type: object
- type: array
- x-kubernetes-list-type: atomic
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- type: array
- pushSecretMetadata:
- description: The metadata of the external secrets to be created
- properties:
- annotations:
- additionalProperties:
- type: string
- type: object
- labels:
- additionalProperties:
- type: string
- type: object
- type: object
- pushSecretName:
- description: |-
- The name of the push secrets to be created.
- Defaults to the name of the ClusterPushSecret
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- pushSecretSpec:
- description: PushSecretSpec defines what to do with the secrets.
- properties:
- data:
- description: Secret Data that should be pushed to providers
- items:
- properties:
- conversionStrategy:
- default: None
- description: Used to define a conversion Strategy for the secret keys
- enum:
- - None
- - ReverseUnicode
- type: string
- match:
- description: Match a given Secret Key to be pushed to the provider.
- properties:
- remoteRef:
- description: Remote Refs to push to providers.
- properties:
- property:
- description: Name of the property in the resulting secret
- type: string
- remoteKey:
- description: Name of the resulting provider secret.
- type: string
- required:
- - remoteKey
- type: object
- secretKey:
- description: Secret Key to be pushed
- type: string
- required:
- - remoteRef
- type: object
- metadata:
- description: |-
- Metadata is metadata attached to the secret.
- The structure of metadata is provider specific, please look it up in the provider documentation.
- x-kubernetes-preserve-unknown-fields: true
- required:
- - match
- type: object
- type: array
- deletionPolicy:
- default: None
- description: Deletion Policy to handle Secrets in the provider.
- enum:
- - Delete
- - None
- type: string
- refreshInterval:
- default: 1h
- description: The Interval to which External Secrets will try to push a secret definition
- type: string
- secretStoreRefs:
- items:
- properties:
- kind:
- default: SecretStore
- description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
- enum:
- - SecretStore
- - ClusterSecretStore
- type: string
- labelSelector:
- description: Optionally, sync to secret stores with label selector
- properties:
- matchExpressions:
- description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the selector applies to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- required:
- - key
- - operator
- type: object
- type: array
- x-kubernetes-list-type: atomic
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- name:
- description: Optionally, sync to the SecretStore of the given name
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- type: object
- type: array
- selector:
- description: The Secret Selector (k8s source) for the Push Secret
- maxProperties: 1
- minProperties: 1
- properties:
- generatorRef:
- description: Point to a generator to create a Secret.
- properties:
- apiVersion:
- default: generators.external-secrets.io/v1alpha1
- description: Specify the apiVersion of the generator resource
- type: string
- kind:
- description: Specify the Kind of the generator resource
- enum:
- - ACRAccessToken
- - ClusterGenerator
- - ECRAuthorizationToken
- - Fake
- - GCRAccessToken
- - GithubAccessToken
- - QuayAccessToken
- - Password
- - STSSessionToken
- - UUID
- - VaultDynamicSecret
- - Webhook
- - Grafana
- type: string
- name:
- description: Specify the name of the generator resource
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- required:
- - kind
- - name
- type: object
- secret:
- description: Select a Secret to Push.
- properties:
- name:
- description: |-
- Name of the Secret.
- The Secret must exist in the same namespace as the PushSecret manifest.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- selector:
- description: Selector chooses secrets using a labelSelector.
- properties:
- matchExpressions:
- description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the selector applies to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- required:
- - key
- - operator
- type: object
- type: array
- x-kubernetes-list-type: atomic
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- type: object
- type: object
- template:
- description: Template defines a blueprint for the created Secret resource.
- properties:
- data:
- additionalProperties:
- type: string
- type: object
- engineVersion:
- default: v2
- description: |-
- EngineVersion specifies the template engine version
- that should be used to compile/execute the
- template specified in .data and .templateFrom[].
- enum:
- - v2
- type: string
- mergePolicy:
- default: Replace
- enum:
- - Replace
- - Merge
- type: string
- metadata:
- description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
- properties:
- annotations:
- additionalProperties:
- type: string
- type: object
- labels:
- additionalProperties:
- type: string
- type: object
- type: object
- templateFrom:
- items:
- properties:
- configMap:
- properties:
- items:
- description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
- items:
- properties:
- key:
- description: A key in the ConfigMap/Secret
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- templateAs:
- default: Values
- enum:
- - Values
- - KeysAndValues
- type: string
- required:
- - key
- type: object
- type: array
- name:
- description: The name of the ConfigMap/Secret resource
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- required:
- - items
- - name
- type: object
- literal:
- type: string
- secret:
- properties:
- items:
- description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
- items:
- properties:
- key:
- description: A key in the ConfigMap/Secret
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- templateAs:
- default: Values
- enum:
- - Values
- - KeysAndValues
- type: string
- required:
- - key
- type: object
- type: array
- name:
- description: The name of the ConfigMap/Secret resource
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- required:
- - items
- - name
- type: object
- target:
- default: Data
- enum:
- - Data
- - Annotations
- - Labels
- type: string
- type: object
- type: array
- type:
- type: string
- type: object
- updatePolicy:
- default: Replace
- description: UpdatePolicy to handle Secrets in the provider.
- enum:
- - Replace
- - IfNotExists
- type: string
- required:
- - secretStoreRefs
- - selector
- type: object
- refreshTime:
- description: The time in which the controller should reconcile its objects and recheck namespaces for labels.
- type: string
- required:
- - pushSecretSpec
- type: object
- status:
- properties:
- conditions:
- items:
- description: PushSecretStatusCondition indicates the status of the PushSecret.
- properties:
- lastTransitionTime:
- format: date-time
- type: string
- message:
- type: string
- reason:
- type: string
- status:
- type: string
- type:
- description: PushSecretConditionType indicates the condition of the PushSecret.
- type: string
- required:
- - status
- - type
- type: object
- type: array
- failedNamespaces:
- description: Failed namespaces are the namespaces that failed to apply an PushSecret
- items:
- description: ClusterPushSecretNamespaceFailure represents a failed namespace deployment and it's reason.
- properties:
- namespace:
- description: Namespace is the namespace that failed when trying to apply an PushSecret
- type: string
- reason:
- description: Reason is why the PushSecret failed to apply to the namespace
- type: string
- required:
- - namespace
- type: object
- type: array
- provisionedNamespaces:
- description: ProvisionedNamespaces are the namespaces where the ClusterPushSecret has secrets
- items:
- type: string
- type: array
- pushSecretName:
- type: string
- type: object
- type: object
- served: true
- storage: true
- subresources:
- status: {}
-{{- end }}
diff --git a/charts/external-secrets/templates/crds/clustersecretstore.yaml b/charts/external-secrets/templates/crds/clustersecretstore.yaml
index f9ed1b4..ea9ac26 100644
--- a/charts/external-secrets/templates/crds/clustersecretstore.yaml
+++ b/charts/external-secrets/templates/crds/clustersecretstore.yaml
@@ -9,15 +9,13 @@ metadata:
{{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
{{- end }}
- controller-gen.kubebuilder.io/version: v0.17.3
- labels:
- external-secrets.io/component: controller
+ controller-gen.kubebuilder.io/version: v0.13.0
name: clustersecretstores.external-secrets.io
spec:
group: external-secrets.io
names:
categories:
- - external-secrets
+ - externalsecrets
kind: ClusterSecretStore
listKind: ClusterSecretStoreList
plural: clustersecretstores
@@ -33,107 +31,25 @@ spec:
- jsonPath: .status.conditions[?(@.type=="Ready")].reason
name: Status
type: string
- - jsonPath: .status.capabilities
- name: Capabilities
- type: string
- - jsonPath: .status.conditions[?(@.type=="Ready")].status
- name: Ready
- type: string
- name: v1
+ deprecated: true
+ name: v1alpha1
schema:
openAPIV3Schema:
description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
properties:
apiVersion:
- description: |-
- APIVersion defines the versioned schema of this representation of an object.
- Servers should convert recognized schemas to the latest internal value, and
- may reject unrecognized values.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
- description: |-
- Kind is a string value representing the REST resource this object represents.
- Servers may infer this from the endpoint the client submits requests to.
- Cannot be updated.
- In CamelCase.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: SecretStoreSpec defines the desired state of SecretStore.
properties:
- conditions:
- description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore
- items:
- description: |-
- ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in
- for a ClusterSecretStore instance.
- properties:
- namespaceRegexes:
- description: Choose namespaces by using regex matching
- items:
- type: string
- type: array
- namespaceSelector:
- description: Choose namespace using a labelSelector
- properties:
- matchExpressions:
- description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the selector applies to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- required:
- - key
- - operator
- type: object
- type: array
- x-kubernetes-list-type: atomic
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- namespaces:
- description: Choose namespaces by name
- items:
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: array
- type: object
- type: array
controller:
- description: |-
- Used to select the correct ESO controller (think: ingress.ingressClassName)
- The ESO controller is instantiated with a specific controller name and filters ES based on this property
+ description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property'
type: string
provider:
description: Used to configure the provider. Only one provider may be set
@@ -150,9 +66,7 @@ spec:
description: Auth configures how the operator authenticates with Akeyless.
properties:
kubernetesAuth:
- description: |-
- Kubernetes authenticates with Akeyless by passing the ServiceAccount
- token stored in the named Secret resource.
+ description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource.
properties:
accessID:
description: the Akeyless Kubernetes auth-method access-id
@@ -161,63 +75,31 @@ spec:
description: Kubernetes-auth configuration name in Akeyless-Gateway
type: string
secretRef:
- description: |-
- Optional secret field containing a Kubernetes ServiceAccount JWT used
- for authenticating with Akeyless. If a name is specified without a key,
- `token` is the default. If one is not specified, the one bound to
- the controller will be used.
+ description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used.
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
serviceAccountRef:
- description: |-
- Optional service account field containing the name of a kubernetes ServiceAccount.
- If the service account is specified, the service account secret token JWT will be used
- for authenticating with Akeyless. If the service account selector is not supplied,
- the secretRef will be used instead.
+ description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead.
properties:
audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
+ description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
items:
type: string
type: array
name:
description: The name of the ServiceAccount resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- Namespace of the resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
required:
- name
@@ -227,123 +109,64 @@ spec:
- k8sConfName
type: object
secretRef:
- description: |-
- Reference to a Secret that contains the details
- to authenticate with Akeyless.
+ description: Reference to a Secret that contains the details to authenticate with Akeyless.
properties:
accessID:
description: The SecretAccessID is used for authentication
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
accessType:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
+ description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
accessTypeParam:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
+ description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
type: object
type: object
caBundle:
- description: |-
- PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used
- if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates
- are used to validate the TLS connection.
+ description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection.
format: byte
type: string
caProvider:
description: The provider for the CA bundle to use to validate Akeyless Gateway certificate.
properties:
key:
- description: The key where the CA certificate can be found in the Secret or ConfigMap.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key the value inside of the provider type to use, only used with "Secret" type
type: string
name:
description: The name of the object located at the provider type.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace the Provider type is in.
- Can only be defined when used in a ClusterSecretStore.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: The namespace the Provider type is in.
type: string
type:
description: The type of provider to use such as "Secret", or "ConfigMap".
@@ -389,52 +212,1219 @@ spec:
description: The AccessKeyID is used for authentication
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
accessKeySecretSecretRef:
description: The AccessKeySecret is used for authentication
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ required:
+ - accessKeyIDSecretRef
+ - accessKeySecretSecretRef
+ type: object
+ type: object
+ regionID:
+ description: Alibaba Region to be used for the provider
+ type: string
+ required:
+ - auth
+ - regionID
+ type: object
+ aws:
+ description: AWS configures this store to sync secrets using AWS Secret Manager provider
+ properties:
+ auth:
+ description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
+ properties:
+ jwt:
+ description: Authenticate against AWS using service account tokens.
+ properties:
+ serviceAccountRef:
+ description: A reference to a ServiceAccount resource.
+ properties:
+ audiences:
+ description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
+ items:
+ type: string
+ type: array
+ name:
+ description: The name of the ServiceAccount resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ required:
+ - name
+ type: object
+ type: object
+ secretRef:
+ description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
+ properties:
+ accessKeyIDSecretRef:
+ description: The AccessKeyID is used for authentication
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ secretAccessKeySecretRef:
+ description: The SecretAccessKey is used for authentication
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ type: object
+ region:
+ description: AWS Region to be used for the provider
+ type: string
+ role:
+ description: Role is a Role ARN which the SecretManager provider will assume
+ type: string
+ service:
+ description: Service defines which service should be used to fetch the secrets
+ enum:
+ - SecretsManager
+ - ParameterStore
+ type: string
+ required:
+ - region
+ - service
+ type: object
+ azurekv:
+ description: AzureKV configures this store to sync secrets using Azure Key Vault provider
+ properties:
+ authSecretRef:
+ description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type.
+ properties:
+ clientId:
+ description: The Azure clientId of the service principle used for authentication.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ clientSecret:
+ description: The Azure ClientSecret of the service principle used for authentication.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ authType:
+ default: ServicePrincipal
+ description: 'Auth type defines how to authenticate to the keyvault service. Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)'
+ enum:
+ - ServicePrincipal
+ - ManagedIdentity
+ - WorkloadIdentity
+ type: string
+ identityId:
+ description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
+ type: string
+ serviceAccountRef:
+ description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity.
+ properties:
+ audiences:
+ description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
+ items:
+ type: string
+ type: array
+ name:
+ description: The name of the ServiceAccount resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ required:
+ - name
+ type: object
+ tenantId:
+ description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
+ type: string
+ vaultUrl:
+ description: Vault Url from which the secrets to be fetched from.
+ type: string
+ required:
+ - vaultUrl
+ type: object
+ fake:
+ description: Fake configures a store with static key/value pairs
+ properties:
+ data:
+ items:
+ properties:
+ key:
+ type: string
+ value:
+ type: string
+ valueMap:
+ additionalProperties:
+ type: string
+ type: object
+ version:
+ type: string
+ required:
+ - key
+ type: object
+ type: array
+ required:
+ - data
+ type: object
+ gcpsm:
+ description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
+ properties:
+ auth:
+ description: Auth defines the information necessary to authenticate against GCP
+ properties:
+ secretRef:
+ properties:
+ secretAccessKeySecretRef:
+ description: The SecretAccessKey is used for authentication
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ workloadIdentity:
+ properties:
+ clusterLocation:
+ type: string
+ clusterName:
+ type: string
+ clusterProjectID:
+ type: string
+ serviceAccountRef:
+ description: A reference to a ServiceAccount resource.
+ properties:
+ audiences:
+ description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
+ items:
+ type: string
+ type: array
+ name:
+ description: The name of the ServiceAccount resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - clusterLocation
+ - clusterName
+ - serviceAccountRef
+ type: object
+ type: object
+ projectID:
+ description: ProjectID project where secret is located
+ type: string
+ type: object
+ gitlab:
+ description: GitLab configures this store to sync secrets using GitLab Variables provider
+ properties:
+ auth:
+ description: Auth configures how secret-manager authenticates with a GitLab instance.
+ properties:
+ SecretRef:
+ properties:
+ accessToken:
+ description: AccessToken is used for authentication.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ required:
+ - SecretRef
+ type: object
+ projectID:
+ description: ProjectID specifies a project where secrets are located.
+ type: string
+ url:
+ description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
+ type: string
+ required:
+ - auth
+ type: object
+ ibm:
+ description: IBM configures this store to sync secrets using IBM Cloud provider
+ properties:
+ auth:
+ description: Auth configures how secret-manager authenticates with the IBM secrets manager.
+ properties:
+ secretRef:
+ properties:
+ secretApiKeySecretRef:
+ description: The SecretAccessKey is used for authentication
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ required:
+ - secretRef
+ type: object
+ serviceUrl:
+ description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
+ type: string
+ required:
+ - auth
+ type: object
+ kubernetes:
+ description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
+ properties:
+ auth:
+ description: Auth configures how secret-manager authenticates with a Kubernetes instance.
+ maxProperties: 1
+ minProperties: 1
+ properties:
+ cert:
+ description: has both clientCert and clientKey as secretKeySelector
+ properties:
+ clientCert:
+ description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ clientKey:
+ description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ serviceAccount:
+ description: points to a service account that should be used for authentication
+ properties:
+ serviceAccount:
+ description: A reference to a ServiceAccount resource.
+ properties:
+ audiences:
+ description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
+ items:
+ type: string
+ type: array
+ name:
+ description: The name of the ServiceAccount resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ required:
+ - name
+ type: object
+ type: object
+ token:
+ description: use static token to authenticate with
+ properties:
+ bearerToken:
+ description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ type: object
+ remoteNamespace:
+ default: default
+ description: Remote namespace to fetch the secrets from
+ type: string
+ server:
+ description: configures the Kubernetes server Address.
+ properties:
+ caBundle:
+ description: CABundle is a base64-encoded CA certificate
+ format: byte
+ type: string
+ caProvider:
+ description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
+ properties:
+ key:
+ description: The key the value inside of the provider type to use, only used with "Secret" type
+ type: string
+ name:
+ description: The name of the object located at the provider type.
+ type: string
+ namespace:
+ description: The namespace the Provider type is in.
+ type: string
+ type:
+ description: The type of provider to use such as "Secret", or "ConfigMap".
+ enum:
+ - Secret
+ - ConfigMap
+ type: string
+ required:
+ - name
+ - type
+ type: object
+ url:
+ default: kubernetes.default
+ description: configures the Kubernetes server Address.
+ type: string
+ type: object
+ required:
+ - auth
+ type: object
+ oracle:
+ description: Oracle configures this store to sync secrets using Oracle Vault provider
+ properties:
+ auth:
+ description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, instance principal is used. Optionally, the authenticating principal type and/or user data may be supplied for the use of workload identity and user principal.
+ properties:
+ secretRef:
+ description: SecretRef to pass through sensitive information.
+ properties:
+ fingerprint:
+ description: Fingerprint is the fingerprint of the API private key.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ privatekey:
+ description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ required:
+ - fingerprint
+ - privatekey
+ type: object
+ tenancy:
+ description: Tenancy is the tenancy OCID where user is located.
+ type: string
+ user:
+ description: User is an access OCID specific to the account.
+ type: string
+ required:
+ - secretRef
+ - tenancy
+ - user
+ type: object
+ compartment:
+ description: Compartment is the vault compartment OCID. Required for PushSecret
+ type: string
+ encryptionKey:
+ description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret
+ type: string
+ principalType:
+ description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity.
+ enum:
+ - ""
+ - UserPrincipal
+ - InstancePrincipal
+ - Workload
+ type: string
+ region:
+ description: Region is the region where vault is located.
+ type: string
+ serviceAccountRef:
+ description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity.
+ properties:
+ audiences:
+ description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
+ items:
+ type: string
+ type: array
+ name:
+ description: The name of the ServiceAccount resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ required:
+ - name
+ type: object
+ vault:
+ description: Vault is the vault's OCID of the specific vault where secret is located.
+ type: string
+ required:
+ - region
+ - vault
+ type: object
+ vault:
+ description: Vault configures this store to sync secrets using Hashi provider
+ properties:
+ auth:
+ description: Auth configures how secret-manager authenticates with the Vault server.
+ properties:
+ appRole:
+ description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
+ properties:
+ path:
+ default: approle
+ description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
+ type: string
+ roleId:
+ description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
+ type: string
+ secretRef:
+ description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ required:
+ - path
+ - roleId
+ - secretRef
+ type: object
+ cert:
+ description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method
+ properties:
+ clientCert:
+ description: ClientCert is a certificate to authenticate using the Cert Vault authentication method
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ secretRef:
+ description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ jwt:
+ description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method
+ properties:
+ kubernetesServiceAccountToken:
+ description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API.
+ properties:
+ audiences:
+ description: Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified.
+ items:
+ type: string
+ type: array
+ expirationSeconds:
+ description: Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to 10 minutes.
+ format: int64
+ type: integer
+ serviceAccountRef:
+ description: Service account field containing the name of a kubernetes ServiceAccount.
+ properties:
+ audiences:
+ description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
+ items:
+ type: string
+ type: array
+ name:
+ description: The name of the ServiceAccount resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - serviceAccountRef
+ type: object
+ path:
+ default: jwt
+ description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"'
+ type: string
+ role:
+ description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method
+ type: string
+ secretRef:
+ description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ required:
+ - path
+ type: object
+ kubernetes:
+ description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
+ properties:
+ mountPath:
+ default: kubernetes
+ description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"'
+ type: string
+ role:
+ description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
+ type: string
+ secretRef:
+ description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ serviceAccountRef:
+ description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead.
+ properties:
+ audiences:
+ description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
+ items:
+ type: string
+ type: array
+ name:
+ description: The name of the ServiceAccount resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - mountPath
+ - role
+ type: object
+ ldap:
+ description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method
+ properties:
+ path:
+ default: ldap
+ description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"'
+ type: string
+ secretRef:
+ description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ username:
+ description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method
+ type: string
+ required:
+ - path
+ - username
+ type: object
+ tokenSecretRef:
+ description: TokenSecretRef authenticates with Vault by presenting a token.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ caBundle:
+ description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
+ format: byte
+ type: string
+ caProvider:
+ description: The provider for the CA bundle to use to validate Vault server certificate.
+ properties:
+ key:
+ description: The key the value inside of the provider type to use, only used with "Secret" type
+ type: string
+ name:
+ description: The name of the object located at the provider type.
+ type: string
+ namespace:
+ description: The namespace the Provider type is in.
+ type: string
+ type:
+ description: The type of provider to use such as "Secret", or "ConfigMap".
+ enum:
+ - Secret
+ - ConfigMap
+ type: string
+ required:
+ - name
+ - type
+ type: object
+ forwardInconsistent:
+ description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
+ type: boolean
+ namespace:
+ description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
+ type: string
+ path:
+ description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.'
+ type: string
+ readYourWrites:
+ description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency
+ type: boolean
+ server:
+ description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
+ type: string
+ version:
+ default: v2
+ description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2".
+ enum:
+ - v1
+ - v2
+ type: string
+ required:
+ - auth
+ - server
+ type: object
+ webhook:
+ description: Webhook configures this store to sync secrets using a generic templated webhook
+ properties:
+ body:
+ description: Body
+ type: string
+ caBundle:
+ description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
+ format: byte
+ type: string
+ caProvider:
+ description: The provider for the CA bundle to use to validate webhook server certificate.
+ properties:
+ key:
+ description: The key the value inside of the provider type to use, only used with "Secret" type
+ type: string
+ name:
+ description: The name of the object located at the provider type.
+ type: string
+ namespace:
+ description: The namespace the Provider type is in.
+ type: string
+ type:
+ description: The type of provider to use such as "Secret", or "ConfigMap".
+ enum:
+ - Secret
+ - ConfigMap
+ type: string
+ required:
+ - name
+ - type
+ type: object
+ headers:
+ additionalProperties:
+ type: string
+ description: Headers
+ type: object
+ method:
+ description: Webhook Method
+ type: string
+ result:
+ description: Result formatting
+ properties:
+ jsonPath:
+ description: Json path of return value
+ type: string
+ type: object
+ secrets:
+ description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name
+ items:
+ properties:
+ name:
+ description: Name of this secret in templates
+ type: string
+ secretRef:
+ description: Secret ref to fill in credentials
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ required:
+ - name
+ - secretRef
+ type: object
+ type: array
+ timeout:
+ description: Timeout
+ type: string
+ url:
+ description: Webhook url to call
+ type: string
+ required:
+ - result
+ - url
+ type: object
+ yandexlockbox:
+ description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
+ properties:
+ apiEndpoint:
+ description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
+ type: string
+ auth:
+ description: Auth defines the information necessary to authenticate against Yandex Lockbox
+ properties:
+ authorizedKeySecretRef:
+ description: The authorized key used for authentication
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ caProvider:
+ description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
+ properties:
+ certSecretRef:
+ description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ required:
+ - auth
+ type: object
+ type: object
+ retrySettings:
+ description: Used to configure http retries if failed
+ properties:
+ maxRetries:
+ format: int32
+ type: integer
+ retryInterval:
+ type: string
+ type: object
+ required:
+ - provider
+ type: object
+ status:
+ description: SecretStoreStatus defines the observed state of the SecretStore.
+ properties:
+ conditions:
+ items:
+ properties:
+ lastTransitionTime:
+ format: date-time
+ type: string
+ message:
+ type: string
+ reason:
+ type: string
+ status:
+ type: string
+ type:
+ type: string
+ required:
+ - status
+ - type
+ type: object
+ type: array
+ type: object
+ type: object
+ served: true
+ storage: false
+ subresources:
+ status: {}
+ - additionalPrinterColumns:
+ - jsonPath: .metadata.creationTimestamp
+ name: AGE
+ type: date
+ - jsonPath: .status.conditions[?(@.type=="Ready")].reason
+ name: Status
+ type: string
+ - jsonPath: .status.capabilities
+ name: Capabilities
+ type: string
+ - jsonPath: .status.conditions[?(@.type=="Ready")].status
+ name: Ready
+ type: string
+ name: v1beta1
+ schema:
+ openAPIV3Schema:
+ description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: SecretStoreSpec defines the desired state of SecretStore.
+ properties:
+ conditions:
+ description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore
+ items:
+ description: ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in for a ClusterSecretStore instance.
+ properties:
+ namespaceSelector:
+ description: Choose namespace using a labelSelector
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
+ items:
+ description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the selector applies to.
+ type: string
+ operator:
+ description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: Choose namespaces by name
+ items:
+ type: string
+ type: array
+ type: object
+ type: array
+ controller:
+ description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property'
+ type: string
+ provider:
+ description: Used to configure the provider. Only one provider may be set
+ maxProperties: 1
+ minProperties: 1
+ properties:
+ akeyless:
+ description: Akeyless configures this store to sync secrets using Akeyless Vault provider
+ properties:
+ akeylessGWApiURL:
+ description: Akeyless GW API Url from which the secrets to be fetched from.
+ type: string
+ authSecretRef:
+ description: Auth configures how the operator authenticates with Akeyless.
+ properties:
+ kubernetesAuth:
+ description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource.
+ properties:
+ accessID:
+ description: the Akeyless Kubernetes auth-method access-id
+ type: string
+ k8sConfName:
+ description: Kubernetes-auth configuration name in Akeyless-Gateway
+ type: string
+ secretRef:
+ description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ serviceAccountRef:
+ description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead.
+ properties:
+ audiences:
+ description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
+ items:
+ type: string
+ type: array
+ name:
+ description: The name of the ServiceAccount resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - accessID
+ - k8sConfName
+ type: object
+ secretRef:
+ description: Reference to a Secret that contains the details to authenticate with Akeyless.
+ properties:
+ accessID:
+ description: The SecretAccessID is used for authentication
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ accessType:
+ description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ accessTypeParam:
+ description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ type: object
+ caBundle:
+ description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection.
+ format: byte
+ type: string
+ caProvider:
+ description: The provider for the CA bundle to use to validate Akeyless Gateway certificate.
+ properties:
+ key:
+ description: The key where the CA certificate can be found in the Secret or ConfigMap.
+ type: string
+ name:
+ description: The name of the object located at the provider type.
+ type: string
+ namespace:
+ description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore.
+ type: string
+ type:
+ description: The type of provider to use such as "Secret", or "ConfigMap".
+ enum:
+ - Secret
+ - ConfigMap
+ type: string
+ required:
+ - name
+ - type
+ type: object
+ required:
+ - akeylessGWApiURL
+ - authSecretRef
+ type: object
+ alibaba:
+ description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
+ properties:
+ auth:
+ description: AlibabaAuth contains a secretRef for credentials.
+ properties:
+ rrsa:
+ description: Authenticate against Alibaba using RRSA.
+ properties:
+ oidcProviderArn:
+ type: string
+ oidcTokenFilePath:
+ type: string
+ roleArn:
+ type: string
+ sessionName:
+ type: string
+ required:
+ - oidcProviderArn
+ - oidcTokenFilePath
+ - roleArn
+ - sessionName
+ type: object
+ secretRef:
+ description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
+ properties:
+ accessKeyIDSecretRef:
+ description: The AccessKeyID is used for authentication
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ accessKeySecretSecretRef:
+ description: The AccessKeySecret is used for authentication
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
required:
@@ -458,10 +1448,7 @@ spec:
type: string
type: array
auth:
- description: |-
- Auth defines the information necessary to authenticate against AWS
- if not set aws sdk will infer credentials from your environment
- see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+ description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
properties:
jwt:
description: Authenticate against AWS using service account tokens.
@@ -470,115 +1457,60 @@ spec:
description: A reference to a ServiceAccount resource.
properties:
audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
+ description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
items:
type: string
type: array
name:
description: The name of the ServiceAccount resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- Namespace of the resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
required:
- name
type: object
type: object
secretRef:
- description: |-
- AWSAuthSecretRef holds secret references for AWS credentials
- both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
+ description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
properties:
accessKeyIDSecretRef:
description: The AccessKeyID is used for authentication
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
secretAccessKeySecretRef:
description: The SecretAccessKey is used for authentication
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
sessionTokenSecretRef:
- description: |-
- The SessionToken used for authentication
- This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
- see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
+ description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html'
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
type: object
@@ -586,9 +1518,6 @@ spec:
externalID:
description: AWS External ID set on assumed IAM roles
type: string
- prefix:
- description: Prefix adds a prefix to all retrieved values.
- type: string
region:
description: AWS Region to be used for the provider
type: string
@@ -599,20 +1528,10 @@ spec:
description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager
properties:
forceDeleteWithoutRecovery:
- description: |-
- Specifies whether to delete the secret without any recovery window. You
- can't use both this parameter and RecoveryWindowInDays in the same call.
- If you don't use either, then by default Secrets Manager uses a 30 day
- recovery window.
- see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery
+ description: 'Specifies whether to delete the secret without any recovery window. You can''t use both this parameter and RecoveryWindowInDays in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery'
type: boolean
recoveryWindowInDays:
- description: |-
- The number of days from 7 to 30 that Secrets Manager waits before
- permanently deleting the secret. You can't use both this parameter and
- ForceDeleteWithoutRecovery in the same call. If you don't use either,
- then by default Secrets Manager uses a 30 day recovery window.
- see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays
+ description: 'The number of days from 7 to 30 that Secrets Manager waits before permanently deleting the secret. You can''t use both this parameter and ForceDeleteWithoutRecovery in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays'
format: int64
type: integer
type: object
@@ -648,120 +1567,38 @@ spec:
description: AzureKV configures this store to sync secrets using Azure Key Vault provider
properties:
authSecretRef:
- description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
+ description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type.
properties:
- clientCertificate:
- description: The Azure ClientCertificate of the service principle used for authentication.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
clientId:
- description: The Azure clientId of the service principle or managed identity used for authentication.
+ description: The Azure clientId of the service principle used for authentication.
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
clientSecret:
description: The Azure ClientSecret of the service principle used for authentication.
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- tenantId:
- description: The Azure tenantId of the managed identity used for authentication.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
type: object
authType:
default: ServicePrincipal
- description: |-
- Auth type defines how to authenticate to the keyvault service.
- Valid values are:
- - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
- - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
+ description: 'Auth type defines how to authenticate to the keyvault service. Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)'
enum:
- ServicePrincipal
- ManagedIdentity
@@ -769,11 +1606,7 @@ spec:
type: string
environmentType:
default: PublicCloud
- description: |-
- EnvironmentType specifies the Azure cloud environment endpoints to use for
- connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
- The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
- PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
+ description: 'EnvironmentType specifies the Azure cloud environment endpoints to use for connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud'
enum:
- PublicCloud
- USGovernmentCloud
@@ -784,37 +1617,24 @@ spec:
description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
type: string
serviceAccountRef:
- description: |-
- ServiceAccountRef specified the service account
- that should be used when authenticating with WorkloadIdentity.
+ description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity.
properties:
audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
+ description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
items:
type: string
type: array
name:
description: The name of the ServiceAccount resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- Namespace of the resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
required:
- name
type: object
tenantId:
- description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
+ description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
type: string
vaultUrl:
description: Vault Url from which the secrets to be fetched from.
@@ -822,492 +1642,39 @@ spec:
required:
- vaultUrl
type: object
- beyondtrust:
- description: Beyondtrust configures this store to sync secrets using Password Safe provider.
- properties:
- auth:
- description: Auth configures how the operator authenticates with Beyondtrust.
- properties:
- apiKey:
- description: APIKey If not provided then ClientID/ClientSecret become required.
- properties:
- secretRef:
- description: SecretRef references a key in a secret that will be used as value.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- value:
- description: Value can be specified directly to set a value without using a secret.
- type: string
- type: object
- certificate:
- description: Certificate (cert.pem) for use when authenticating with an OAuth client Id using a Client Certificate.
- properties:
- secretRef:
- description: SecretRef references a key in a secret that will be used as value.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- value:
- description: Value can be specified directly to set a value without using a secret.
- type: string
- type: object
- certificateKey:
- description: Certificate private key (key.pem). For use when authenticating with an OAuth client Id
- properties:
- secretRef:
- description: SecretRef references a key in a secret that will be used as value.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- value:
- description: Value can be specified directly to set a value without using a secret.
- type: string
- type: object
- clientId:
- description: ClientID is the API OAuth Client ID.
- properties:
- secretRef:
- description: SecretRef references a key in a secret that will be used as value.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- value:
- description: Value can be specified directly to set a value without using a secret.
- type: string
- type: object
- clientSecret:
- description: ClientSecret is the API OAuth Client Secret.
- properties:
- secretRef:
- description: SecretRef references a key in a secret that will be used as value.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- value:
- description: Value can be specified directly to set a value without using a secret.
- type: string
- type: object
- type: object
- server:
- description: Auth configures how API server works.
- properties:
- apiUrl:
- type: string
- apiVersion:
- type: string
- clientTimeOutSeconds:
- description: Timeout specifies a time limit for requests made by this Client. The timeout includes connection time, any redirects, and reading the response body. Defaults to 45 seconds.
- type: integer
- retrievalType:
- description: The secret retrieval type. SECRET = Secrets Safe (credential, text, file). MANAGED_ACCOUNT = Password Safe account associated with a system.
- type: string
- separator:
- description: A character that separates the folder names.
- type: string
- verifyCA:
- type: boolean
- required:
- - apiUrl
- - verifyCA
- type: object
- required:
- - auth
- - server
- type: object
- bitwardensecretsmanager:
- description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider
- properties:
- apiURL:
- type: string
- auth:
- description: |-
- Auth configures how secret-manager authenticates with a bitwarden machine account instance.
- Make sure that the token being used has permissions on the given secret.
- properties:
- secretRef:
- description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance.
- properties:
- credentials:
- description: AccessToken used for the bitwarden instance.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - credentials
- type: object
- required:
- - secretRef
- type: object
- bitwardenServerSDKURL:
- type: string
- caBundle:
- description: |-
- Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack
- can be performed.
- type: string
- caProvider:
- description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider'
- properties:
- key:
- description: The key where the CA certificate can be found in the Secret or ConfigMap.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the object located at the provider type.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace the Provider type is in.
- Can only be defined when used in a ClusterSecretStore.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type:
- description: The type of provider to use such as "Secret", or "ConfigMap".
- enum:
- - Secret
- - ConfigMap
- type: string
- required:
- - name
- - type
- type: object
- identityURL:
- type: string
- organizationID:
- description: OrganizationID determines which organization this secret store manages.
- type: string
- projectID:
- description: ProjectID determines which project this secret store manages.
- type: string
- required:
- - auth
- - organizationID
- - projectID
- type: object
- chef:
- description: Chef configures this store to sync secrets with chef server
- properties:
- auth:
- description: Auth defines the information necessary to authenticate against chef Server
- properties:
- secretRef:
- description: ChefAuthSecretRef holds secret references for chef server login credentials.
- properties:
- privateKeySecretRef:
- description: SecretKey is the Signing Key in PEM format, used for authentication.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - privateKeySecretRef
- type: object
- required:
- - secretRef
- type: object
- serverUrl:
- description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/"
- type: string
- username:
- description: UserName should be the user ID on the chef server
- type: string
- required:
- - auth
- - serverUrl
- - username
- type: object
- cloudrusm:
- description: CloudruSM configures this store to sync secrets using the Cloud.ru Secret Manager provider
- properties:
- auth:
- description: CSMAuth contains a secretRef for credentials.
- properties:
- secretRef:
- description: CSMAuthSecretRef holds secret references for Cloud.ru credentials.
- properties:
- accessKeyIDSecretRef:
- description: The AccessKeyID is used for authentication
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- accessKeySecretSecretRef:
- description: The AccessKeySecret is used for authentication
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - accessKeyIDSecretRef
- - accessKeySecretSecretRef
- type: object
- type: object
- projectID:
- description: ProjectID is the project, which the secrets are stored in.
- type: string
- required:
- - auth
- type: object
conjur:
description: Conjur configures this store to sync secrets using conjur provider
properties:
auth:
- description: Defines authentication settings for connecting to Conjur.
properties:
apikey:
- description: Authenticates with Conjur using an API key.
properties:
account:
- description: Account is the Conjur organization account name.
type: string
apiKeyRef:
- description: |-
- A reference to a specific 'key' containing the Conjur API key
- within a Secret resource. In some instances, `key` is a required field.
+ description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
userRef:
- description: |-
- A reference to a specific 'key' containing the Conjur username
- within a Secret resource. In some instances, `key` is a required field.
+ description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
required:
@@ -1316,70 +1683,35 @@ spec:
- userRef
type: object
jwt:
- description: Jwt enables JWT authentication using Kubernetes service account tokens.
properties:
account:
- description: Account is the Conjur organization account name.
- type: string
- hostId:
- description: |-
- Optional HostID for JWT authentication. This may be used depending
- on how the Conjur JWT authenticator policy is configured.
type: string
secretRef:
- description: |-
- Optional SecretRef that refers to a key in a Secret resource containing JWT token to
- authenticate with Conjur using the JWT authentication method.
+ description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Conjur using the JWT authentication method.
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
serviceAccountRef:
- description: |-
- Optional ServiceAccountRef specifies the Kubernetes service account for which to request
- a token for with the `TokenRequest` API.
+ description: Optional ServiceAccountRef specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API.
properties:
audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
+ description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
items:
type: string
type: array
name:
description: The name of the ServiceAccount resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- Namespace of the resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
required:
- name
@@ -1393,33 +1725,18 @@ spec:
type: object
type: object
caBundle:
- description: CABundle is a PEM encoded CA bundle that will be used to validate the Conjur server certificate.
type: string
caProvider:
- description: |-
- Used to provide custom certificate authority (CA) certificates
- for a secret store. The CAProvider points to a Secret or ConfigMap resource
- that contains a PEM-encoded certificate.
+ description: Used to provide custom certificate authority (CA) certificates for a secret store. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate.
properties:
key:
description: The key where the CA certificate can be found in the Secret or ConfigMap.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
type: string
name:
description: The name of the object located at the provider type.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace the Provider type is in.
- Can only be defined when used in a ClusterSecretStore.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore.
type: string
type:
description: The type of provider to use such as "Secret", or "ConfigMap".
@@ -1432,16 +1749,13 @@ spec:
- type
type: object
url:
- description: URL is the endpoint of the Conjur instance.
type: string
required:
- auth
- url
type: object
delinea:
- description: |-
- Delinea DevOps Secrets Vault
- https://docs.delinea.com/online-help/products/devops-secrets-vault/current
+ description: Delinea DevOps Secrets Vault https://docs.delinea.com/online-help/products/devops-secrets-vault/current
properties:
clientId:
description: ClientID is the non-secret part of the credential.
@@ -1450,26 +1764,13 @@ spec:
description: SecretRef references a key in a secret that will be used as value.
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
value:
@@ -1483,26 +1784,13 @@ spec:
description: SecretRef references a key in a secret that will be used as value.
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
value:
@@ -1513,65 +1801,16 @@ spec:
description: Tenant is the chosen hostname / site name.
type: string
tld:
- description: |-
- TLD is based on the server location that was chosen during provisioning.
- If unset, defaults to "com".
+ description: TLD is based on the server location that was chosen during provisioning. If unset, defaults to "com".
type: string
urlTemplate:
- description: |-
- URLTemplate
- If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s".
+ description: URLTemplate If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s".
type: string
required:
- clientId
- clientSecret
- tenant
type: object
- device42:
- description: Device42 configures this store to sync secrets using the Device42 provider
- properties:
- auth:
- description: Auth configures how secret-manager authenticates with a Device42 instance.
- properties:
- secretRef:
- properties:
- credentials:
- description: Username / Password is used for authentication.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- required:
- - secretRef
- type: object
- host:
- description: URL configures the Device42 instance URL.
- type: string
- required:
- - auth
- - host
- type: object
doppler:
description: Doppler configures this store to sync secrets using the Doppler provider
properties:
@@ -1581,32 +1820,16 @@ spec:
secretRef:
properties:
dopplerToken:
- description: |-
- The DopplerToken is used for authentication.
- See https://docs.doppler.com/reference/api#authentication for auth token types.
- The Key attribute defaults to dopplerToken if not specified.
+ description: The DopplerToken is used for authentication. See https://docs.doppler.com/reference/api#authentication for auth token types. The Key attribute defaults to dopplerToken if not specified.
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
required:
@@ -1653,53 +1876,20 @@ spec:
type: string
value:
type: string
+ valueMap:
+ additionalProperties:
+ type: string
+ description: 'Deprecated: ValueMap is deprecated and is intended to be removed in the future, use the `value` field instead.'
+ type: object
version:
type: string
required:
- key
- - value
type: object
type: array
required:
- data
type: object
- fortanix:
- description: Fortanix configures this store to sync secrets using the Fortanix provider
- properties:
- apiKey:
- description: APIKey is the API token to access SDKMS Applications.
- properties:
- secretRef:
- description: SecretRef is a reference to a secret containing the SDKMS API Key.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- apiUrl:
- description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`.
- type: string
- type: object
gcpsm:
description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
properties:
@@ -1712,152 +1902,51 @@ spec:
description: The SecretAccessKey is used for authentication
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
type: object
workloadIdentity:
properties:
clusterLocation:
- description: |-
- ClusterLocation is the location of the cluster
- If not specified, it fetches information from the metadata server
type: string
clusterName:
- description: |-
- ClusterName is the name of the cluster
- If not specified, it fetches information from the metadata server
type: string
clusterProjectID:
- description: |-
- ClusterProjectID is the project ID of the cluster
- If not specified, it fetches information from the metadata server
type: string
serviceAccountRef:
description: A reference to a ServiceAccount resource.
properties:
audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
+ description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
items:
type: string
type: array
name:
description: The name of the ServiceAccount resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- Namespace of the resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
required:
- name
type: object
required:
+ - clusterLocation
+ - clusterName
- serviceAccountRef
type: object
type: object
- location:
- description: Location optionally defines a location for a secret
- type: string
projectID:
description: ProjectID project where secret is located
type: string
type: object
- github:
- description: Github configures this store to push Github Action secrets using Github API provider
- properties:
- appID:
- description: appID specifies the Github APP that will be used to authenticate the client
- format: int64
- type: integer
- auth:
- description: auth configures how secret-manager authenticates with a Github instance.
- properties:
- privateKey:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - privateKey
- type: object
- environment:
- description: environment will be used to fetch secrets from a particular environment within a github repository
- type: string
- installationID:
- description: installationID specifies the Github APP installation that will be used to authenticate the client
- format: int64
- type: integer
- organization:
- description: organization will be used to fetch secrets from the Github organization
- type: string
- repository:
- description: repository will be used to fetch secrets from the Github repository within an organization
- type: string
- uploadURL:
- description: Upload URL for enterprise instances. Default to URL.
- type: string
- url:
- default: https://github.com/
- description: URL configures the Github instance URL. Defaults to https://github.com/.
- type: string
- required:
- - appID
- - auth
- - installationID
- - organization
- type: object
gitlab:
description: GitLab configures this store to sync secrets using GitLab Variables provider
properties:
@@ -1870,26 +1959,13 @@ spec:
description: AccessToken is used for authentication.
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
type: object
@@ -1944,26 +2020,13 @@ spec:
description: The SecretAccessKey is used for authentication
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
type: object
@@ -1974,137 +2037,20 @@ spec:
required:
- auth
type: object
- infisical:
- description: Infisical configures this store to sync secrets using the Infisical provider
- properties:
- auth:
- description: Auth configures how the Operator authenticates with the Infisical API
- properties:
- universalAuthCredentials:
- properties:
- clientId:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- clientSecret:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - clientId
- - clientSecret
- type: object
- type: object
- hostAPI:
- default: https://app.infisical.com/api
- description: HostAPI specifies the base URL of the Infisical API. If not provided, it defaults to "https://app.infisical.com/api".
- type: string
- secretsScope:
- description: SecretsScope defines the scope of the secrets within the workspace
- properties:
- environmentSlug:
- description: EnvironmentSlug is the required slug identifier for the environment.
- type: string
- expandSecretReferences:
- default: true
- description: ExpandSecretReferences indicates whether secret references should be expanded. Defaults to true if not provided.
- type: boolean
- projectSlug:
- description: ProjectSlug is the required slug identifier for the project.
- type: string
- recursive:
- default: false
- description: Recursive indicates whether the secrets should be fetched recursively. Defaults to false if not provided.
- type: boolean
- secretsPath:
- default: /
- description: SecretsPath specifies the path to the secrets within the workspace. Defaults to "/" if not provided.
- type: string
- required:
- - environmentSlug
- - projectSlug
- type: object
- required:
- - auth
- - secretsScope
- type: object
keepersecurity:
description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider
properties:
authRef:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
+ description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
folderID:
@@ -2125,59 +2071,29 @@ spec:
description: has both clientCert and clientKey as secretKeySelector
properties:
clientCert:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
+ description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
clientKey:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
+ description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
type: object
@@ -2185,26 +2101,15 @@ spec:
description: points to a service account that should be used for authentication
properties:
audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
+ description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
items:
type: string
type: array
name:
description: The name of the ServiceAccount resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- Namespace of the resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
required:
- name
@@ -2213,67 +2118,23 @@ spec:
description: use static token to authenticate with
properties:
bearerToken:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
+ description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
type: object
type: object
- authRef:
- description: A reference to a secret that contains the auth information.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
remoteNamespace:
default: default
description: Remote namespace to fetch the secrets from
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
server:
description: configures the Kubernetes server Address.
@@ -2287,23 +2148,12 @@ spec:
properties:
key:
description: The key where the CA certificate can be found in the Secret or ConfigMap.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
type: string
name:
description: The name of the object located at the provider type.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace the Provider type is in.
- Can only be defined when used in a ClusterSecretStore.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore.
type: string
type:
description: The type of provider to use such as "Secret", or "ConfigMap".
@@ -2320,88 +2170,8 @@ spec:
description: configures the Kubernetes server Address.
type: string
type: object
- type: object
- onboardbase:
- description: Onboardbase configures this store to sync secrets using the Onboardbase provider
- properties:
- apiHost:
- default: https://public.onboardbase.com/api/v1/
- description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/
- type: string
- auth:
- description: Auth configures how the Operator authenticates with the Onboardbase API
- properties:
- apiKeyRef:
- description: |-
- OnboardbaseAPIKey is the APIKey generated by an admin account.
- It is used to recognize and authorize access to a project and environment within onboardbase
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- passcodeRef:
- description: OnboardbasePasscode is the passcode attached to the API Key
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - apiKeyRef
- - passcodeRef
- type: object
- environment:
- default: development
- description: Environment is the name of an environmnent within a project to pull the secrets from
- type: string
- project:
- default: development
- description: Project is an onboardbase project that the secrets should be pulled from
- type: string
required:
- - apiHost
- auth
- - environment
- - project
type: object
onepassword:
description: OnePassword configures this store to sync secrets using the 1Password Cloud provider
@@ -2416,26 +2186,13 @@ spec:
description: The ConnectToken is used for authentication to a 1Password Connect Server.
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
required:
@@ -2461,9 +2218,7 @@ spec:
description: Oracle configures this store to sync secrets using Oracle Vault provider
properties:
auth:
- description: |-
- Auth configures how secret-manager authenticates with the Oracle Vault.
- If empty, use the instance principal, otherwise the user credentials specified in Auth.
+ description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth.
properties:
secretRef:
description: SecretRef to pass through sensitive information.
@@ -2472,52 +2227,26 @@ spec:
description: Fingerprint is the fingerprint of the API private key.
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
privatekey:
description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
required:
@@ -2536,20 +2265,13 @@ spec:
- user
type: object
compartment:
- description: |-
- Compartment is the vault compartment OCID.
- Required for PushSecret
+ description: Compartment is the vault compartment OCID. Required for PushSecret
type: string
encryptionKey:
- description: |-
- EncryptionKey is the OCID of the encryption key within the vault.
- Required for PushSecret
+ description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret
type: string
principalType:
- description: |-
- The type of principal to use for authentication. If left blank, the Auth struct will
- determine the principal type. This optional field must be specified if using
- workload identity.
+ description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity.
enum:
- ""
- UserPrincipal
@@ -2560,31 +2282,18 @@ spec:
description: Region is the region where vault is located.
type: string
serviceAccountRef:
- description: |-
- ServiceAccountRef specified the service account
- that should be used when authenticating with WorkloadIdentity.
+ description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity.
properties:
audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
+ description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
items:
type: string
type: array
name:
description: The name of the ServiceAccount resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- Namespace of the resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
required:
- name
@@ -2596,229 +2305,6 @@ spec:
- region
- vault
type: object
- passbolt:
- properties:
- auth:
- description: Auth defines the information necessary to authenticate against Passbolt Server
- properties:
- passwordSecretRef:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- privateKeySecretRef:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - passwordSecretRef
- - privateKeySecretRef
- type: object
- host:
- description: Host defines the Passbolt Server to connect to
- type: string
- required:
- - auth
- - host
- type: object
- passworddepot:
- description: Configures a store to sync secrets with a Password Depot instance.
- properties:
- auth:
- description: Auth configures how secret-manager authenticates with a Password Depot instance.
- properties:
- secretRef:
- properties:
- credentials:
- description: Username / Password is used for authentication.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- required:
- - secretRef
- type: object
- database:
- description: Database to use as source
- type: string
- host:
- description: URL configures the Password Depot instance URL.
- type: string
- required:
- - auth
- - database
- - host
- type: object
- previder:
- description: Previder configures this store to sync secrets using the Previder provider
- properties:
- auth:
- description: PreviderAuth contains a secretRef for credentials.
- properties:
- secretRef:
- description: PreviderAuthSecretRef holds secret references for Previder Vault credentials.
- properties:
- accessToken:
- description: The AccessToken is used for authentication
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - accessToken
- type: object
- type: object
- baseUri:
- type: string
- required:
- - auth
- type: object
- pulumi:
- description: Pulumi configures this store to sync secrets using the Pulumi provider
- properties:
- accessToken:
- description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console.
- properties:
- secretRef:
- description: SecretRef is a reference to a secret containing the Pulumi API token.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- apiUrl:
- default: https://api.pulumi.com/api/esc
- description: APIURL is the URL of the Pulumi API.
- type: string
- environment:
- description: |-
- Environment are YAML documents composed of static key-value pairs, programmatic expressions,
- dynamically retrieved values from supported providers including all major clouds,
- and other Pulumi ESC environments.
- To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information.
- type: string
- organization:
- description: |-
- Organization are a space to collaborate on shared projects and stacks.
- To create a new organization, visit https://app.pulumi.com/ and click "New Organization".
- type: string
- project:
- description: Project is the name of the Pulumi ESC project the environment belongs to.
- type: string
- required:
- - accessToken
- - environment
- - organization
- - project
- type: object
scaleway:
description: Scaleway
properties:
@@ -2829,26 +2315,13 @@ spec:
description: SecretRef references a key in a secret that will be used as value.
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
value:
@@ -2871,26 +2344,13 @@ spec:
description: SecretRef references a key in a secret that will be used as value.
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
value:
@@ -2903,87 +2363,6 @@ spec:
- region
- secretKey
type: object
- secretserver:
- description: |-
- SecretServer configures this store to sync secrets using SecretServer provider
- https://docs.delinea.com/online-help/secret-server/start.htm
- properties:
- password:
- description: Password is the secret server account password.
- properties:
- secretRef:
- description: SecretRef references a key in a secret that will be used as value.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- value:
- description: Value can be specified directly to set a value without using a secret.
- type: string
- type: object
- serverURL:
- description: |-
- ServerURL
- URL to your secret server installation
- type: string
- username:
- description: Username is the secret server account username.
- properties:
- secretRef:
- description: SecretRef references a key in a secret that will be used as value.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- value:
- description: Value can be specified directly to set a value without using a secret.
- type: string
- type: object
- required:
- - password
- - serverURL
- - username
- type: object
senhasegura:
description: Senhasegura configures this store to sync secrets using senhasegura provider
properties:
@@ -2993,31 +2372,16 @@ spec:
clientId:
type: string
clientSecretSecretRef:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
+ description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
required:
@@ -3046,79 +2410,39 @@ spec:
description: Auth configures how secret-manager authenticates with the Vault server.
properties:
appRole:
- description: |-
- AppRole authenticates with Vault using the App Role auth mechanism,
- with the role and secret stored in a Kubernetes Secret resource.
+ description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
properties:
path:
default: approle
- description: |-
- Path where the App Role authentication backend is mounted
- in Vault, e.g: "approle"
+ description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
type: string
roleId:
- description: |-
- RoleID configured in the App Role authentication backend when setting
- up the authentication backend in Vault.
+ description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
type: string
roleRef:
- description: |-
- Reference to a key in a Secret that contains the App Role ID used
- to authenticate with Vault.
- The `key` field must be specified and denotes which entry within the Secret
- resource is used as the app role id.
+ description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id.
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
secretRef:
- description: |-
- Reference to a key in a Secret that contains the App Role secret used
- to authenticate with Vault.
- The `key` field must be specified and denotes which entry within the Secret
- resource is used as the app role secret.
+ description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
required:
@@ -3126,71 +2450,37 @@ spec:
- secretRef
type: object
cert:
- description: |-
- Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
- Cert authentication method
+ description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method
properties:
clientCert:
- description: |-
- ClientCert is a certificate to authenticate using the Cert Vault
- authentication method
+ description: ClientCert is a certificate to authenticate using the Cert Vault authentication method
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
secretRef:
- description: |-
- SecretRef to a key in a Secret resource containing client private key to
- authenticate with Vault using the Cert authentication method
+ description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
type: object
iam:
- description: |-
- Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials
- AWS IAM authentication method
+ description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method
properties:
externalID:
description: AWS External ID set on assumed IAM roles
@@ -3202,26 +2492,15 @@ spec:
description: A reference to a ServiceAccount resource.
properties:
audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
+ description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
items:
type: string
type: array
name:
description: The name of the ServiceAccount resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- Namespace of the resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
required:
- name
@@ -3243,81 +2522,39 @@ spec:
description: The AccessKeyID is used for authentication
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
secretAccessKeySecretRef:
description: The SecretAccessKey is used for authentication
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
sessionTokenSecretRef:
- description: |-
- The SessionToken used for authentication
- This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
- see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
+ description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html'
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
type: object
@@ -3331,57 +2568,33 @@ spec:
- vaultRole
type: object
jwt:
- description: |-
- Jwt authenticates with Vault by passing role and JWT token using the
- JWT/OIDC authentication method
+ description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method
properties:
kubernetesServiceAccountToken:
- description: |-
- Optional ServiceAccountToken specifies the Kubernetes service account for which to request
- a token for with the `TokenRequest` API.
+ description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API.
properties:
audiences:
- description: |-
- Optional audiences field that will be used to request a temporary Kubernetes service
- account token for the service account referenced by `serviceAccountRef`.
- Defaults to a single audience `vault` it not specified.
- Deprecated: use serviceAccountRef.Audiences instead
+ description: 'Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. Deprecated: use serviceAccountRef.Audiences instead'
items:
type: string
type: array
expirationSeconds:
- description: |-
- Optional expiration time in seconds that will be used to request a temporary
- Kubernetes service account token for the service account referenced by
- `serviceAccountRef`.
- Deprecated: this will be removed in the future.
- Defaults to 10 minutes.
+ description: 'Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Deprecated: this will be removed in the future. Defaults to 10 minutes.'
format: int64
type: integer
serviceAccountRef:
description: Service account field containing the name of a kubernetes ServiceAccount.
properties:
audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
+ description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
items:
type: string
type: array
name:
description: The name of the ServiceAccount resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- Namespace of the resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
required:
- name
@@ -3391,120 +2604,63 @@ spec:
type: object
path:
default: jwt
- description: |-
- Path where the JWT authentication backend is mounted
- in Vault, e.g: "jwt"
+ description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"'
type: string
role:
- description: |-
- Role is a JWT role to authenticate using the JWT/OIDC Vault
- authentication method
+ description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method
type: string
secretRef:
- description: |-
- Optional SecretRef that refers to a key in a Secret resource containing JWT token to
- authenticate with Vault using the JWT/OIDC authentication method.
+ description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method.
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
required:
- path
type: object
kubernetes:
- description: |-
- Kubernetes authenticates with Vault by passing the ServiceAccount
- token stored in the named Secret resource to the Vault server.
+ description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
properties:
mountPath:
default: kubernetes
- description: |-
- Path where the Kubernetes authentication backend is mounted in Vault, e.g:
- "kubernetes"
+ description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"'
type: string
role:
- description: |-
- A required field containing the Vault Role to assume. A Role binds a
- Kubernetes ServiceAccount with a set of Vault policies.
+ description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
type: string
secretRef:
- description: |-
- Optional secret field containing a Kubernetes ServiceAccount JWT used
- for authenticating with Vault. If a name is specified without a key,
- `token` is the default. If one is not specified, the one bound to
- the controller will be used.
+ description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used.
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
serviceAccountRef:
- description: |-
- Optional service account field containing the name of a kubernetes ServiceAccount.
- If the service account is specified, the service account secret token JWT will be used
- for authenticating with Vault. If the service account selector is not supplied,
- the secretRef will be used instead.
+ description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead.
properties:
audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
+ description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
items:
type: string
type: array
name:
description: The name of the ServiceAccount resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- Namespace of the resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
required:
- name
@@ -3514,130 +2670,67 @@ spec:
- role
type: object
ldap:
- description: |-
- Ldap authenticates with Vault by passing username/password pair using
- the LDAP authentication method
+ description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method
properties:
path:
default: ldap
- description: |-
- Path where the LDAP authentication backend is mounted
- in Vault, e.g: "ldap"
+ description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"'
type: string
secretRef:
- description: |-
- SecretRef to a key in a Secret resource containing password for the LDAP
- user used to authenticate with Vault using the LDAP authentication
- method
+ description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
username:
- description: |-
- Username is an LDAP username used to authenticate using the LDAP Vault
- authentication method
+ description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method
type: string
required:
- path
- username
type: object
- namespace:
- description: |-
- Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in.
- Namespaces is a set of features within Vault Enterprise that allows
- Vault environments to support Secure Multi-tenancy. e.g: "ns1".
- More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
- This will default to Vault.Namespace field if set, or empty otherwise
- type: string
tokenSecretRef:
description: TokenSecretRef authenticates with Vault by presenting a token.
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
userPass:
description: UserPass authenticates with Vault by passing username/password pair
properties:
path:
- default: userpass
- description: |-
- Path where the UserPassword authentication backend is mounted
- in Vault, e.g: "userpass"
+ default: user
+ description: 'Path where the UserPassword authentication backend is mounted in Vault, e.g: "user"'
type: string
secretRef:
- description: |-
- SecretRef to a key in a Secret resource containing password for the
- user used to authenticate with Vault using the UserPass authentication
- method
+ description: SecretRef to a key in a Secret resource containing password for the user used to authenticate with Vault using the UserPass authentication method
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
username:
- description: |-
- Username is a username used to authenticate using the UserPass Vault
- authentication method
+ description: Username is a user name used to authenticate using the UserPass Vault authentication method
type: string
required:
- path
@@ -3645,11 +2738,7 @@ spec:
type: object
type: object
caBundle:
- description: |-
- PEM encoded CA bundle used to validate Vault server certificate. Only used
- if the Server URL is using HTTPS protocol. This parameter is ignored for
- plain HTTP protocol connection. If not set the system root certificates
- are used to validate the TLS connection.
+ description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
format: byte
type: string
caProvider:
@@ -3657,23 +2746,12 @@ spec:
properties:
key:
description: The key where the CA certificate can be found in the Secret or ConfigMap.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
type: string
name:
description: The name of the object located at the provider type.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace the Provider type is in.
- Can only be defined when used in a ClusterSecretStore.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore.
type: string
type:
description: The type of provider to use such as "Secret", or "ConfigMap".
@@ -3686,222 +2764,52 @@ spec:
- type
type: object
forwardInconsistent:
- description: |-
- ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
- leader instead of simply retrying within a loop. This can increase performance if
- the option is enabled serverside.
- https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
+ description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
type: boolean
- headers:
- additionalProperties:
- type: string
- description: Headers to be added in Vault request
- type: object
namespace:
- description: |-
- Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
- Vault environments to support Secure Multi-tenancy. e.g: "ns1".
- More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
+ description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
type: string
path:
- description: |-
- Path is the mount path of the Vault KV backend endpoint, e.g:
- "secret". The v2 KV secret engine version specific "/data" path suffix
- for fetching secrets from Vault is optional and will be appended
- if not present in specified path.
+ description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.'
type: string
readYourWrites:
- description: |-
- ReadYourWrites ensures isolated read-after-write semantics by
- providing discovered cluster replication states in each request.
- More information about eventual consistency in Vault can be found here
- https://www.vaultproject.io/docs/enterprise/consistency
+ description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency
type: boolean
server:
description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
type: string
- tls:
- description: |-
- The configuration used for client side related TLS communication, when the Vault server
- requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
- This parameter is ignored for plain HTTP protocol connection.
- It's worth noting this configuration is different from the "TLS certificates auth method",
- which is available under the `auth.cert` section.
- properties:
- certSecretRef:
- description: |-
- CertSecretRef is a certificate added to the transport layer
- when communicating with the Vault server.
- If no key for the Secret is specified, external-secret will default to 'tls.crt'.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- keySecretRef:
- description: |-
- KeySecretRef to a key in a Secret resource containing client private key
- added to the transport layer when communicating with the Vault server.
- If no key for the Secret is specified, external-secret will default to 'tls.key'.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
version:
default: v2
- description: |-
- Version is the Vault KV secret engine version. This can be either "v1" or
- "v2". Version defaults to "v2".
+ description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2".
enum:
- v1
- v2
type: string
required:
+ - auth
- server
type: object
webhook:
description: Webhook configures this store to sync secrets using a generic templated webhook
properties:
- auth:
- description: Auth specifies a authorization protocol. Only one protocol may be set.
- maxProperties: 1
- minProperties: 1
- properties:
- ntlm:
- description: NTLMProtocol configures the store to use NTLM for auth
- properties:
- passwordSecret:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- usernameSecret:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - passwordSecret
- - usernameSecret
- type: object
- type: object
body:
description: Body
type: string
caBundle:
- description: |-
- PEM encoded CA bundle used to validate webhook server certificate. Only used
- if the Server URL is using HTTPS protocol. This parameter is ignored for
- plain HTTP protocol connection. If not set the system root certificates
- are used to validate the TLS connection.
+ description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
format: byte
type: string
caProvider:
description: The provider for the CA bundle to use to validate webhook server certificate.
properties:
key:
- description: The key where the CA certificate can be found in the Secret or ConfigMap.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key the value inside of the provider type to use, only used with "Secret" type
type: string
name:
description: The name of the object located at the provider type.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
description: The namespace the Provider type is in.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
type:
description: The type of provider to use such as "Secret", or "ConfigMap".
@@ -3929,9 +2837,7 @@ spec:
type: string
type: object
secrets:
- description: |-
- Secrets to fill in templates
- These secrets will be passed to the templating function as key value pairs under the given name
+ description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name
items:
properties:
name:
@@ -3941,26 +2847,13 @@ spec:
description: Secret ref to fill in credentials
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
required:
@@ -3991,26 +2884,13 @@ spec:
description: The authorized key used for authentication
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
type: object
@@ -4018,31 +2898,16 @@ spec:
description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
properties:
certSecretRef:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
+ description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
type: object
@@ -4062,26 +2927,13 @@ spec:
description: The authorized key used for authentication
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
type: object
@@ -4089,31 +2941,16 @@ spec:
description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
properties:
certSecretRef:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
+ description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
type: object
@@ -4167,4145 +3004,16 @@ spec:
storage: true
subresources:
status: {}
- - additionalPrinterColumns:
- - jsonPath: .metadata.creationTimestamp
- name: AGE
- type: date
- - jsonPath: .status.conditions[?(@.type=="Ready")].reason
- name: Status
- type: string
- - jsonPath: .status.capabilities
- name: Capabilities
- type: string
- - jsonPath: .status.conditions[?(@.type=="Ready")].status
- name: Ready
- type: string
- name: v1beta1
- schema:
- openAPIV3Schema:
- description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
- properties:
- apiVersion:
- description: |-
- APIVersion defines the versioned schema of this representation of an object.
- Servers should convert recognized schemas to the latest internal value, and
- may reject unrecognized values.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
- type: string
- kind:
- description: |-
- Kind is a string value representing the REST resource this object represents.
- Servers may infer this from the endpoint the client submits requests to.
- Cannot be updated.
- In CamelCase.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
- type: string
- metadata:
- type: object
- spec:
- description: SecretStoreSpec defines the desired state of SecretStore.
- properties:
- conditions:
- description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore
- items:
- description: |-
- ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in
- for a ClusterSecretStore instance.
- properties:
- namespaceRegexes:
- description: Choose namespaces by using regex matching
- items:
- type: string
- type: array
- namespaceSelector:
- description: Choose namespace using a labelSelector
- properties:
- matchExpressions:
- description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the selector applies to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- required:
- - key
- - operator
- type: object
- type: array
- x-kubernetes-list-type: atomic
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- namespaces:
- description: Choose namespaces by name
- items:
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- controller:
- description: |-
- Used to select the correct ESO controller (think: ingress.ingressClassName)
- The ESO controller is instantiated with a specific controller name and filters ES based on this property
- type: string
- provider:
- description: Used to configure the provider. Only one provider may be set
- maxProperties: 1
- minProperties: 1
- properties:
- akeyless:
- description: Akeyless configures this store to sync secrets using Akeyless Vault provider
- properties:
- akeylessGWApiURL:
- description: Akeyless GW API Url from which the secrets to be fetched from.
- type: string
- authSecretRef:
- description: Auth configures how the operator authenticates with Akeyless.
- properties:
- kubernetesAuth:
- description: |-
- Kubernetes authenticates with Akeyless by passing the ServiceAccount
- token stored in the named Secret resource.
- properties:
- accessID:
- description: the Akeyless Kubernetes auth-method access-id
- type: string
- k8sConfName:
- description: Kubernetes-auth configuration name in Akeyless-Gateway
- type: string
- secretRef:
- description: |-
- Optional secret field containing a Kubernetes ServiceAccount JWT used
- for authenticating with Akeyless. If a name is specified without a key,
- `token` is the default. If one is not specified, the one bound to
- the controller will be used.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- serviceAccountRef:
- description: |-
- Optional service account field containing the name of a kubernetes ServiceAccount.
- If the service account is specified, the service account secret token JWT will be used
- for authenticating with Akeyless. If the service account selector is not supplied,
- the secretRef will be used instead.
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- required:
- - name
- type: object
- required:
- - accessID
- - k8sConfName
- type: object
- secretRef:
- description: |-
- Reference to a Secret that contains the details
- to authenticate with Akeyless.
- properties:
- accessID:
- description: The SecretAccessID is used for authentication
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- accessType:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- accessTypeParam:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- type: object
- caBundle:
- description: |-
- PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used
- if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates
- are used to validate the TLS connection.
- format: byte
- type: string
- caProvider:
- description: The provider for the CA bundle to use to validate Akeyless Gateway certificate.
- properties:
- key:
- description: The key where the CA certificate can be found in the Secret or ConfigMap.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the object located at the provider type.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace the Provider type is in.
- Can only be defined when used in a ClusterSecretStore.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type:
- description: The type of provider to use such as "Secret", or "ConfigMap".
- enum:
- - Secret
- - ConfigMap
- type: string
- required:
- - name
- - type
- type: object
- required:
- - akeylessGWApiURL
- - authSecretRef
- type: object
- alibaba:
- description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
- properties:
- auth:
- description: AlibabaAuth contains a secretRef for credentials.
- properties:
- rrsa:
- description: Authenticate against Alibaba using RRSA.
- properties:
- oidcProviderArn:
- type: string
- oidcTokenFilePath:
- type: string
- roleArn:
- type: string
- sessionName:
- type: string
- required:
- - oidcProviderArn
- - oidcTokenFilePath
- - roleArn
- - sessionName
- type: object
- secretRef:
- description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
- properties:
- accessKeyIDSecretRef:
- description: The AccessKeyID is used for authentication
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- accessKeySecretSecretRef:
- description: The AccessKeySecret is used for authentication
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - accessKeyIDSecretRef
- - accessKeySecretSecretRef
- type: object
- type: object
- regionID:
- description: Alibaba Region to be used for the provider
- type: string
- required:
- - auth
- - regionID
- type: object
- aws:
- description: AWS configures this store to sync secrets using AWS Secret Manager provider
- properties:
- additionalRoles:
- description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role
- items:
- type: string
- type: array
- auth:
- description: |-
- Auth defines the information necessary to authenticate against AWS
- if not set aws sdk will infer credentials from your environment
- see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
- properties:
- jwt:
- description: Authenticate against AWS using service account tokens.
- properties:
- serviceAccountRef:
- description: A reference to a ServiceAccount resource.
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- required:
- - name
- type: object
- type: object
- secretRef:
- description: |-
- AWSAuthSecretRef holds secret references for AWS credentials
- both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
- properties:
- accessKeyIDSecretRef:
- description: The AccessKeyID is used for authentication
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- secretAccessKeySecretRef:
- description: The SecretAccessKey is used for authentication
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- sessionTokenSecretRef:
- description: |-
- The SessionToken used for authentication
- This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
- see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- type: object
- externalID:
- description: AWS External ID set on assumed IAM roles
- type: string
- prefix:
- description: Prefix adds a prefix to all retrieved values.
- type: string
- region:
- description: AWS Region to be used for the provider
- type: string
- role:
- description: Role is a Role ARN which the provider will assume
- type: string
- secretsManager:
- description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager
- properties:
- forceDeleteWithoutRecovery:
- description: |-
- Specifies whether to delete the secret without any recovery window. You
- can't use both this parameter and RecoveryWindowInDays in the same call.
- If you don't use either, then by default Secrets Manager uses a 30 day
- recovery window.
- see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery
- type: boolean
- recoveryWindowInDays:
- description: |-
- The number of days from 7 to 30 that Secrets Manager waits before
- permanently deleting the secret. You can't use both this parameter and
- ForceDeleteWithoutRecovery in the same call. If you don't use either,
- then by default Secrets Manager uses a 30 day recovery window.
- see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays
- format: int64
- type: integer
- type: object
- service:
- description: Service defines which service should be used to fetch the secrets
- enum:
- - SecretsManager
- - ParameterStore
- type: string
- sessionTags:
- description: AWS STS assume role session tags
- items:
- properties:
- key:
- type: string
- value:
- type: string
- required:
- - key
- - value
- type: object
- type: array
- transitiveTagKeys:
- description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider
- items:
- type: string
- type: array
- required:
- - region
- - service
- type: object
- azurekv:
- description: AzureKV configures this store to sync secrets using Azure Key Vault provider
- properties:
- authSecretRef:
- description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
- properties:
- clientCertificate:
- description: The Azure ClientCertificate of the service principle used for authentication.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- clientId:
- description: The Azure clientId of the service principle or managed identity used for authentication.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- clientSecret:
- description: The Azure ClientSecret of the service principle used for authentication.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- tenantId:
- description: The Azure tenantId of the managed identity used for authentication.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- authType:
- default: ServicePrincipal
- description: |-
- Auth type defines how to authenticate to the keyvault service.
- Valid values are:
- - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
- - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
- enum:
- - ServicePrincipal
- - ManagedIdentity
- - WorkloadIdentity
- type: string
- environmentType:
- default: PublicCloud
- description: |-
- EnvironmentType specifies the Azure cloud environment endpoints to use for
- connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
- The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
- PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
- enum:
- - PublicCloud
- - USGovernmentCloud
- - ChinaCloud
- - GermanCloud
- type: string
- identityId:
- description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
- type: string
- serviceAccountRef:
- description: |-
- ServiceAccountRef specified the service account
- that should be used when authenticating with WorkloadIdentity.
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- required:
- - name
- type: object
- tenantId:
- description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
- type: string
- vaultUrl:
- description: Vault Url from which the secrets to be fetched from.
- type: string
- required:
- - vaultUrl
- type: object
- beyondtrust:
- description: Beyondtrust configures this store to sync secrets using Password Safe provider.
- properties:
- auth:
- description: Auth configures how the operator authenticates with Beyondtrust.
- properties:
- apiKey:
- description: APIKey If not provided then ClientID/ClientSecret become required.
- properties:
- secretRef:
- description: SecretRef references a key in a secret that will be used as value.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- value:
- description: Value can be specified directly to set a value without using a secret.
- type: string
- type: object
- certificate:
- description: Certificate (cert.pem) for use when authenticating with an OAuth client Id using a Client Certificate.
- properties:
- secretRef:
- description: SecretRef references a key in a secret that will be used as value.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- value:
- description: Value can be specified directly to set a value without using a secret.
- type: string
- type: object
- certificateKey:
- description: Certificate private key (key.pem). For use when authenticating with an OAuth client Id
- properties:
- secretRef:
- description: SecretRef references a key in a secret that will be used as value.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- value:
- description: Value can be specified directly to set a value without using a secret.
- type: string
- type: object
- clientId:
- description: ClientID is the API OAuth Client ID.
- properties:
- secretRef:
- description: SecretRef references a key in a secret that will be used as value.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- value:
- description: Value can be specified directly to set a value without using a secret.
- type: string
- type: object
- clientSecret:
- description: ClientSecret is the API OAuth Client Secret.
- properties:
- secretRef:
- description: SecretRef references a key in a secret that will be used as value.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- value:
- description: Value can be specified directly to set a value without using a secret.
- type: string
- type: object
- type: object
- server:
- description: Auth configures how API server works.
- properties:
- apiUrl:
- type: string
- apiVersion:
- type: string
- clientTimeOutSeconds:
- description: Timeout specifies a time limit for requests made by this Client. The timeout includes connection time, any redirects, and reading the response body. Defaults to 45 seconds.
- type: integer
- retrievalType:
- description: The secret retrieval type. SECRET = Secrets Safe (credential, text, file). MANAGED_ACCOUNT = Password Safe account associated with a system.
- type: string
- separator:
- description: A character that separates the folder names.
- type: string
- verifyCA:
- type: boolean
- required:
- - apiUrl
- - verifyCA
- type: object
- required:
- - auth
- - server
- type: object
- bitwardensecretsmanager:
- description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider
- properties:
- apiURL:
- type: string
- auth:
- description: |-
- Auth configures how secret-manager authenticates with a bitwarden machine account instance.
- Make sure that the token being used has permissions on the given secret.
- properties:
- secretRef:
- description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance.
- properties:
- credentials:
- description: AccessToken used for the bitwarden instance.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - credentials
- type: object
- required:
- - secretRef
- type: object
- bitwardenServerSDKURL:
- type: string
- caBundle:
- description: |-
- Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack
- can be performed.
- type: string
- caProvider:
- description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider'
- properties:
- key:
- description: The key where the CA certificate can be found in the Secret or ConfigMap.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the object located at the provider type.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace the Provider type is in.
- Can only be defined when used in a ClusterSecretStore.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type:
- description: The type of provider to use such as "Secret", or "ConfigMap".
- enum:
- - Secret
- - ConfigMap
- type: string
- required:
- - name
- - type
- type: object
- identityURL:
- type: string
- organizationID:
- description: OrganizationID determines which organization this secret store manages.
- type: string
- projectID:
- description: ProjectID determines which project this secret store manages.
- type: string
- required:
- - auth
- - organizationID
- - projectID
- type: object
- chef:
- description: Chef configures this store to sync secrets with chef server
- properties:
- auth:
- description: Auth defines the information necessary to authenticate against chef Server
- properties:
- secretRef:
- description: ChefAuthSecretRef holds secret references for chef server login credentials.
- properties:
- privateKeySecretRef:
- description: SecretKey is the Signing Key in PEM format, used for authentication.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - privateKeySecretRef
- type: object
- required:
- - secretRef
- type: object
- serverUrl:
- description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/"
- type: string
- username:
- description: UserName should be the user ID on the chef server
- type: string
- required:
- - auth
- - serverUrl
- - username
- type: object
- cloudrusm:
- description: CloudruSM configures this store to sync secrets using the Cloud.ru Secret Manager provider
- properties:
- auth:
- description: CSMAuth contains a secretRef for credentials.
- properties:
- secretRef:
- description: CSMAuthSecretRef holds secret references for Cloud.ru credentials.
- properties:
- accessKeyIDSecretRef:
- description: The AccessKeyID is used for authentication
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- accessKeySecretSecretRef:
- description: The AccessKeySecret is used for authentication
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - accessKeyIDSecretRef
- - accessKeySecretSecretRef
- type: object
- type: object
- projectID:
- description: ProjectID is the project, which the secrets are stored in.
- type: string
- required:
- - auth
- type: object
- conjur:
- description: Conjur configures this store to sync secrets using conjur provider
- properties:
- auth:
- description: Defines authentication settings for connecting to Conjur.
- properties:
- apikey:
- description: Authenticates with Conjur using an API key.
- properties:
- account:
- description: Account is the Conjur organization account name.
- type: string
- apiKeyRef:
- description: |-
- A reference to a specific 'key' containing the Conjur API key
- within a Secret resource. In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- userRef:
- description: |-
- A reference to a specific 'key' containing the Conjur username
- within a Secret resource. In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - account
- - apiKeyRef
- - userRef
- type: object
- jwt:
- description: Jwt enables JWT authentication using Kubernetes service account tokens.
- properties:
- account:
- description: Account is the Conjur organization account name.
- type: string
- hostId:
- description: |-
- Optional HostID for JWT authentication. This may be used depending
- on how the Conjur JWT authenticator policy is configured.
- type: string
- secretRef:
- description: |-
- Optional SecretRef that refers to a key in a Secret resource containing JWT token to
- authenticate with Conjur using the JWT authentication method.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- serviceAccountRef:
- description: |-
- Optional ServiceAccountRef specifies the Kubernetes service account for which to request
- a token for with the `TokenRequest` API.
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- required:
- - name
- type: object
- serviceID:
- description: The conjur authn jwt webservice id
- type: string
- required:
- - account
- - serviceID
- type: object
- type: object
- caBundle:
- description: CABundle is a PEM encoded CA bundle that will be used to validate the Conjur server certificate.
- type: string
- caProvider:
- description: |-
- Used to provide custom certificate authority (CA) certificates
- for a secret store. The CAProvider points to a Secret or ConfigMap resource
- that contains a PEM-encoded certificate.
- properties:
- key:
- description: The key where the CA certificate can be found in the Secret or ConfigMap.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the object located at the provider type.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace the Provider type is in.
- Can only be defined when used in a ClusterSecretStore.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type:
- description: The type of provider to use such as "Secret", or "ConfigMap".
- enum:
- - Secret
- - ConfigMap
- type: string
- required:
- - name
- - type
- type: object
- url:
- description: URL is the endpoint of the Conjur instance.
- type: string
- required:
- - auth
- - url
- type: object
- delinea:
- description: |-
- Delinea DevOps Secrets Vault
- https://docs.delinea.com/online-help/products/devops-secrets-vault/current
- properties:
- clientId:
- description: ClientID is the non-secret part of the credential.
- properties:
- secretRef:
- description: SecretRef references a key in a secret that will be used as value.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- value:
- description: Value can be specified directly to set a value without using a secret.
- type: string
- type: object
- clientSecret:
- description: ClientSecret is the secret part of the credential.
- properties:
- secretRef:
- description: SecretRef references a key in a secret that will be used as value.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- value:
- description: Value can be specified directly to set a value without using a secret.
- type: string
- type: object
- tenant:
- description: Tenant is the chosen hostname / site name.
- type: string
- tld:
- description: |-
- TLD is based on the server location that was chosen during provisioning.
- If unset, defaults to "com".
- type: string
- urlTemplate:
- description: |-
- URLTemplate
- If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s".
- type: string
- required:
- - clientId
- - clientSecret
- - tenant
- type: object
- device42:
- description: Device42 configures this store to sync secrets using the Device42 provider
- properties:
- auth:
- description: Auth configures how secret-manager authenticates with a Device42 instance.
- properties:
- secretRef:
- properties:
- credentials:
- description: Username / Password is used for authentication.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- required:
- - secretRef
- type: object
- host:
- description: URL configures the Device42 instance URL.
- type: string
- required:
- - auth
- - host
- type: object
- doppler:
- description: Doppler configures this store to sync secrets using the Doppler provider
- properties:
- auth:
- description: Auth configures how the Operator authenticates with the Doppler API
- properties:
- secretRef:
- properties:
- dopplerToken:
- description: |-
- The DopplerToken is used for authentication.
- See https://docs.doppler.com/reference/api#authentication for auth token types.
- The Key attribute defaults to dopplerToken if not specified.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - dopplerToken
- type: object
- required:
- - secretRef
- type: object
- config:
- description: Doppler config (required if not using a Service Token)
- type: string
- format:
- description: Format enables the downloading of secrets as a file (string)
- enum:
- - json
- - dotnet-json
- - env
- - yaml
- - docker
- type: string
- nameTransformer:
- description: Environment variable compatible name transforms that change secret names to a different format
- enum:
- - upper-camel
- - camel
- - lower-snake
- - tf-var
- - dotnet-env
- - lower-kebab
- type: string
- project:
- description: Doppler project (required if not using a Service Token)
- type: string
- required:
- - auth
- type: object
- fake:
- description: Fake configures a store with static key/value pairs
- properties:
- data:
- items:
- properties:
- key:
- type: string
- value:
- type: string
- version:
- type: string
- required:
- - key
- - value
- type: object
- type: array
- required:
- - data
- type: object
- fortanix:
- description: Fortanix configures this store to sync secrets using the Fortanix provider
- properties:
- apiKey:
- description: APIKey is the API token to access SDKMS Applications.
- properties:
- secretRef:
- description: SecretRef is a reference to a secret containing the SDKMS API Key.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- apiUrl:
- description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`.
- type: string
- type: object
- gcpsm:
- description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
- properties:
- auth:
- description: Auth defines the information necessary to authenticate against GCP
- properties:
- secretRef:
- properties:
- secretAccessKeySecretRef:
- description: The SecretAccessKey is used for authentication
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- workloadIdentity:
- properties:
- clusterLocation:
- description: |-
- ClusterLocation is the location of the cluster
- If not specified, it fetches information from the metadata server
- type: string
- clusterName:
- description: |-
- ClusterName is the name of the cluster
- If not specified, it fetches information from the metadata server
- type: string
- clusterProjectID:
- description: |-
- ClusterProjectID is the project ID of the cluster
- If not specified, it fetches information from the metadata server
- type: string
- serviceAccountRef:
- description: A reference to a ServiceAccount resource.
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- required:
- - name
- type: object
- required:
- - serviceAccountRef
- type: object
- type: object
- location:
- description: Location optionally defines a location for a secret
- type: string
- projectID:
- description: ProjectID project where secret is located
- type: string
- type: object
- github:
- description: Github configures this store to push Github Action secrets using Github API provider
- properties:
- appID:
- description: appID specifies the Github APP that will be used to authenticate the client
- format: int64
- type: integer
- auth:
- description: auth configures how secret-manager authenticates with a Github instance.
- properties:
- privateKey:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - privateKey
- type: object
- environment:
- description: environment will be used to fetch secrets from a particular environment within a github repository
- type: string
- installationID:
- description: installationID specifies the Github APP installation that will be used to authenticate the client
- format: int64
- type: integer
- organization:
- description: organization will be used to fetch secrets from the Github organization
- type: string
- repository:
- description: repository will be used to fetch secrets from the Github repository within an organization
- type: string
- uploadURL:
- description: Upload URL for enterprise instances. Default to URL.
- type: string
- url:
- default: https://github.com/
- description: URL configures the Github instance URL. Defaults to https://github.com/.
- type: string
- required:
- - appID
- - auth
- - installationID
- - organization
- type: object
- gitlab:
- description: GitLab configures this store to sync secrets using GitLab Variables provider
- properties:
- auth:
- description: Auth configures how secret-manager authenticates with a GitLab instance.
- properties:
- SecretRef:
- properties:
- accessToken:
- description: AccessToken is used for authentication.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- required:
- - SecretRef
- type: object
- environment:
- description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments)
- type: string
- groupIDs:
- description: GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables.
- items:
- type: string
- type: array
- inheritFromGroups:
- description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets.
- type: boolean
- projectID:
- description: ProjectID specifies a project where secrets are located.
- type: string
- url:
- description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
- type: string
- required:
- - auth
- type: object
- ibm:
- description: IBM configures this store to sync secrets using IBM Cloud provider
- properties:
- auth:
- description: Auth configures how secret-manager authenticates with the IBM secrets manager.
- maxProperties: 1
- minProperties: 1
- properties:
- containerAuth:
- description: IBM Container-based auth with IAM Trusted Profile.
- properties:
- iamEndpoint:
- type: string
- profile:
- description: the IBM Trusted Profile
- type: string
- tokenLocation:
- description: Location the token is mounted on the pod
- type: string
- required:
- - profile
- type: object
- secretRef:
- properties:
- secretApiKeySecretRef:
- description: The SecretAccessKey is used for authentication
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- type: object
- serviceUrl:
- description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
- type: string
- required:
- - auth
- type: object
- infisical:
- description: Infisical configures this store to sync secrets using the Infisical provider
- properties:
- auth:
- description: Auth configures how the Operator authenticates with the Infisical API
- properties:
- universalAuthCredentials:
- properties:
- clientId:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- clientSecret:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - clientId
- - clientSecret
- type: object
- type: object
- hostAPI:
- default: https://app.infisical.com/api
- description: HostAPI specifies the base URL of the Infisical API. If not provided, it defaults to "https://app.infisical.com/api".
- type: string
- secretsScope:
- description: SecretsScope defines the scope of the secrets within the workspace
- properties:
- environmentSlug:
- description: EnvironmentSlug is the required slug identifier for the environment.
- type: string
- expandSecretReferences:
- default: true
- description: ExpandSecretReferences indicates whether secret references should be expanded. Defaults to true if not provided.
- type: boolean
- projectSlug:
- description: ProjectSlug is the required slug identifier for the project.
- type: string
- recursive:
- default: false
- description: Recursive indicates whether the secrets should be fetched recursively. Defaults to false if not provided.
- type: boolean
- secretsPath:
- default: /
- description: SecretsPath specifies the path to the secrets within the workspace. Defaults to "/" if not provided.
- type: string
- required:
- - environmentSlug
- - projectSlug
- type: object
- required:
- - auth
- - secretsScope
- type: object
- keepersecurity:
- description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider
- properties:
- authRef:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- folderID:
- type: string
- required:
- - authRef
- - folderID
- type: object
- kubernetes:
- description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
- properties:
- auth:
- description: Auth configures how secret-manager authenticates with a Kubernetes instance.
- maxProperties: 1
- minProperties: 1
- properties:
- cert:
- description: has both clientCert and clientKey as secretKeySelector
- properties:
- clientCert:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- clientKey:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- serviceAccount:
- description: points to a service account that should be used for authentication
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- required:
- - name
- type: object
- token:
- description: use static token to authenticate with
- properties:
- bearerToken:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- type: object
- authRef:
- description: A reference to a secret that contains the auth information.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- remoteNamespace:
- default: default
- description: Remote namespace to fetch the secrets from
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- server:
- description: configures the Kubernetes server Address.
- properties:
- caBundle:
- description: CABundle is a base64-encoded CA certificate
- format: byte
- type: string
- caProvider:
- description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
- properties:
- key:
- description: The key where the CA certificate can be found in the Secret or ConfigMap.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the object located at the provider type.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace the Provider type is in.
- Can only be defined when used in a ClusterSecretStore.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type:
- description: The type of provider to use such as "Secret", or "ConfigMap".
- enum:
- - Secret
- - ConfigMap
- type: string
- required:
- - name
- - type
- type: object
- url:
- default: kubernetes.default
- description: configures the Kubernetes server Address.
- type: string
- type: object
- type: object
- onboardbase:
- description: Onboardbase configures this store to sync secrets using the Onboardbase provider
- properties:
- apiHost:
- default: https://public.onboardbase.com/api/v1/
- description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/
- type: string
- auth:
- description: Auth configures how the Operator authenticates with the Onboardbase API
- properties:
- apiKeyRef:
- description: |-
- OnboardbaseAPIKey is the APIKey generated by an admin account.
- It is used to recognize and authorize access to a project and environment within onboardbase
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- passcodeRef:
- description: OnboardbasePasscode is the passcode attached to the API Key
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - apiKeyRef
- - passcodeRef
- type: object
- environment:
- default: development
- description: Environment is the name of an environmnent within a project to pull the secrets from
- type: string
- project:
- default: development
- description: Project is an onboardbase project that the secrets should be pulled from
- type: string
- required:
- - apiHost
- - auth
- - environment
- - project
- type: object
- onepassword:
- description: OnePassword configures this store to sync secrets using the 1Password Cloud provider
- properties:
- auth:
- description: Auth defines the information necessary to authenticate against OnePassword Connect Server
- properties:
- secretRef:
- description: OnePasswordAuthSecretRef holds secret references for 1Password credentials.
- properties:
- connectTokenSecretRef:
- description: The ConnectToken is used for authentication to a 1Password Connect Server.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - connectTokenSecretRef
- type: object
- required:
- - secretRef
- type: object
- connectHost:
- description: ConnectHost defines the OnePassword Connect Server to connect to
- type: string
- vaults:
- additionalProperties:
- type: integer
- description: Vaults defines which OnePassword vaults to search in which order
- type: object
- required:
- - auth
- - connectHost
- - vaults
- type: object
- oracle:
- description: Oracle configures this store to sync secrets using Oracle Vault provider
- properties:
- auth:
- description: |-
- Auth configures how secret-manager authenticates with the Oracle Vault.
- If empty, use the instance principal, otherwise the user credentials specified in Auth.
- properties:
- secretRef:
- description: SecretRef to pass through sensitive information.
- properties:
- fingerprint:
- description: Fingerprint is the fingerprint of the API private key.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- privatekey:
- description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - fingerprint
- - privatekey
- type: object
- tenancy:
- description: Tenancy is the tenancy OCID where user is located.
- type: string
- user:
- description: User is an access OCID specific to the account.
- type: string
- required:
- - secretRef
- - tenancy
- - user
- type: object
- compartment:
- description: |-
- Compartment is the vault compartment OCID.
- Required for PushSecret
- type: string
- encryptionKey:
- description: |-
- EncryptionKey is the OCID of the encryption key within the vault.
- Required for PushSecret
- type: string
- principalType:
- description: |-
- The type of principal to use for authentication. If left blank, the Auth struct will
- determine the principal type. This optional field must be specified if using
- workload identity.
- enum:
- - ""
- - UserPrincipal
- - InstancePrincipal
- - Workload
- type: string
- region:
- description: Region is the region where vault is located.
- type: string
- serviceAccountRef:
- description: |-
- ServiceAccountRef specified the service account
- that should be used when authenticating with WorkloadIdentity.
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- required:
- - name
- type: object
- vault:
- description: Vault is the vault's OCID of the specific vault where secret is located.
- type: string
- required:
- - region
- - vault
- type: object
- passbolt:
- properties:
- auth:
- description: Auth defines the information necessary to authenticate against Passbolt Server
- properties:
- passwordSecretRef:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- privateKeySecretRef:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - passwordSecretRef
- - privateKeySecretRef
- type: object
- host:
- description: Host defines the Passbolt Server to connect to
- type: string
- required:
- - auth
- - host
- type: object
- passworddepot:
- description: Configures a store to sync secrets with a Password Depot instance.
- properties:
- auth:
- description: Auth configures how secret-manager authenticates with a Password Depot instance.
- properties:
- secretRef:
- properties:
- credentials:
- description: Username / Password is used for authentication.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- required:
- - secretRef
- type: object
- database:
- description: Database to use as source
- type: string
- host:
- description: URL configures the Password Depot instance URL.
- type: string
- required:
- - auth
- - database
- - host
- type: object
- previder:
- description: Previder configures this store to sync secrets using the Previder provider
- properties:
- auth:
- description: PreviderAuth contains a secretRef for credentials.
- properties:
- secretRef:
- description: PreviderAuthSecretRef holds secret references for Previder Vault credentials.
- properties:
- accessToken:
- description: The AccessToken is used for authentication
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - accessToken
- type: object
- type: object
- baseUri:
- type: string
- required:
- - auth
- type: object
- pulumi:
- description: Pulumi configures this store to sync secrets using the Pulumi provider
- properties:
- accessToken:
- description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console.
- properties:
- secretRef:
- description: SecretRef is a reference to a secret containing the Pulumi API token.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- apiUrl:
- default: https://api.pulumi.com/api/esc
- description: APIURL is the URL of the Pulumi API.
- type: string
- environment:
- description: |-
- Environment are YAML documents composed of static key-value pairs, programmatic expressions,
- dynamically retrieved values from supported providers including all major clouds,
- and other Pulumi ESC environments.
- To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information.
- type: string
- organization:
- description: |-
- Organization are a space to collaborate on shared projects and stacks.
- To create a new organization, visit https://app.pulumi.com/ and click "New Organization".
- type: string
- project:
- description: Project is the name of the Pulumi ESC project the environment belongs to.
- type: string
- required:
- - accessToken
- - environment
- - organization
- - project
- type: object
- scaleway:
- description: Scaleway
- properties:
- accessKey:
- description: AccessKey is the non-secret part of the api key.
- properties:
- secretRef:
- description: SecretRef references a key in a secret that will be used as value.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- value:
- description: Value can be specified directly to set a value without using a secret.
- type: string
- type: object
- apiUrl:
- description: APIURL is the url of the api to use. Defaults to https://api.scaleway.com
- type: string
- projectId:
- description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings'
- type: string
- region:
- description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone'
- type: string
- secretKey:
- description: SecretKey is the non-secret part of the api key.
- properties:
- secretRef:
- description: SecretRef references a key in a secret that will be used as value.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- value:
- description: Value can be specified directly to set a value without using a secret.
- type: string
- type: object
- required:
- - accessKey
- - projectId
- - region
- - secretKey
- type: object
- secretserver:
- description: |-
- SecretServer configures this store to sync secrets using SecretServer provider
- https://docs.delinea.com/online-help/secret-server/start.htm
- properties:
- password:
- description: Password is the secret server account password.
- properties:
- secretRef:
- description: SecretRef references a key in a secret that will be used as value.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- value:
- description: Value can be specified directly to set a value without using a secret.
- type: string
- type: object
- serverURL:
- description: |-
- ServerURL
- URL to your secret server installation
- type: string
- username:
- description: Username is the secret server account username.
- properties:
- secretRef:
- description: SecretRef references a key in a secret that will be used as value.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- value:
- description: Value can be specified directly to set a value without using a secret.
- type: string
- type: object
- required:
- - password
- - serverURL
- - username
- type: object
- senhasegura:
- description: Senhasegura configures this store to sync secrets using senhasegura provider
- properties:
- auth:
- description: Auth defines parameters to authenticate in senhasegura
- properties:
- clientId:
- type: string
- clientSecretSecretRef:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - clientId
- - clientSecretSecretRef
- type: object
- ignoreSslCertificate:
- default: false
- description: IgnoreSslCertificate defines if SSL certificate must be ignored
- type: boolean
- module:
- description: Module defines which senhasegura module should be used to get secrets
- type: string
- url:
- description: URL of senhasegura
- type: string
- required:
- - auth
- - module
- - url
- type: object
- vault:
- description: Vault configures this store to sync secrets using Hashi provider
- properties:
- auth:
- description: Auth configures how secret-manager authenticates with the Vault server.
- properties:
- appRole:
- description: |-
- AppRole authenticates with Vault using the App Role auth mechanism,
- with the role and secret stored in a Kubernetes Secret resource.
- properties:
- path:
- default: approle
- description: |-
- Path where the App Role authentication backend is mounted
- in Vault, e.g: "approle"
- type: string
- roleId:
- description: |-
- RoleID configured in the App Role authentication backend when setting
- up the authentication backend in Vault.
- type: string
- roleRef:
- description: |-
- Reference to a key in a Secret that contains the App Role ID used
- to authenticate with Vault.
- The `key` field must be specified and denotes which entry within the Secret
- resource is used as the app role id.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- secretRef:
- description: |-
- Reference to a key in a Secret that contains the App Role secret used
- to authenticate with Vault.
- The `key` field must be specified and denotes which entry within the Secret
- resource is used as the app role secret.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - path
- - secretRef
- type: object
- cert:
- description: |-
- Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
- Cert authentication method
- properties:
- clientCert:
- description: |-
- ClientCert is a certificate to authenticate using the Cert Vault
- authentication method
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- secretRef:
- description: |-
- SecretRef to a key in a Secret resource containing client private key to
- authenticate with Vault using the Cert authentication method
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- iam:
- description: |-
- Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials
- AWS IAM authentication method
- properties:
- externalID:
- description: AWS External ID set on assumed IAM roles
- type: string
- jwt:
- description: Specify a service account with IRSA enabled
- properties:
- serviceAccountRef:
- description: A reference to a ServiceAccount resource.
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- required:
- - name
- type: object
- type: object
- path:
- description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
- type: string
- region:
- description: AWS region
- type: string
- role:
- description: This is the AWS role to be assumed before talking to vault
- type: string
- secretRef:
- description: Specify credentials in a Secret object
- properties:
- accessKeyIDSecretRef:
- description: The AccessKeyID is used for authentication
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- secretAccessKeySecretRef:
- description: The SecretAccessKey is used for authentication
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- sessionTokenSecretRef:
- description: |-
- The SessionToken used for authentication
- This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
- see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- vaultAwsIamServerID:
- description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
- type: string
- vaultRole:
- description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine
- type: string
- required:
- - vaultRole
- type: object
- jwt:
- description: |-
- Jwt authenticates with Vault by passing role and JWT token using the
- JWT/OIDC authentication method
- properties:
- kubernetesServiceAccountToken:
- description: |-
- Optional ServiceAccountToken specifies the Kubernetes service account for which to request
- a token for with the `TokenRequest` API.
- properties:
- audiences:
- description: |-
- Optional audiences field that will be used to request a temporary Kubernetes service
- account token for the service account referenced by `serviceAccountRef`.
- Defaults to a single audience `vault` it not specified.
- Deprecated: use serviceAccountRef.Audiences instead
- items:
- type: string
- type: array
- expirationSeconds:
- description: |-
- Optional expiration time in seconds that will be used to request a temporary
- Kubernetes service account token for the service account referenced by
- `serviceAccountRef`.
- Deprecated: this will be removed in the future.
- Defaults to 10 minutes.
- format: int64
- type: integer
- serviceAccountRef:
- description: Service account field containing the name of a kubernetes ServiceAccount.
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- required:
- - name
- type: object
- required:
- - serviceAccountRef
- type: object
- path:
- default: jwt
- description: |-
- Path where the JWT authentication backend is mounted
- in Vault, e.g: "jwt"
- type: string
- role:
- description: |-
- Role is a JWT role to authenticate using the JWT/OIDC Vault
- authentication method
- type: string
- secretRef:
- description: |-
- Optional SecretRef that refers to a key in a Secret resource containing JWT token to
- authenticate with Vault using the JWT/OIDC authentication method.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - path
- type: object
- kubernetes:
- description: |-
- Kubernetes authenticates with Vault by passing the ServiceAccount
- token stored in the named Secret resource to the Vault server.
- properties:
- mountPath:
- default: kubernetes
- description: |-
- Path where the Kubernetes authentication backend is mounted in Vault, e.g:
- "kubernetes"
- type: string
- role:
- description: |-
- A required field containing the Vault Role to assume. A Role binds a
- Kubernetes ServiceAccount with a set of Vault policies.
- type: string
- secretRef:
- description: |-
- Optional secret field containing a Kubernetes ServiceAccount JWT used
- for authenticating with Vault. If a name is specified without a key,
- `token` is the default. If one is not specified, the one bound to
- the controller will be used.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- serviceAccountRef:
- description: |-
- Optional service account field containing the name of a kubernetes ServiceAccount.
- If the service account is specified, the service account secret token JWT will be used
- for authenticating with Vault. If the service account selector is not supplied,
- the secretRef will be used instead.
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- required:
- - name
- type: object
- required:
- - mountPath
- - role
- type: object
- ldap:
- description: |-
- Ldap authenticates with Vault by passing username/password pair using
- the LDAP authentication method
- properties:
- path:
- default: ldap
- description: |-
- Path where the LDAP authentication backend is mounted
- in Vault, e.g: "ldap"
- type: string
- secretRef:
- description: |-
- SecretRef to a key in a Secret resource containing password for the LDAP
- user used to authenticate with Vault using the LDAP authentication
- method
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- username:
- description: |-
- Username is an LDAP username used to authenticate using the LDAP Vault
- authentication method
- type: string
- required:
- - path
- - username
- type: object
- namespace:
- description: |-
- Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in.
- Namespaces is a set of features within Vault Enterprise that allows
- Vault environments to support Secure Multi-tenancy. e.g: "ns1".
- More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
- This will default to Vault.Namespace field if set, or empty otherwise
- type: string
- tokenSecretRef:
- description: TokenSecretRef authenticates with Vault by presenting a token.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- userPass:
- description: UserPass authenticates with Vault by passing username/password pair
- properties:
- path:
- default: userpass
- description: |-
- Path where the UserPassword authentication backend is mounted
- in Vault, e.g: "userpass"
- type: string
- secretRef:
- description: |-
- SecretRef to a key in a Secret resource containing password for the
- user used to authenticate with Vault using the UserPass authentication
- method
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- username:
- description: |-
- Username is a username used to authenticate using the UserPass Vault
- authentication method
- type: string
- required:
- - path
- - username
- type: object
- type: object
- caBundle:
- description: |-
- PEM encoded CA bundle used to validate Vault server certificate. Only used
- if the Server URL is using HTTPS protocol. This parameter is ignored for
- plain HTTP protocol connection. If not set the system root certificates
- are used to validate the TLS connection.
- format: byte
- type: string
- caProvider:
- description: The provider for the CA bundle to use to validate Vault server certificate.
- properties:
- key:
- description: The key where the CA certificate can be found in the Secret or ConfigMap.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the object located at the provider type.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace the Provider type is in.
- Can only be defined when used in a ClusterSecretStore.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type:
- description: The type of provider to use such as "Secret", or "ConfigMap".
- enum:
- - Secret
- - ConfigMap
- type: string
- required:
- - name
- - type
- type: object
- forwardInconsistent:
- description: |-
- ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
- leader instead of simply retrying within a loop. This can increase performance if
- the option is enabled serverside.
- https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
- type: boolean
- headers:
- additionalProperties:
- type: string
- description: Headers to be added in Vault request
- type: object
- namespace:
- description: |-
- Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
- Vault environments to support Secure Multi-tenancy. e.g: "ns1".
- More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
- type: string
- path:
- description: |-
- Path is the mount path of the Vault KV backend endpoint, e.g:
- "secret". The v2 KV secret engine version specific "/data" path suffix
- for fetching secrets from Vault is optional and will be appended
- if not present in specified path.
- type: string
- readYourWrites:
- description: |-
- ReadYourWrites ensures isolated read-after-write semantics by
- providing discovered cluster replication states in each request.
- More information about eventual consistency in Vault can be found here
- https://www.vaultproject.io/docs/enterprise/consistency
- type: boolean
- server:
- description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
- type: string
- tls:
- description: |-
- The configuration used for client side related TLS communication, when the Vault server
- requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
- This parameter is ignored for plain HTTP protocol connection.
- It's worth noting this configuration is different from the "TLS certificates auth method",
- which is available under the `auth.cert` section.
- properties:
- certSecretRef:
- description: |-
- CertSecretRef is a certificate added to the transport layer
- when communicating with the Vault server.
- If no key for the Secret is specified, external-secret will default to 'tls.crt'.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- keySecretRef:
- description: |-
- KeySecretRef to a key in a Secret resource containing client private key
- added to the transport layer when communicating with the Vault server.
- If no key for the Secret is specified, external-secret will default to 'tls.key'.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- version:
- default: v2
- description: |-
- Version is the Vault KV secret engine version. This can be either "v1" or
- "v2". Version defaults to "v2".
- enum:
- - v1
- - v2
- type: string
- required:
- - server
- type: object
- webhook:
- description: Webhook configures this store to sync secrets using a generic templated webhook
- properties:
- auth:
- description: Auth specifies a authorization protocol. Only one protocol may be set.
- maxProperties: 1
- minProperties: 1
- properties:
- ntlm:
- description: NTLMProtocol configures the store to use NTLM for auth
- properties:
- passwordSecret:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- usernameSecret:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - passwordSecret
- - usernameSecret
- type: object
- type: object
- body:
- description: Body
- type: string
- caBundle:
- description: |-
- PEM encoded CA bundle used to validate webhook server certificate. Only used
- if the Server URL is using HTTPS protocol. This parameter is ignored for
- plain HTTP protocol connection. If not set the system root certificates
- are used to validate the TLS connection.
- format: byte
- type: string
- caProvider:
- description: The provider for the CA bundle to use to validate webhook server certificate.
- properties:
- key:
- description: The key where the CA certificate can be found in the Secret or ConfigMap.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the object located at the provider type.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: The namespace the Provider type is in.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type:
- description: The type of provider to use such as "Secret", or "ConfigMap".
- enum:
- - Secret
- - ConfigMap
- type: string
- required:
- - name
- - type
- type: object
- headers:
- additionalProperties:
- type: string
- description: Headers
- type: object
- method:
- description: Webhook Method
- type: string
- result:
- description: Result formatting
- properties:
- jsonPath:
- description: Json path of return value
- type: string
- type: object
- secrets:
- description: |-
- Secrets to fill in templates
- These secrets will be passed to the templating function as key value pairs under the given name
- items:
- properties:
- name:
- description: Name of this secret in templates
- type: string
- secretRef:
- description: Secret ref to fill in credentials
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - name
- - secretRef
- type: object
- type: array
- timeout:
- description: Timeout
- type: string
- url:
- description: Webhook url to call
- type: string
- required:
- - result
- - url
- type: object
- yandexcertificatemanager:
- description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider
- properties:
- apiEndpoint:
- description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
- type: string
- auth:
- description: Auth defines the information necessary to authenticate against Yandex Certificate Manager
- properties:
- authorizedKeySecretRef:
- description: The authorized key used for authentication
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- caProvider:
- description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
- properties:
- certSecretRef:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- required:
- - auth
- type: object
- yandexlockbox:
- description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
- properties:
- apiEndpoint:
- description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
- type: string
- auth:
- description: Auth defines the information necessary to authenticate against Yandex Lockbox
- properties:
- authorizedKeySecretRef:
- description: The authorized key used for authentication
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- caProvider:
- description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
- properties:
- certSecretRef:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- required:
- - auth
- type: object
- type: object
- refreshInterval:
- description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config.
- type: integer
- retrySettings:
- description: Used to configure http retries if failed
- properties:
- maxRetries:
- format: int32
- type: integer
- retryInterval:
- type: string
- type: object
- required:
- - provider
- type: object
- status:
- description: SecretStoreStatus defines the observed state of the SecretStore.
- properties:
- capabilities:
- description: SecretStoreCapabilities defines the possible operations a SecretStore can do.
- type: string
- conditions:
- items:
- properties:
- lastTransitionTime:
- format: date-time
- type: string
- message:
- type: string
- reason:
- type: string
- status:
- type: string
- type:
- type: string
- required:
- - status
- - type
- type: object
- type: array
- type: object
- type: object
- served: true
- storage: false
- subresources:
- status: {}
+{{- if .Values.crds.conversion.enabled }}
+ conversion:
+ strategy: Webhook
+ webhook:
+ conversionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: {{ include "external-secrets.fullname" . }}-webhook
+ namespace: {{ .Release.Namespace | quote }}
+ path: /convert
+{{- end }}
{{- end }}
diff --git a/charts/external-secrets/templates/crds/ecrauthorizationtoken.yaml b/charts/external-secrets/templates/crds/ecrauthorizationtoken.yaml
index 55d90a4..4eae527 100644
--- a/charts/external-secrets/templates/crds/ecrauthorizationtoken.yaml
+++ b/charts/external-secrets/templates/crds/ecrauthorizationtoken.yaml
@@ -9,47 +9,31 @@ metadata:
{{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
{{- end }}
- controller-gen.kubebuilder.io/version: v0.17.3
- labels:
- external-secrets.io/component: controller
+ controller-gen.kubebuilder.io/version: v0.13.0
name: ecrauthorizationtokens.generators.external-secrets.io
spec:
group: generators.external-secrets.io
names:
categories:
- - external-secrets
- - external-secrets-generators
+ - ecrauthorizationtoken
kind: ECRAuthorizationToken
listKind: ECRAuthorizationTokenList
plural: ecrauthorizationtokens
+ shortNames:
+ - ecrauthorizationtoken
singular: ecrauthorizationtoken
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
- description: |-
- ECRAuthorizationTokenSpec uses the GetAuthorizationToken API to retrieve an
- authorization token.
- The authorization token is valid for 12 hours.
- The authorizationToken returned is a base64 encoded string that can be decoded
- and used in a docker login command to authenticate to a registry.
- For more information, see Registry authentication (https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html#registry_auth) in the Amazon Elastic Container Registry User Guide.
+ description: ECRAuthorizationTokenSpec uses the GetAuthorizationToken API to retrieve an authorization token. The authorization token is valid for 12 hours. The authorizationToken returned is a base64 encoded string that can be decoded and used in a docker login command to authenticate to a registry. For more information, see Registry authentication (https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html#registry_auth) in the Amazon Elastic Container Registry User Guide.
properties:
apiVersion:
- description: |-
- APIVersion defines the versioned schema of this representation of an object.
- Servers should convert recognized schemas to the latest internal value, and
- may reject unrecognized values.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
- description: |-
- Kind is a string value representing the REST resource this object represents.
- Servers may infer this from the endpoint the client submits requests to.
- Cannot be updated.
- In CamelCase.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
@@ -65,115 +49,60 @@ spec:
description: A reference to a ServiceAccount resource.
properties:
audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
+ description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
items:
type: string
type: array
name:
description: The name of the ServiceAccount resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- Namespace of the resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
required:
- name
type: object
type: object
secretRef:
- description: |-
- AWSAuthSecretRef holds secret references for AWS credentials
- both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
+ description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
properties:
accessKeyIDSecretRef:
description: The AccessKeyID is used for authentication
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
secretAccessKeySecretRef:
description: The SecretAccessKey is used for authentication
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
sessionTokenSecretRef:
- description: |-
- The SessionToken used for authentication
- This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
- see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
+ description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html'
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
type: object
@@ -182,14 +111,7 @@ spec:
description: Region specifies the region to operate in.
type: string
role:
- description: |-
- You can assume a role before making calls to the
- desired AWS service.
- type: string
- scope:
- description: |-
- Scope specifies the ECR service scope.
- Valid options are private and public.
+ description: You can assume a role before making calls to the desired AWS service.
type: string
required:
- region
@@ -199,4 +121,16 @@ spec:
storage: true
subresources:
status: {}
+{{- if .Values.crds.conversion.enabled }}
+ conversion:
+ strategy: Webhook
+ webhook:
+ conversionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: {{ include "external-secrets.fullname" . }}-webhook
+ namespace: {{ .Release.Namespace | quote }}
+ path: /convert
+{{- end }}
{{- end }}
diff --git a/charts/external-secrets/templates/crds/externalsecret.yaml b/charts/external-secrets/templates/crds/externalsecret.yaml
index a6f1e83..9d0fe9f 100644
--- a/charts/external-secrets/templates/crds/externalsecret.yaml
+++ b/charts/external-secrets/templates/crds/externalsecret.yaml
@@ -9,15 +9,13 @@ metadata:
{{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
{{- end }}
- controller-gen.kubebuilder.io/version: v0.17.3
- labels:
- external-secrets.io/component: controller
+ controller-gen.kubebuilder.io/version: v0.13.0
name: externalsecrets.external-secrets.io
spec:
group: external-secrets.io
names:
categories:
- - external-secrets
+ - externalsecrets
kind: ExternalSecret
listKind: ExternalSecretList
plural: externalsecrets
@@ -27,9 +25,6 @@ spec:
scope: Namespaced
versions:
- additionalPrinterColumns:
- - jsonPath: .spec.secretStoreRef.kind
- name: StoreType
- type: string
- jsonPath: .spec.secretStoreRef.name
name: Store
type: string
@@ -39,28 +34,17 @@ spec:
- jsonPath: .status.conditions[?(@.type=="Ready")].reason
name: Status
type: string
- - jsonPath: .status.conditions[?(@.type=="Ready")].status
- name: Ready
- type: string
- name: v1
+ deprecated: true
+ name: v1alpha1
schema:
openAPIV3Schema:
description: ExternalSecret is the Schema for the external-secrets API.
properties:
apiVersion:
- description: |-
- APIVersion defines the versioned schema of this representation of an object.
- Servers should convert recognized schemas to the latest internal value, and
- may reject unrecognized values.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
- description: |-
- Kind is a string value representing the REST resource this object represents.
- Servers may infer this from the endpoint the client submits requests to.
- Cannot be updated.
- In CamelCase.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
@@ -73,9 +57,7 @@ spec:
description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data.
properties:
remoteRef:
- description: |-
- RemoteRef points to the remote secret and defines
- which secret (version/property/..) to fetch.
+ description: ExternalSecretDataRemoteRef defines Provider data location.
properties:
conversionStrategy:
default: Default
@@ -84,25 +66,9 @@ spec:
- Default
- Unicode
type: string
- decodingStrategy:
- default: None
- description: Used to define a decoding Strategy
- enum:
- - Auto
- - Base64
- - Base64URL
- - None
- type: string
key:
description: Key is the key used in the Provider, mandatory
type: string
- metadataPolicy:
- default: None
- description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
- enum:
- - None
- - Fetch
- type: string
property:
description: Used to select a specific property of the Provider value (if a map), if supported
type: string
@@ -113,343 +79,69 @@ spec:
- key
type: object
secretKey:
- description: The key in the Kubernetes Secret to store the value.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
type: string
- sourceRef:
- description: |-
- SourceRef allows you to override the source
- from which the value will be pulled.
- maxProperties: 1
- minProperties: 1
- properties:
- generatorRef:
- description: |-
- GeneratorRef points to a generator custom resource.
-
- Deprecated: The generatorRef is not implemented in .data[].
- this will be removed with v1.
- properties:
- apiVersion:
- default: generators.external-secrets.io/v1alpha1
- description: Specify the apiVersion of the generator resource
- type: string
- kind:
- description: Specify the Kind of the generator resource
- enum:
- - ACRAccessToken
- - ClusterGenerator
- - ECRAuthorizationToken
- - Fake
- - GCRAccessToken
- - GithubAccessToken
- - QuayAccessToken
- - Password
- - STSSessionToken
- - UUID
- - VaultDynamicSecret
- - Webhook
- - Grafana
- type: string
- name:
- description: Specify the name of the generator resource
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- required:
- - kind
- - name
- type: object
- storeRef:
- description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
- properties:
- kind:
- description: |-
- Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
- Defaults to `SecretStore`
- enum:
- - SecretStore
- - ClusterSecretStore
- type: string
- name:
- description: Name of the SecretStore resource
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- type: object
- type: object
required:
- remoteRef
- secretKey
type: object
type: array
dataFrom:
- description: |-
- DataFrom is used to fetch all properties from a specific Provider data
- If multiple entries are specified, the Secret keys are merged in the specified order
+ description: DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order
items:
+ description: ExternalSecretDataRemoteRef defines Provider data location.
properties:
- extract:
- description: |-
- Used to extract multiple key/value pairs from one secret
- Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
- properties:
- conversionStrategy:
- default: Default
- description: Used to define a conversion Strategy
- enum:
- - Default
- - Unicode
- type: string
- decodingStrategy:
- default: None
- description: Used to define a decoding Strategy
- enum:
- - Auto
- - Base64
- - Base64URL
- - None
- type: string
- key:
- description: Key is the key used in the Provider, mandatory
- type: string
- metadataPolicy:
- default: None
- description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
- enum:
- - None
- - Fetch
- type: string
- property:
- description: Used to select a specific property of the Provider value (if a map), if supported
- type: string
- version:
- description: Used to select a specific version of the Provider value, if supported
- type: string
- required:
- - key
- type: object
- find:
- description: |-
- Used to find secrets based on tags or regular expressions
- Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
- properties:
- conversionStrategy:
- default: Default
- description: Used to define a conversion Strategy
- enum:
- - Default
- - Unicode
- type: string
- decodingStrategy:
- default: None
- description: Used to define a decoding Strategy
- enum:
- - Auto
- - Base64
- - Base64URL
- - None
- type: string
- name:
- description: Finds secrets based on the name.
- properties:
- regexp:
- description: Finds secrets base
- type: string
- type: object
- path:
- description: A root path to start the find operations.
- type: string
- tags:
- additionalProperties:
- type: string
- description: Find secrets based on tags.
- type: object
- type: object
- rewrite:
- description: |-
- Used to rewrite secret Keys after getting them from the secret Provider
- Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
- items:
- properties:
- regexp:
- description: |-
- Used to rewrite with regular expressions.
- The resulting key will be the output of a regexp.ReplaceAll operation.
- properties:
- source:
- description: Used to define the regular expression of a re.Compiler.
- type: string
- target:
- description: Used to define the target pattern of a ReplaceAll operation.
- type: string
- required:
- - source
- - target
- type: object
- transform:
- description: |-
- Used to apply string transformation on the secrets.
- The resulting key will be the output of the template applied by the operation.
- properties:
- template:
- description: |-
- Used to define the template to apply on the secret name.
- `.value ` will specify the secret name in the template.
- type: string
- required:
- - template
- type: object
- type: object
- type: array
- sourceRef:
- description: |-
- SourceRef points to a store or generator
- which contains secret values ready to use.
- Use this in combination with Extract or Find pull values out of
- a specific SecretStore.
- When sourceRef points to a generator Extract or Find is not supported.
- The generator returns a static map of values
- maxProperties: 1
- minProperties: 1
- properties:
- generatorRef:
- description: GeneratorRef points to a generator custom resource.
- properties:
- apiVersion:
- default: generators.external-secrets.io/v1alpha1
- description: Specify the apiVersion of the generator resource
- type: string
- kind:
- description: Specify the Kind of the generator resource
- enum:
- - ACRAccessToken
- - ClusterGenerator
- - ECRAuthorizationToken
- - Fake
- - GCRAccessToken
- - GithubAccessToken
- - QuayAccessToken
- - Password
- - STSSessionToken
- - UUID
- - VaultDynamicSecret
- - Webhook
- - Grafana
- type: string
- name:
- description: Specify the name of the generator resource
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- required:
- - kind
- - name
- type: object
- storeRef:
- description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
- properties:
- kind:
- description: |-
- Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
- Defaults to `SecretStore`
- enum:
- - SecretStore
- - ClusterSecretStore
- type: string
- name:
- description: Name of the SecretStore resource
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- type: object
- type: object
+ conversionStrategy:
+ default: Default
+ description: Used to define a conversion Strategy
+ enum:
+ - Default
+ - Unicode
+ type: string
+ key:
+ description: Key is the key used in the Provider, mandatory
+ type: string
+ property:
+ description: Used to select a specific property of the Provider value (if a map), if supported
+ type: string
+ version:
+ description: Used to select a specific version of the Provider value, if supported
+ type: string
+ required:
+ - key
type: object
type: array
refreshInterval:
default: 1h
- description: |-
- RefreshInterval is the amount of time before the values are read again from the SecretStore provider,
- specified as Golang Duration strings.
- Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
- Example values: "1h", "2h30m", "10s"
- May be set to zero to fetch and create it once. Defaults to 1h.
- type: string
- refreshPolicy:
- description: |-
- RefreshPolicy determines how the ExternalSecret should be refreshed:
- - CreatedOnce: Creates the Secret only if it does not exist and does not update it thereafter
- - Periodic: Synchronizes the Secret from the external source at regular intervals specified by refreshInterval.
- No periodic updates occur if refreshInterval is 0.
- - OnChange: Only synchronizes the Secret when the ExternalSecret's metadata or specification changes
- enum:
- - CreatedOnce
- - Periodic
- - OnChange
+ description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to fetch and create it once. Defaults to 1h.
type: string
secretStoreRef:
description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
properties:
kind:
- description: |-
- Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
- Defaults to `SecretStore`
- enum:
- - SecretStore
- - ClusterSecretStore
+ description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore`
type: string
name:
description: Name of the SecretStore resource
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
+ required:
+ - name
type: object
target:
- default:
- creationPolicy: Owner
- deletionPolicy: Retain
- description: |-
- ExternalSecretTarget defines the Kubernetes Secret to be created
- There can be only one target per ExternalSecret.
+ description: ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret.
properties:
creationPolicy:
default: Owner
- description: |-
- CreationPolicy defines rules on how to create the resulting Secret.
- Defaults to "Owner"
+ description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner'
enum:
- Owner
- - Orphan
- Merge
- None
type: string
- deletionPolicy:
- default: Retain
- description: |-
- DeletionPolicy defines rules on how to delete the resulting Secret.
- Defaults to "Retain"
- enum:
- - Delete
- - Merge
- - Retain
- type: string
immutable:
description: Immutable defines if the final secret will be immutable
type: boolean
name:
- description: |-
- The name of the Secret resource to be managed.
- Defaults to the .metadata.name of the ExternalSecret resource
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ description: Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource
type: string
template:
description: Template defines a blueprint for the created Secret resource.
@@ -459,20 +151,12 @@ spec:
type: string
type: object
engineVersion:
- default: v2
- description: |-
- EngineVersion specifies the template engine version
- that should be used to compile/execute the
- template specified in .data and .templateFrom[].
+ default: v1
+ description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[].
enum:
+ - v1
- v2
type: string
- mergePolicy:
- default: Replace
- enum:
- - Replace
- - Merge
- type: string
metadata:
description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
properties:
@@ -487,86 +171,52 @@ spec:
type: object
templateFrom:
items:
+ maxProperties: 1
+ minProperties: 1
properties:
configMap:
properties:
items:
- description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
items:
properties:
key:
- description: A key in the ConfigMap/Secret
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- templateAs:
- default: Values
- enum:
- - Values
- - KeysAndValues
type: string
required:
- key
type: object
type: array
name:
- description: The name of the ConfigMap/Secret resource
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
required:
- items
- name
type: object
- literal:
- type: string
secret:
properties:
items:
- description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
items:
properties:
key:
- description: A key in the ConfigMap/Secret
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- templateAs:
- default: Values
- enum:
- - Values
- - KeysAndValues
type: string
required:
- key
type: object
type: array
name:
- description: The name of the ConfigMap/Secret resource
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
required:
- items
- name
type: object
- target:
- default: Data
- enum:
- - Data
- - Annotations
- - Labels
- type: string
type: object
type: array
type:
type: string
type: object
type: object
+ required:
+ - secretStoreRef
+ - target
type: object
status:
properties:
@@ -574,13 +224,7 @@ spec:
description: Binding represents a servicebinding.io Provisioned Service reference to the secret
properties:
name:
- default: ""
- description: |-
- Name of the referent.
- This field is effectively required, but due to backwards compatibility is
- allowed to be empty. Instances of this type with an empty value here are
- almost certainly wrong.
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'
type: string
type: object
x-kubernetes-map-type: atomic
@@ -604,9 +248,7 @@ spec:
type: object
type: array
refreshTime:
- description: |-
- refreshTime is the time and date the external secret was fetched and
- the target secret updated
+ description: refreshTime is the time and date the external secret was fetched and the target secret updated
format: date-time
nullable: true
type: string
@@ -616,13 +258,10 @@ spec:
type: object
type: object
served: true
- storage: true
+ storage: false
subresources:
status: {}
- additionalPrinterColumns:
- - jsonPath: .spec.secretStoreRef.kind
- name: StoreType
- type: string
- jsonPath: .spec.secretStoreRef.name
name: Store
type: string
@@ -641,19 +280,10 @@ spec:
description: ExternalSecret is the Schema for the external-secrets API.
properties:
apiVersion:
- description: |-
- APIVersion defines the versioned schema of this representation of an object.
- Servers should convert recognized schemas to the latest internal value, and
- may reject unrecognized values.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
- description: |-
- Kind is a string value representing the REST resource this object represents.
- Servers may infer this from the endpoint the client submits requests to.
- Cannot be updated.
- In CamelCase.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
@@ -666,9 +296,7 @@ spec:
description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data.
properties:
remoteRef:
- description: |-
- RemoteRef points to the remote secret and defines
- which secret (version/property/..) to fetch.
+ description: RemoteRef points to the remote secret and defines which secret (version/property/..) to fetch.
properties:
conversionStrategy:
default: Default
@@ -706,51 +334,24 @@ spec:
- key
type: object
secretKey:
- description: The key in the Kubernetes Secret to store the value.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: SecretKey defines the key in which the controller stores the value. This is the key in the Kind=Secret
type: string
sourceRef:
- description: |-
- SourceRef allows you to override the source
- from which the value will be pulled.
+ description: SourceRef allows you to override the source from which the value will pulled from.
maxProperties: 1
- minProperties: 1
properties:
generatorRef:
- description: |-
- GeneratorRef points to a generator custom resource.
-
- Deprecated: The generatorRef is not implemented in .data[].
- this will be removed with v1.
+ description: "GeneratorRef points to a generator custom resource. \n Deprecated: The generatorRef is not implemented in .data[]. this will be removed with v1."
properties:
apiVersion:
default: generators.external-secrets.io/v1alpha1
description: Specify the apiVersion of the generator resource
type: string
kind:
- description: Specify the Kind of the generator resource
- enum:
- - ACRAccessToken
- - ClusterGenerator
- - ECRAuthorizationToken
- - Fake
- - GCRAccessToken
- - GithubAccessToken
- - QuayAccessToken
- - Password
- - STSSessionToken
- - UUID
- - VaultDynamicSecret
- - Webhook
- - Grafana
+ description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc.
type: string
name:
description: Specify the name of the generator resource
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
required:
- kind
@@ -760,19 +361,13 @@ spec:
description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
properties:
kind:
- description: |-
- Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
- Defaults to `SecretStore`
- enum:
- - SecretStore
- - ClusterSecretStore
+ description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore`
type: string
name:
description: Name of the SecretStore resource
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
+ required:
+ - name
type: object
type: object
required:
@@ -781,15 +376,11 @@ spec:
type: object
type: array
dataFrom:
- description: |-
- DataFrom is used to fetch all properties from a specific Provider data
- If multiple entries are specified, the Secret keys are merged in the specified order
+ description: DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order
items:
properties:
extract:
- description: |-
- Used to extract multiple key/value pairs from one secret
- Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
+ description: 'Used to extract multiple key/value pairs from one secret Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.'
properties:
conversionStrategy:
default: Default
@@ -827,9 +418,7 @@ spec:
- key
type: object
find:
- description: |-
- Used to find secrets based on tags or regular expressions
- Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
+ description: 'Used to find secrets based on tags or regular expressions Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.'
properties:
conversionStrategy:
default: Default
@@ -864,15 +453,11 @@ spec:
type: object
type: object
rewrite:
- description: |-
- Used to rewrite secret Keys after getting them from the secret Provider
- Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
+ description: Used to rewrite secret Keys after getting them from the secret Provider Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
items:
properties:
regexp:
- description: |-
- Used to rewrite with regular expressions.
- The resulting key will be the output of a regexp.ReplaceAll operation.
+ description: Used to rewrite with regular expressions. The resulting key will be the output of a regexp.ReplaceAll operation.
properties:
source:
description: Used to define the regular expression of a re.Compiler.
@@ -885,14 +470,10 @@ spec:
- target
type: object
transform:
- description: |-
- Used to apply string transformation on the secrets.
- The resulting key will be the output of the template applied by the operation.
+ description: Used to apply string transformation on the secrets. The resulting key will be the output of the template applied by the operation.
properties:
template:
- description: |-
- Used to define the template to apply on the secret name.
- `.value ` will specify the secret name in the template.
+ description: Used to define the template to apply on the secret name. `.value ` will specify the secret name in the template.
type: string
required:
- template
@@ -900,15 +481,8 @@ spec:
type: object
type: array
sourceRef:
- description: |-
- SourceRef points to a store or generator
- which contains secret values ready to use.
- Use this in combination with Extract or Find pull values out of
- a specific SecretStore.
- When sourceRef points to a generator Extract or Find is not supported.
- The generator returns a static map of values
+ description: SourceRef points to a store or generator which contains secret values ready to use. Use this in combination with Extract or Find pull values out of a specific SecretStore. When sourceRef points to a generator Extract or Find is not supported. The generator returns a static map of values
maxProperties: 1
- minProperties: 1
properties:
generatorRef:
description: GeneratorRef points to a generator custom resource.
@@ -918,27 +492,10 @@ spec:
description: Specify the apiVersion of the generator resource
type: string
kind:
- description: Specify the Kind of the generator resource
- enum:
- - ACRAccessToken
- - ClusterGenerator
- - ECRAuthorizationToken
- - Fake
- - GCRAccessToken
- - GithubAccessToken
- - QuayAccessToken
- - Password
- - STSSessionToken
- - UUID
- - VaultDynamicSecret
- - Webhook
- - Grafana
+ description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc.
type: string
name:
description: Specify the name of the generator resource
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
required:
- kind
@@ -948,75 +505,42 @@ spec:
description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
properties:
kind:
- description: |-
- Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
- Defaults to `SecretStore`
- enum:
- - SecretStore
- - ClusterSecretStore
+ description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore`
type: string
name:
description: Name of the SecretStore resource
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
+ required:
+ - name
type: object
type: object
type: object
type: array
refreshInterval:
default: 1h
- description: |-
- RefreshInterval is the amount of time before the values are read again from the SecretStore provider,
- specified as Golang Duration strings.
- Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
- Example values: "1h", "2h30m", "10s"
- May be set to zero to fetch and create it once. Defaults to 1h.
- type: string
- refreshPolicy:
- description: |-
- RefreshPolicy determines how the ExternalSecret should be refreshed:
- - CreatedOnce: Creates the Secret only if it does not exist and does not update it thereafter
- - Periodic: Synchronizes the Secret from the external source at regular intervals specified by refreshInterval.
- No periodic updates occur if refreshInterval is 0.
- - OnChange: Only synchronizes the Secret when the ExternalSecret's metadata or specification changes
- enum:
- - CreatedOnce
- - Periodic
- - OnChange
+ description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to fetch and create it once. Defaults to 1h.
type: string
secretStoreRef:
description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
properties:
kind:
- description: |-
- Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
- Defaults to `SecretStore`
- enum:
- - SecretStore
- - ClusterSecretStore
+ description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore`
type: string
name:
description: Name of the SecretStore resource
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
+ required:
+ - name
type: object
target:
default:
creationPolicy: Owner
deletionPolicy: Retain
- description: |-
- ExternalSecretTarget defines the Kubernetes Secret to be created
- There can be only one target per ExternalSecret.
+ description: ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret.
properties:
creationPolicy:
default: Owner
- description: |-
- CreationPolicy defines rules on how to create the resulting Secret.
- Defaults to "Owner"
+ description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner'
enum:
- Owner
- Orphan
@@ -1025,9 +549,7 @@ spec:
type: string
deletionPolicy:
default: Retain
- description: |-
- DeletionPolicy defines rules on how to delete the resulting Secret.
- Defaults to "Retain"
+ description: DeletionPolicy defines rules on how to delete the resulting Secret Defaults to 'Retain'
enum:
- Delete
- Merge
@@ -1037,12 +559,7 @@ spec:
description: Immutable defines if the final secret will be immutable
type: boolean
name:
- description: |-
- The name of the Secret resource to be managed.
- Defaults to the .metadata.name of the ExternalSecret resource
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ description: Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource
type: string
template:
description: Template defines a blueprint for the created Secret resource.
@@ -1053,11 +570,9 @@ spec:
type: object
engineVersion:
default: v2
- description: |-
- EngineVersion specifies the template engine version
- that should be used to compile/execute the
- template specified in .data and .templateFrom[].
+ description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[].
enum:
+ - v1
- v2
type: string
mergePolicy:
@@ -1084,14 +599,9 @@ spec:
configMap:
properties:
items:
- description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
items:
properties:
key:
- description: A key in the ConfigMap/Secret
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
type: string
templateAs:
default: Values
@@ -1104,10 +614,6 @@ spec:
type: object
type: array
name:
- description: The name of the ConfigMap/Secret resource
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
required:
- items
@@ -1118,14 +624,9 @@ spec:
secret:
properties:
items:
- description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
items:
properties:
key:
- description: A key in the ConfigMap/Secret
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
type: string
templateAs:
default: Values
@@ -1138,10 +639,6 @@ spec:
type: object
type: array
name:
- description: The name of the ConfigMap/Secret resource
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
required:
- items
@@ -1167,13 +664,7 @@ spec:
description: Binding represents a servicebinding.io Provisioned Service reference to the secret
properties:
name:
- default: ""
- description: |-
- Name of the referent.
- This field is effectively required, but due to backwards compatibility is
- allowed to be empty. Instances of this type with an empty value here are
- almost certainly wrong.
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'
type: string
type: object
x-kubernetes-map-type: atomic
@@ -1197,9 +688,7 @@ spec:
type: object
type: array
refreshTime:
- description: |-
- refreshTime is the time and date the external secret was fetched and
- the target secret updated
+ description: refreshTime is the time and date the external secret was fetched and the target secret updated
format: date-time
nullable: true
type: string
@@ -1209,7 +698,19 @@ spec:
type: object
type: object
served: true
- storage: false
+ storage: true
subresources:
status: {}
+{{- if .Values.crds.conversion.enabled }}
+ conversion:
+ strategy: Webhook
+ webhook:
+ conversionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: {{ include "external-secrets.fullname" . }}-webhook
+ namespace: {{ .Release.Namespace | quote }}
+ path: /convert
+{{- end }}
{{- end }}
diff --git a/charts/external-secrets/templates/crds/fake.yaml b/charts/external-secrets/templates/crds/fake.yaml
index 41cb800..11fd839 100644
--- a/charts/external-secrets/templates/crds/fake.yaml
+++ b/charts/external-secrets/templates/crds/fake.yaml
@@ -9,43 +9,31 @@ metadata:
{{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
{{- end }}
- controller-gen.kubebuilder.io/version: v0.17.3
- labels:
- external-secrets.io/component: controller
+ controller-gen.kubebuilder.io/version: v0.13.0
name: fakes.generators.external-secrets.io
spec:
group: generators.external-secrets.io
names:
categories:
- - external-secrets
- - external-secrets-generators
+ - fake
kind: Fake
listKind: FakeList
plural: fakes
+ shortNames:
+ - fake
singular: fake
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
- description: |-
- Fake generator is used for testing. It lets you define
- a static set of credentials that is always returned.
+ description: Fake generator is used for testing. It lets you define a static set of credentials that is always returned.
properties:
apiVersion:
- description: |-
- APIVersion defines the versioned schema of this representation of an object.
- Servers should convert recognized schemas to the latest internal value, and
- may reject unrecognized values.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
- description: |-
- Kind is a string value representing the REST resource this object represents.
- Servers may infer this from the endpoint the client submits requests to.
- Cannot be updated.
- In CamelCase.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
@@ -53,16 +41,12 @@ spec:
description: FakeSpec contains the static data.
properties:
controller:
- description: |-
- Used to select the correct ESO controller (think: ingress.ingressClassName)
- The ESO controller is instantiated with a specific controller name and filters VDS based on this property
+ description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property'
type: string
data:
additionalProperties:
type: string
- description: |-
- Data defines the static data returned
- by this generator.
+ description: Data defines the static data returned by this generator.
type: object
type: object
type: object
@@ -70,4 +54,16 @@ spec:
storage: true
subresources:
status: {}
+{{- if .Values.crds.conversion.enabled }}
+ conversion:
+ strategy: Webhook
+ webhook:
+ conversionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: {{ include "external-secrets.fullname" . }}-webhook
+ namespace: {{ .Release.Namespace | quote }}
+ path: /convert
+{{- end }}
{{- end }}
diff --git a/charts/external-secrets/templates/crds/gcraccesstoken.yaml b/charts/external-secrets/templates/crds/gcraccesstoken.yaml
index cf7b781..f5bc903 100644
--- a/charts/external-secrets/templates/crds/gcraccesstoken.yaml
+++ b/charts/external-secrets/templates/crds/gcraccesstoken.yaml
@@ -9,43 +9,31 @@ metadata:
{{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
{{- end }}
- controller-gen.kubebuilder.io/version: v0.17.3
- labels:
- external-secrets.io/component: controller
+ controller-gen.kubebuilder.io/version: v0.13.0
name: gcraccesstokens.generators.external-secrets.io
spec:
group: generators.external-secrets.io
names:
categories:
- - external-secrets
- - external-secrets-generators
+ - gcraccesstoken
kind: GCRAccessToken
listKind: GCRAccessTokenList
plural: gcraccesstokens
+ shortNames:
+ - gcraccesstoken
singular: gcraccesstoken
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
- description: |-
- GCRAccessToken generates an GCP access token
- that can be used to authenticate with GCR.
+ description: GCRAccessToken generates an GCP access token that can be used to authenticate with GCR.
properties:
apiVersion:
- description: |-
- APIVersion defines the versioned schema of this representation of an object.
- Servers should convert recognized schemas to the latest internal value, and
- may reject unrecognized values.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
- description: |-
- Kind is a string value representing the REST resource this object represents.
- Servers may infer this from the endpoint the client submits requests to.
- Cannot be updated.
- In CamelCase.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
@@ -60,26 +48,13 @@ spec:
description: The SecretAccessKey is used for authentication
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
type: object
@@ -95,26 +70,15 @@ spec:
description: A reference to a ServiceAccount resource.
properties:
audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
+ description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
items:
type: string
type: array
name:
description: The name of the ServiceAccount resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- Namespace of the resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
required:
- name
@@ -137,4 +101,16 @@ spec:
storage: true
subresources:
status: {}
+{{- if .Values.crds.conversion.enabled }}
+ conversion:
+ strategy: Webhook
+ webhook:
+ conversionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: {{ include "external-secrets.fullname" . }}-webhook
+ namespace: {{ .Release.Namespace | quote }}
+ path: /convert
+{{- end }}
{{- end }}
diff --git a/charts/external-secrets/templates/crds/generatorstate.yaml b/charts/external-secrets/templates/crds/generatorstate.yaml
deleted file mode 100644
index 58b7df3..0000000
--- a/charts/external-secrets/templates/crds/generatorstate.yaml
+++ /dev/null
@@ -1,110 +0,0 @@
-{{- if .Values.installCRDs }}
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- annotations:
- {{- with .Values.crds.annotations }}
- {{- toYaml . | nindent 4}}
- {{- end }}
- {{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
- cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
- {{- end }}
- controller-gen.kubebuilder.io/version: v0.17.3
- labels:
- external-secrets.io/component: controller
- name: generatorstates.generators.external-secrets.io
-spec:
- group: generators.external-secrets.io
- names:
- categories:
- - external-secrets
- - external-secrets-generators
- kind: GeneratorState
- listKind: GeneratorStateList
- plural: generatorstates
- shortNames:
- - gs
- singular: generatorstate
- scope: Namespaced
- versions:
- - additionalPrinterColumns:
- - jsonPath: .spec.garbageCollectionDeadline
- name: GC Deadline
- type: string
- - jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- name: v1alpha1
- schema:
- openAPIV3Schema:
- properties:
- apiVersion:
- description: |-
- APIVersion defines the versioned schema of this representation of an object.
- Servers should convert recognized schemas to the latest internal value, and
- may reject unrecognized values.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
- type: string
- kind:
- description: |-
- Kind is a string value representing the REST resource this object represents.
- Servers may infer this from the endpoint the client submits requests to.
- Cannot be updated.
- In CamelCase.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
- type: string
- metadata:
- type: object
- spec:
- properties:
- garbageCollectionDeadline:
- description: |-
- GarbageCollectionDeadline is the time after which the generator state
- will be deleted.
- It is set by the controller which creates the generator state and
- can be set configured by the user.
- If the garbage collection deadline is not set the generator state will not be deleted.
- format: date-time
- type: string
- resource:
- description: |-
- Resource is the generator manifest that produced the state.
- It is a snapshot of the generator manifest at the time the state was produced.
- This manifest will be used to delete the resource. Any configuration that is referenced
- in the manifest should be available at the time of garbage collection. If that is not the case deletion will
- be blocked by a finalizer.
- x-kubernetes-preserve-unknown-fields: true
- state:
- description: State is the state that was produced by the generator implementation.
- x-kubernetes-preserve-unknown-fields: true
- required:
- - resource
- - state
- type: object
- status:
- properties:
- conditions:
- items:
- properties:
- lastTransitionTime:
- format: date-time
- type: string
- message:
- type: string
- reason:
- type: string
- status:
- type: string
- type:
- type: string
- required:
- - status
- - type
- type: object
- type: array
- type: object
- type: object
- served: true
- storage: true
- subresources: {}
-{{- end }}
diff --git a/charts/external-secrets/templates/crds/githubaccesstoken.yaml b/charts/external-secrets/templates/crds/githubaccesstoken.yaml
deleted file mode 100644
index b4010d5..0000000
--- a/charts/external-secrets/templates/crds/githubaccesstoken.yaml
+++ /dev/null
@@ -1,120 +0,0 @@
-{{- if .Values.installCRDs }}
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- annotations:
- {{- with .Values.crds.annotations }}
- {{- toYaml . | nindent 4}}
- {{- end }}
- {{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
- cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
- {{- end }}
- controller-gen.kubebuilder.io/version: v0.17.3
- labels:
- external-secrets.io/component: controller
- name: githubaccesstokens.generators.external-secrets.io
-spec:
- group: generators.external-secrets.io
- names:
- categories:
- - external-secrets
- - external-secrets-generators
- kind: GithubAccessToken
- listKind: GithubAccessTokenList
- plural: githubaccesstokens
- singular: githubaccesstoken
- scope: Namespaced
- versions:
- - name: v1alpha1
- schema:
- openAPIV3Schema:
- description: GithubAccessToken generates ghs_ accessToken
- properties:
- apiVersion:
- description: |-
- APIVersion defines the versioned schema of this representation of an object.
- Servers should convert recognized schemas to the latest internal value, and
- may reject unrecognized values.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
- type: string
- kind:
- description: |-
- Kind is a string value representing the REST resource this object represents.
- Servers may infer this from the endpoint the client submits requests to.
- Cannot be updated.
- In CamelCase.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
- type: string
- metadata:
- type: object
- spec:
- properties:
- appID:
- type: string
- auth:
- description: Auth configures how ESO authenticates with a Github instance.
- properties:
- privateKey:
- properties:
- secretRef:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - secretRef
- type: object
- required:
- - privateKey
- type: object
- installID:
- type: string
- permissions:
- additionalProperties:
- type: string
- description: Map of permissions the token will have. If omitted, defaults to all permissions the GitHub App has.
- type: object
- repositories:
- description: |-
- List of repositories the token will have access to. If omitted, defaults to all repositories the GitHub App
- is installed to.
- items:
- type: string
- type: array
- url:
- description: URL configures the Github instance URL. Defaults to https://github.com/.
- type: string
- required:
- - appID
- - auth
- - installID
- type: object
- type: object
- served: true
- storage: true
- subresources:
- status: {}
-{{- end }}
diff --git a/charts/external-secrets/templates/crds/grafana.yaml b/charts/external-secrets/templates/crds/grafana.yaml
deleted file mode 100644
index 8b0a88a..0000000
--- a/charts/external-secrets/templates/crds/grafana.yaml
+++ /dev/null
@@ -1,139 +0,0 @@
-{{- if .Values.installCRDs }}
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- annotations:
- {{- with .Values.crds.annotations }}
- {{- toYaml . | nindent 4}}
- {{- end }}
- {{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
- cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
- {{- end }}
- controller-gen.kubebuilder.io/version: v0.17.3
- labels:
- external-secrets.io/component: controller
- name: grafanas.generators.external-secrets.io
-spec:
- group: generators.external-secrets.io
- names:
- categories:
- - external-secrets
- - external-secrets-generators
- kind: Grafana
- listKind: GrafanaList
- plural: grafanas
- singular: grafana
- scope: Namespaced
- versions:
- - name: v1alpha1
- schema:
- openAPIV3Schema:
- properties:
- apiVersion:
- description: |-
- APIVersion defines the versioned schema of this representation of an object.
- Servers should convert recognized schemas to the latest internal value, and
- may reject unrecognized values.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
- type: string
- kind:
- description: |-
- Kind is a string value representing the REST resource this object represents.
- Servers may infer this from the endpoint the client submits requests to.
- Cannot be updated.
- In CamelCase.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
- type: string
- metadata:
- type: object
- spec:
- description: GrafanaSpec controls the behavior of the grafana generator.
- properties:
- auth:
- description: |-
- Auth is the authentication configuration to authenticate
- against the Grafana instance.
- properties:
- basic:
- description: |-
- Basic auth credentials used to authenticate against the Grafana instance.
- Note: you need a token which has elevated permissions to create service accounts.
- See here for the documentation on basic roles offered by Grafana:
- https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/
- properties:
- password:
- description: A basic auth password used to authenticate against the Grafana instance.
- properties:
- key:
- description: The key where the token is found.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- type: object
- username:
- description: A basic auth username used to authenticate against the Grafana instance.
- type: string
- required:
- - password
- - username
- type: object
- token:
- description: |-
- A service account token used to authenticate against the Grafana instance.
- Note: you need a token which has elevated permissions to create service accounts.
- See here for the documentation on basic roles offered by Grafana:
- https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/
- properties:
- key:
- description: The key where the token is found.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- type: object
- type: object
- serviceAccount:
- description: |-
- ServiceAccount is the configuration for the service account that
- is supposed to be generated by the generator.
- properties:
- name:
- description: Name is the name of the service account that will be created by ESO.
- type: string
- role:
- description: |-
- Role is the role of the service account.
- See here for the documentation on basic roles offered by Grafana:
- https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/
- type: string
- required:
- - name
- - role
- type: object
- url:
- description: URL is the URL of the Grafana instance.
- type: string
- required:
- - auth
- - serviceAccount
- - url
- type: object
- type: object
- served: true
- storage: true
- subresources:
- status: {}
-{{- end }}
diff --git a/charts/external-secrets/templates/crds/password.yaml b/charts/external-secrets/templates/crds/password.yaml
index 5904005..0daa607 100644
--- a/charts/external-secrets/templates/crds/password.yaml
+++ b/charts/external-secrets/templates/crds/password.yaml
@@ -9,44 +9,31 @@ metadata:
{{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
{{- end }}
- controller-gen.kubebuilder.io/version: v0.17.3
- labels:
- external-secrets.io/component: controller
+ controller-gen.kubebuilder.io/version: v0.13.0
name: passwords.generators.external-secrets.io
spec:
group: generators.external-secrets.io
names:
categories:
- - external-secrets
- - external-secrets-generators
+ - password
kind: Password
listKind: PasswordList
plural: passwords
+ shortNames:
+ - password
singular: password
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
- description: |-
- Password generates a random password based on the
- configuration parameters in spec.
- You can specify the length, characterset and other attributes.
+ description: Password generates a random password based on the configuration parameters in spec. You can specify the length, characterset and other attributes.
properties:
apiVersion:
- description: |-
- APIVersion defines the versioned schema of this representation of an object.
- Servers should convert recognized schemas to the latest internal value, and
- may reject unrecognized values.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
- description: |-
- Kind is a string value representing the REST resource this object represents.
- Servers may infer this from the endpoint the client submits requests to.
- Cannot be updated.
- In CamelCase.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
@@ -58,29 +45,21 @@ spec:
description: set AllowRepeat to true to allow repeating characters.
type: boolean
digits:
- description: |-
- Digits specifies the number of digits in the generated
- password. If omitted it defaults to 25% of the length of the password
+ description: Digits specifies the number of digits in the generated password. If omitted it defaults to 25% of the length of the password
type: integer
length:
default: 24
- description: |-
- Length of the password to be generated.
- Defaults to 24
+ description: Length of the password to be generated. Defaults to 24
type: integer
noUpper:
default: false
description: Set NoUpper to disable uppercase characters
type: boolean
symbolCharacters:
- description: |-
- SymbolCharacters specifies the special characters that should be used
- in the generated password.
+ description: SymbolCharacters specifies the special characters that should be used in the generated password.
type: string
symbols:
- description: |-
- Symbols specifies the number of symbol characters in the generated
- password. If omitted it defaults to 25% of the length of the password
+ description: Symbols specifies the number of symbol characters in the generated password. If omitted it defaults to 25% of the length of the password
type: integer
required:
- allowRepeat
@@ -92,4 +71,16 @@ spec:
storage: true
subresources:
status: {}
+{{- if .Values.crds.conversion.enabled }}
+ conversion:
+ strategy: Webhook
+ webhook:
+ conversionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: {{ include "external-secrets.fullname" . }}-webhook
+ namespace: {{ .Release.Namespace | quote }}
+ path: /convert
+{{- end }}
{{- end }}
diff --git a/charts/external-secrets/templates/crds/pushsecret.yaml b/charts/external-secrets/templates/crds/pushsecret.yaml
index e0e145b..306eafe 100644
--- a/charts/external-secrets/templates/crds/pushsecret.yaml
+++ b/charts/external-secrets/templates/crds/pushsecret.yaml
@@ -9,20 +9,16 @@ metadata:
{{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
{{- end }}
- controller-gen.kubebuilder.io/version: v0.17.3
- labels:
- external-secrets.io/component: controller
+ controller-gen.kubebuilder.io/version: v0.13.0
name: pushsecrets.external-secrets.io
spec:
group: external-secrets.io
names:
categories:
- - external-secrets
+ - pushsecrets
kind: PushSecret
listKind: PushSecretList
plural: pushsecrets
- shortNames:
- - ps
singular: pushsecret
scope: Namespaced
versions:
@@ -38,19 +34,10 @@ spec:
openAPIV3Schema:
properties:
apiVersion:
- description: |-
- APIVersion defines the versioned schema of this representation of an object.
- Servers should convert recognized schemas to the latest internal value, and
- may reject unrecognized values.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
- description: |-
- Kind is a string value representing the REST resource this object represents.
- Servers may infer this from the endpoint the client submits requests to.
- Cannot be updated.
- In CamelCase.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
@@ -61,13 +48,6 @@ spec:
description: Secret Data that should be pushed to providers
items:
properties:
- conversionStrategy:
- default: None
- description: Used to define a conversion Strategy for the secret keys
- enum:
- - None
- - ReverseUnicode
- type: string
match:
description: Match a given Secret Key to be pushed to the provider.
properties:
@@ -90,9 +70,7 @@ spec:
- remoteRef
type: object
metadata:
- description: |-
- Metadata is metadata attached to the secret.
- The structure of metadata is provider specific, please look it up in the provider documentation.
+ description: Metadata is metadata attached to the secret. The structure of metadata is provider specific, please look it up in the provider documentation.
x-kubernetes-preserve-unknown-fields: true
required:
- match
@@ -100,13 +78,12 @@ spec:
type: array
deletionPolicy:
default: None
- description: Deletion Policy to handle Secrets in the provider.
+ description: 'Deletion Policy to handle Secrets in the provider. Possible Values: "Delete/None". Defaults to "None".'
enum:
- Delete
- None
type: string
refreshInterval:
- default: 1h
description: The Interval to which External Secrets will try to push a secret definition
type: string
secretStoreRefs:
@@ -114,10 +91,7 @@ spec:
properties:
kind:
default: SecretStore
- description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
- enum:
- - SecretStore
- - ClusterSecretStore
+ description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore`
type: string
labelSelector:
description: Optionally, sync to secret stores with label selector
@@ -125,147 +99,50 @@ spec:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
+ description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
+ description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
+ description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
items:
type: string
type: array
- x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
- x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
+ description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
name:
description: Optionally, sync to the SecretStore of the given name
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
type: object
type: array
selector:
description: The Secret Selector (k8s source) for the Push Secret
- maxProperties: 1
- minProperties: 1
properties:
- generatorRef:
- description: Point to a generator to create a Secret.
- properties:
- apiVersion:
- default: generators.external-secrets.io/v1alpha1
- description: Specify the apiVersion of the generator resource
- type: string
- kind:
- description: Specify the Kind of the generator resource
- enum:
- - ACRAccessToken
- - ClusterGenerator
- - ECRAuthorizationToken
- - Fake
- - GCRAccessToken
- - GithubAccessToken
- - QuayAccessToken
- - Password
- - STSSessionToken
- - UUID
- - VaultDynamicSecret
- - Webhook
- - Grafana
- type: string
- name:
- description: Specify the name of the generator resource
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- required:
- - kind
- - name
- type: object
secret:
description: Select a Secret to Push.
properties:
name:
- description: |-
- Name of the Secret.
- The Secret must exist in the same namespace as the PushSecret manifest.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ description: Name of the Secret. The Secret must exist in the same namespace as the PushSecret manifest.
type: string
- selector:
- description: Selector chooses secrets using a labelSelector.
- properties:
- matchExpressions:
- description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the selector applies to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- required:
- - key
- - operator
- type: object
- type: array
- x-kubernetes-list-type: atomic
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
+ required:
+ - name
type: object
+ required:
+ - secret
type: object
template:
description: Template defines a blueprint for the created Secret resource.
@@ -276,11 +153,9 @@ spec:
type: object
engineVersion:
default: v2
- description: |-
- EngineVersion specifies the template engine version
- that should be used to compile/execute the
- template specified in .data and .templateFrom[].
+ description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[].
enum:
+ - v1
- v2
type: string
mergePolicy:
@@ -307,14 +182,9 @@ spec:
configMap:
properties:
items:
- description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
items:
properties:
key:
- description: A key in the ConfigMap/Secret
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
type: string
templateAs:
default: Values
@@ -327,10 +197,6 @@ spec:
type: object
type: array
name:
- description: The name of the ConfigMap/Secret resource
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
required:
- items
@@ -341,14 +207,9 @@ spec:
secret:
properties:
items:
- description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
items:
properties:
key:
- description: A key in the ConfigMap/Secret
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
type: string
templateAs:
default: Values
@@ -361,10 +222,6 @@ spec:
type: object
type: array
name:
- description: The name of the ConfigMap/Secret resource
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
required:
- items
@@ -382,13 +239,6 @@ spec:
type:
type: string
type: object
- updatePolicy:
- default: Replace
- description: UpdatePolicy to handle Secrets in the provider.
- enum:
- - Replace
- - IfNotExists
- type: string
required:
- secretStoreRefs
- selector
@@ -418,9 +268,7 @@ spec:
type: object
type: array
refreshTime:
- description: |-
- refreshTime is the time and date the external secret was fetched and
- the target secret updated
+ description: refreshTime is the time and date the external secret was fetched and the target secret updated
format: date-time
nullable: true
type: string
@@ -428,13 +276,6 @@ spec:
additionalProperties:
additionalProperties:
properties:
- conversionStrategy:
- default: None
- description: Used to define a conversion Strategy for the secret keys
- enum:
- - None
- - ReverseUnicode
- type: string
match:
description: Match a given Secret Key to be pushed to the provider.
properties:
@@ -457,17 +298,13 @@ spec:
- remoteRef
type: object
metadata:
- description: |-
- Metadata is metadata attached to the secret.
- The structure of metadata is provider specific, please look it up in the provider documentation.
+ description: Metadata is metadata attached to the secret. The structure of metadata is provider specific, please look it up in the provider documentation.
x-kubernetes-preserve-unknown-fields: true
required:
- match
type: object
type: object
- description: |-
- Synced PushSecrets, including secrets that already exist in provider.
- Matches secret stores to PushSecretData that was stored to that secret store.
+ description: Synced Push Secrets for later deletion. Matches Secret Stores to PushSecretData that was stored to that secretStore.
type: object
syncedResourceVersion:
description: SyncedResourceVersion keeps track of the last synced version.
@@ -478,4 +315,16 @@ spec:
storage: true
subresources:
status: {}
+{{- if .Values.crds.conversion.enabled }}
+ conversion:
+ strategy: Webhook
+ webhook:
+ conversionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: {{ include "external-secrets.fullname" . }}-webhook
+ namespace: {{ .Release.Namespace | quote }}
+ path: /convert
+{{- end }}
{{- end }}
diff --git a/charts/external-secrets/templates/crds/quayaccesstoken.yaml b/charts/external-secrets/templates/crds/quayaccesstoken.yaml
deleted file mode 100644
index 32619c3..0000000
--- a/charts/external-secrets/templates/crds/quayaccesstoken.yaml
+++ /dev/null
@@ -1,95 +0,0 @@
-{{- if .Values.installCRDs }}
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- annotations:
- {{- with .Values.crds.annotations }}
- {{- toYaml . | nindent 4}}
- {{- end }}
- {{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
- cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
- {{- end }}
- controller-gen.kubebuilder.io/version: v0.17.3
- labels:
- external-secrets.io/component: controller
- name: quayaccesstokens.generators.external-secrets.io
-spec:
- group: generators.external-secrets.io
- names:
- categories:
- - external-secrets
- - external-secrets-generators
- kind: QuayAccessToken
- listKind: QuayAccessTokenList
- plural: quayaccesstokens
- singular: quayaccesstoken
- scope: Namespaced
- versions:
- - name: v1alpha1
- schema:
- openAPIV3Schema:
- description: QuayAccessToken generates Quay oauth token for pulling/pushing images
- properties:
- apiVersion:
- description: |-
- APIVersion defines the versioned schema of this representation of an object.
- Servers should convert recognized schemas to the latest internal value, and
- may reject unrecognized values.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
- type: string
- kind:
- description: |-
- Kind is a string value representing the REST resource this object represents.
- Servers may infer this from the endpoint the client submits requests to.
- Cannot be updated.
- In CamelCase.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
- type: string
- metadata:
- type: object
- spec:
- properties:
- robotAccount:
- description: Name of the robot account you are federating with
- type: string
- serviceAccountRef:
- description: Name of the service account you are federating with
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- required:
- - name
- type: object
- url:
- description: URL configures the Quay instance URL. Defaults to quay.io.
- type: string
- required:
- - robotAccount
- - serviceAccountRef
- type: object
- type: object
- served: true
- storage: true
- subresources:
- status: {}
-{{- end }}
diff --git a/charts/external-secrets/templates/crds/secretstore.yaml b/charts/external-secrets/templates/crds/secretstore.yaml
index 2c1de2a..20adc87 100644
--- a/charts/external-secrets/templates/crds/secretstore.yaml
+++ b/charts/external-secrets/templates/crds/secretstore.yaml
@@ -9,15 +9,13 @@ metadata:
{{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
{{- end }}
- controller-gen.kubebuilder.io/version: v0.17.3
- labels:
- external-secrets.io/component: controller
+ controller-gen.kubebuilder.io/version: v0.13.0
name: secretstores.external-secrets.io
spec:
group: external-secrets.io
names:
categories:
- - external-secrets
+ - externalsecrets
kind: SecretStore
listKind: SecretStoreList
plural: secretstores
@@ -33,107 +31,25 @@ spec:
- jsonPath: .status.conditions[?(@.type=="Ready")].reason
name: Status
type: string
- - jsonPath: .status.capabilities
- name: Capabilities
- type: string
- - jsonPath: .status.conditions[?(@.type=="Ready")].status
- name: Ready
- type: string
- name: v1
+ deprecated: true
+ name: v1alpha1
schema:
openAPIV3Schema:
description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
properties:
apiVersion:
- description: |-
- APIVersion defines the versioned schema of this representation of an object.
- Servers should convert recognized schemas to the latest internal value, and
- may reject unrecognized values.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
- description: |-
- Kind is a string value representing the REST resource this object represents.
- Servers may infer this from the endpoint the client submits requests to.
- Cannot be updated.
- In CamelCase.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: SecretStoreSpec defines the desired state of SecretStore.
properties:
- conditions:
- description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore
- items:
- description: |-
- ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in
- for a ClusterSecretStore instance.
- properties:
- namespaceRegexes:
- description: Choose namespaces by using regex matching
- items:
- type: string
- type: array
- namespaceSelector:
- description: Choose namespace using a labelSelector
- properties:
- matchExpressions:
- description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the selector applies to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- required:
- - key
- - operator
- type: object
- type: array
- x-kubernetes-list-type: atomic
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- namespaces:
- description: Choose namespaces by name
- items:
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: array
- type: object
- type: array
controller:
- description: |-
- Used to select the correct ESO controller (think: ingress.ingressClassName)
- The ESO controller is instantiated with a specific controller name and filters ES based on this property
+ description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property'
type: string
provider:
description: Used to configure the provider. Only one provider may be set
@@ -150,9 +66,7 @@ spec:
description: Auth configures how the operator authenticates with Akeyless.
properties:
kubernetesAuth:
- description: |-
- Kubernetes authenticates with Akeyless by passing the ServiceAccount
- token stored in the named Secret resource.
+ description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource.
properties:
accessID:
description: the Akeyless Kubernetes auth-method access-id
@@ -161,63 +75,31 @@ spec:
description: Kubernetes-auth configuration name in Akeyless-Gateway
type: string
secretRef:
- description: |-
- Optional secret field containing a Kubernetes ServiceAccount JWT used
- for authenticating with Akeyless. If a name is specified without a key,
- `token` is the default. If one is not specified, the one bound to
- the controller will be used.
+ description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used.
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
serviceAccountRef:
- description: |-
- Optional service account field containing the name of a kubernetes ServiceAccount.
- If the service account is specified, the service account secret token JWT will be used
- for authenticating with Akeyless. If the service account selector is not supplied,
- the secretRef will be used instead.
+ description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead.
properties:
audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
+ description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
items:
type: string
type: array
name:
description: The name of the ServiceAccount resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- Namespace of the resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
required:
- name
@@ -227,123 +109,64 @@ spec:
- k8sConfName
type: object
secretRef:
- description: |-
- Reference to a Secret that contains the details
- to authenticate with Akeyless.
+ description: Reference to a Secret that contains the details to authenticate with Akeyless.
properties:
accessID:
description: The SecretAccessID is used for authentication
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
accessType:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
+ description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
accessTypeParam:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
+ description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
type: object
type: object
caBundle:
- description: |-
- PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used
- if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates
- are used to validate the TLS connection.
+ description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection.
format: byte
type: string
caProvider:
description: The provider for the CA bundle to use to validate Akeyless Gateway certificate.
properties:
key:
- description: The key where the CA certificate can be found in the Secret or ConfigMap.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key the value inside of the provider type to use, only used with "Secret" type
type: string
name:
description: The name of the object located at the provider type.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace the Provider type is in.
- Can only be defined when used in a ClusterSecretStore.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: The namespace the Provider type is in.
type: string
type:
description: The type of provider to use such as "Secret", or "ConfigMap".
@@ -389,52 +212,1219 @@ spec:
description: The AccessKeyID is used for authentication
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
accessKeySecretSecretRef:
description: The AccessKeySecret is used for authentication
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ required:
+ - accessKeyIDSecretRef
+ - accessKeySecretSecretRef
+ type: object
+ type: object
+ regionID:
+ description: Alibaba Region to be used for the provider
+ type: string
+ required:
+ - auth
+ - regionID
+ type: object
+ aws:
+ description: AWS configures this store to sync secrets using AWS Secret Manager provider
+ properties:
+ auth:
+ description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
+ properties:
+ jwt:
+ description: Authenticate against AWS using service account tokens.
+ properties:
+ serviceAccountRef:
+ description: A reference to a ServiceAccount resource.
+ properties:
+ audiences:
+ description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
+ items:
+ type: string
+ type: array
+ name:
+ description: The name of the ServiceAccount resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ required:
+ - name
+ type: object
+ type: object
+ secretRef:
+ description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
+ properties:
+ accessKeyIDSecretRef:
+ description: The AccessKeyID is used for authentication
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ secretAccessKeySecretRef:
+ description: The SecretAccessKey is used for authentication
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ type: object
+ region:
+ description: AWS Region to be used for the provider
+ type: string
+ role:
+ description: Role is a Role ARN which the SecretManager provider will assume
+ type: string
+ service:
+ description: Service defines which service should be used to fetch the secrets
+ enum:
+ - SecretsManager
+ - ParameterStore
+ type: string
+ required:
+ - region
+ - service
+ type: object
+ azurekv:
+ description: AzureKV configures this store to sync secrets using Azure Key Vault provider
+ properties:
+ authSecretRef:
+ description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type.
+ properties:
+ clientId:
+ description: The Azure clientId of the service principle used for authentication.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ clientSecret:
+ description: The Azure ClientSecret of the service principle used for authentication.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ authType:
+ default: ServicePrincipal
+ description: 'Auth type defines how to authenticate to the keyvault service. Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)'
+ enum:
+ - ServicePrincipal
+ - ManagedIdentity
+ - WorkloadIdentity
+ type: string
+ identityId:
+ description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
+ type: string
+ serviceAccountRef:
+ description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity.
+ properties:
+ audiences:
+ description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
+ items:
+ type: string
+ type: array
+ name:
+ description: The name of the ServiceAccount resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ required:
+ - name
+ type: object
+ tenantId:
+ description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
+ type: string
+ vaultUrl:
+ description: Vault Url from which the secrets to be fetched from.
+ type: string
+ required:
+ - vaultUrl
+ type: object
+ fake:
+ description: Fake configures a store with static key/value pairs
+ properties:
+ data:
+ items:
+ properties:
+ key:
+ type: string
+ value:
+ type: string
+ valueMap:
+ additionalProperties:
+ type: string
+ type: object
+ version:
+ type: string
+ required:
+ - key
+ type: object
+ type: array
+ required:
+ - data
+ type: object
+ gcpsm:
+ description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
+ properties:
+ auth:
+ description: Auth defines the information necessary to authenticate against GCP
+ properties:
+ secretRef:
+ properties:
+ secretAccessKeySecretRef:
+ description: The SecretAccessKey is used for authentication
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ workloadIdentity:
+ properties:
+ clusterLocation:
+ type: string
+ clusterName:
+ type: string
+ clusterProjectID:
+ type: string
+ serviceAccountRef:
+ description: A reference to a ServiceAccount resource.
+ properties:
+ audiences:
+ description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
+ items:
+ type: string
+ type: array
+ name:
+ description: The name of the ServiceAccount resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - clusterLocation
+ - clusterName
+ - serviceAccountRef
+ type: object
+ type: object
+ projectID:
+ description: ProjectID project where secret is located
+ type: string
+ type: object
+ gitlab:
+ description: GitLab configures this store to sync secrets using GitLab Variables provider
+ properties:
+ auth:
+ description: Auth configures how secret-manager authenticates with a GitLab instance.
+ properties:
+ SecretRef:
+ properties:
+ accessToken:
+ description: AccessToken is used for authentication.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ required:
+ - SecretRef
+ type: object
+ projectID:
+ description: ProjectID specifies a project where secrets are located.
+ type: string
+ url:
+ description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
+ type: string
+ required:
+ - auth
+ type: object
+ ibm:
+ description: IBM configures this store to sync secrets using IBM Cloud provider
+ properties:
+ auth:
+ description: Auth configures how secret-manager authenticates with the IBM secrets manager.
+ properties:
+ secretRef:
+ properties:
+ secretApiKeySecretRef:
+ description: The SecretAccessKey is used for authentication
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ required:
+ - secretRef
+ type: object
+ serviceUrl:
+ description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
+ type: string
+ required:
+ - auth
+ type: object
+ kubernetes:
+ description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
+ properties:
+ auth:
+ description: Auth configures how secret-manager authenticates with a Kubernetes instance.
+ maxProperties: 1
+ minProperties: 1
+ properties:
+ cert:
+ description: has both clientCert and clientKey as secretKeySelector
+ properties:
+ clientCert:
+ description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ clientKey:
+ description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ serviceAccount:
+ description: points to a service account that should be used for authentication
+ properties:
+ serviceAccount:
+ description: A reference to a ServiceAccount resource.
+ properties:
+ audiences:
+ description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
+ items:
+ type: string
+ type: array
+ name:
+ description: The name of the ServiceAccount resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ required:
+ - name
+ type: object
+ type: object
+ token:
+ description: use static token to authenticate with
+ properties:
+ bearerToken:
+ description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ type: object
+ remoteNamespace:
+ default: default
+ description: Remote namespace to fetch the secrets from
+ type: string
+ server:
+ description: configures the Kubernetes server Address.
+ properties:
+ caBundle:
+ description: CABundle is a base64-encoded CA certificate
+ format: byte
+ type: string
+ caProvider:
+ description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
+ properties:
+ key:
+ description: The key the value inside of the provider type to use, only used with "Secret" type
+ type: string
+ name:
+ description: The name of the object located at the provider type.
+ type: string
+ namespace:
+ description: The namespace the Provider type is in.
+ type: string
+ type:
+ description: The type of provider to use such as "Secret", or "ConfigMap".
+ enum:
+ - Secret
+ - ConfigMap
+ type: string
+ required:
+ - name
+ - type
+ type: object
+ url:
+ default: kubernetes.default
+ description: configures the Kubernetes server Address.
+ type: string
+ type: object
+ required:
+ - auth
+ type: object
+ oracle:
+ description: Oracle configures this store to sync secrets using Oracle Vault provider
+ properties:
+ auth:
+ description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, instance principal is used. Optionally, the authenticating principal type and/or user data may be supplied for the use of workload identity and user principal.
+ properties:
+ secretRef:
+ description: SecretRef to pass through sensitive information.
+ properties:
+ fingerprint:
+ description: Fingerprint is the fingerprint of the API private key.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ privatekey:
+ description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ required:
+ - fingerprint
+ - privatekey
+ type: object
+ tenancy:
+ description: Tenancy is the tenancy OCID where user is located.
+ type: string
+ user:
+ description: User is an access OCID specific to the account.
+ type: string
+ required:
+ - secretRef
+ - tenancy
+ - user
+ type: object
+ compartment:
+ description: Compartment is the vault compartment OCID. Required for PushSecret
+ type: string
+ encryptionKey:
+ description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret
+ type: string
+ principalType:
+ description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity.
+ enum:
+ - ""
+ - UserPrincipal
+ - InstancePrincipal
+ - Workload
+ type: string
+ region:
+ description: Region is the region where vault is located.
+ type: string
+ serviceAccountRef:
+ description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity.
+ properties:
+ audiences:
+ description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
+ items:
+ type: string
+ type: array
+ name:
+ description: The name of the ServiceAccount resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ required:
+ - name
+ type: object
+ vault:
+ description: Vault is the vault's OCID of the specific vault where secret is located.
+ type: string
+ required:
+ - region
+ - vault
+ type: object
+ vault:
+ description: Vault configures this store to sync secrets using Hashi provider
+ properties:
+ auth:
+ description: Auth configures how secret-manager authenticates with the Vault server.
+ properties:
+ appRole:
+ description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
+ properties:
+ path:
+ default: approle
+ description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
+ type: string
+ roleId:
+ description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
+ type: string
+ secretRef:
+ description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ required:
+ - path
+ - roleId
+ - secretRef
+ type: object
+ cert:
+ description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method
+ properties:
+ clientCert:
+ description: ClientCert is a certificate to authenticate using the Cert Vault authentication method
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ secretRef:
+ description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ jwt:
+ description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method
+ properties:
+ kubernetesServiceAccountToken:
+ description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API.
+ properties:
+ audiences:
+ description: Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified.
+ items:
+ type: string
+ type: array
+ expirationSeconds:
+ description: Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to 10 minutes.
+ format: int64
+ type: integer
+ serviceAccountRef:
+ description: Service account field containing the name of a kubernetes ServiceAccount.
+ properties:
+ audiences:
+ description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
+ items:
+ type: string
+ type: array
+ name:
+ description: The name of the ServiceAccount resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - serviceAccountRef
+ type: object
+ path:
+ default: jwt
+ description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"'
+ type: string
+ role:
+ description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method
+ type: string
+ secretRef:
+ description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ required:
+ - path
+ type: object
+ kubernetes:
+ description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
+ properties:
+ mountPath:
+ default: kubernetes
+ description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"'
+ type: string
+ role:
+ description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
+ type: string
+ secretRef:
+ description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ serviceAccountRef:
+ description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead.
+ properties:
+ audiences:
+ description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
+ items:
+ type: string
+ type: array
+ name:
+ description: The name of the ServiceAccount resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - mountPath
+ - role
+ type: object
+ ldap:
+ description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method
+ properties:
+ path:
+ default: ldap
+ description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"'
+ type: string
+ secretRef:
+ description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ username:
+ description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method
+ type: string
+ required:
+ - path
+ - username
+ type: object
+ tokenSecretRef:
+ description: TokenSecretRef authenticates with Vault by presenting a token.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ caBundle:
+ description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
+ format: byte
+ type: string
+ caProvider:
+ description: The provider for the CA bundle to use to validate Vault server certificate.
+ properties:
+ key:
+ description: The key the value inside of the provider type to use, only used with "Secret" type
+ type: string
+ name:
+ description: The name of the object located at the provider type.
+ type: string
+ namespace:
+ description: The namespace the Provider type is in.
+ type: string
+ type:
+ description: The type of provider to use such as "Secret", or "ConfigMap".
+ enum:
+ - Secret
+ - ConfigMap
+ type: string
+ required:
+ - name
+ - type
+ type: object
+ forwardInconsistent:
+ description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
+ type: boolean
+ namespace:
+ description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
+ type: string
+ path:
+ description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.'
+ type: string
+ readYourWrites:
+ description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency
+ type: boolean
+ server:
+ description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
+ type: string
+ version:
+ default: v2
+ description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2".
+ enum:
+ - v1
+ - v2
+ type: string
+ required:
+ - auth
+ - server
+ type: object
+ webhook:
+ description: Webhook configures this store to sync secrets using a generic templated webhook
+ properties:
+ body:
+ description: Body
+ type: string
+ caBundle:
+ description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
+ format: byte
+ type: string
+ caProvider:
+ description: The provider for the CA bundle to use to validate webhook server certificate.
+ properties:
+ key:
+ description: The key the value inside of the provider type to use, only used with "Secret" type
+ type: string
+ name:
+ description: The name of the object located at the provider type.
+ type: string
+ namespace:
+ description: The namespace the Provider type is in.
+ type: string
+ type:
+ description: The type of provider to use such as "Secret", or "ConfigMap".
+ enum:
+ - Secret
+ - ConfigMap
+ type: string
+ required:
+ - name
+ - type
+ type: object
+ headers:
+ additionalProperties:
+ type: string
+ description: Headers
+ type: object
+ method:
+ description: Webhook Method
+ type: string
+ result:
+ description: Result formatting
+ properties:
+ jsonPath:
+ description: Json path of return value
+ type: string
+ type: object
+ secrets:
+ description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name
+ items:
+ properties:
+ name:
+ description: Name of this secret in templates
+ type: string
+ secretRef:
+ description: Secret ref to fill in credentials
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ required:
+ - name
+ - secretRef
+ type: object
+ type: array
+ timeout:
+ description: Timeout
+ type: string
+ url:
+ description: Webhook url to call
+ type: string
+ required:
+ - result
+ - url
+ type: object
+ yandexlockbox:
+ description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
+ properties:
+ apiEndpoint:
+ description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
+ type: string
+ auth:
+ description: Auth defines the information necessary to authenticate against Yandex Lockbox
+ properties:
+ authorizedKeySecretRef:
+ description: The authorized key used for authentication
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ caProvider:
+ description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
+ properties:
+ certSecretRef:
+ description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ required:
+ - auth
+ type: object
+ type: object
+ retrySettings:
+ description: Used to configure http retries if failed
+ properties:
+ maxRetries:
+ format: int32
+ type: integer
+ retryInterval:
+ type: string
+ type: object
+ required:
+ - provider
+ type: object
+ status:
+ description: SecretStoreStatus defines the observed state of the SecretStore.
+ properties:
+ conditions:
+ items:
+ properties:
+ lastTransitionTime:
+ format: date-time
+ type: string
+ message:
+ type: string
+ reason:
+ type: string
+ status:
+ type: string
+ type:
+ type: string
+ required:
+ - status
+ - type
+ type: object
+ type: array
+ type: object
+ type: object
+ served: true
+ storage: false
+ subresources:
+ status: {}
+ - additionalPrinterColumns:
+ - jsonPath: .metadata.creationTimestamp
+ name: AGE
+ type: date
+ - jsonPath: .status.conditions[?(@.type=="Ready")].reason
+ name: Status
+ type: string
+ - jsonPath: .status.capabilities
+ name: Capabilities
+ type: string
+ - jsonPath: .status.conditions[?(@.type=="Ready")].status
+ name: Ready
+ type: string
+ name: v1beta1
+ schema:
+ openAPIV3Schema:
+ description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: SecretStoreSpec defines the desired state of SecretStore.
+ properties:
+ conditions:
+ description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore
+ items:
+ description: ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in for a ClusterSecretStore instance.
+ properties:
+ namespaceSelector:
+ description: Choose namespace using a labelSelector
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
+ items:
+ description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the selector applies to.
+ type: string
+ operator:
+ description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: Choose namespaces by name
+ items:
+ type: string
+ type: array
+ type: object
+ type: array
+ controller:
+ description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property'
+ type: string
+ provider:
+ description: Used to configure the provider. Only one provider may be set
+ maxProperties: 1
+ minProperties: 1
+ properties:
+ akeyless:
+ description: Akeyless configures this store to sync secrets using Akeyless Vault provider
+ properties:
+ akeylessGWApiURL:
+ description: Akeyless GW API Url from which the secrets to be fetched from.
+ type: string
+ authSecretRef:
+ description: Auth configures how the operator authenticates with Akeyless.
+ properties:
+ kubernetesAuth:
+ description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource.
+ properties:
+ accessID:
+ description: the Akeyless Kubernetes auth-method access-id
+ type: string
+ k8sConfName:
+ description: Kubernetes-auth configuration name in Akeyless-Gateway
+ type: string
+ secretRef:
+ description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ serviceAccountRef:
+ description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead.
+ properties:
+ audiences:
+ description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
+ items:
+ type: string
+ type: array
+ name:
+ description: The name of the ServiceAccount resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - accessID
+ - k8sConfName
+ type: object
+ secretRef:
+ description: Reference to a Secret that contains the details to authenticate with Akeyless.
+ properties:
+ accessID:
+ description: The SecretAccessID is used for authentication
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ accessType:
+ description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ accessTypeParam:
+ description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ type: object
+ caBundle:
+ description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection.
+ format: byte
+ type: string
+ caProvider:
+ description: The provider for the CA bundle to use to validate Akeyless Gateway certificate.
+ properties:
+ key:
+ description: The key where the CA certificate can be found in the Secret or ConfigMap.
+ type: string
+ name:
+ description: The name of the object located at the provider type.
+ type: string
+ namespace:
+ description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore.
+ type: string
+ type:
+ description: The type of provider to use such as "Secret", or "ConfigMap".
+ enum:
+ - Secret
+ - ConfigMap
+ type: string
+ required:
+ - name
+ - type
+ type: object
+ required:
+ - akeylessGWApiURL
+ - authSecretRef
+ type: object
+ alibaba:
+ description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
+ properties:
+ auth:
+ description: AlibabaAuth contains a secretRef for credentials.
+ properties:
+ rrsa:
+ description: Authenticate against Alibaba using RRSA.
+ properties:
+ oidcProviderArn:
+ type: string
+ oidcTokenFilePath:
+ type: string
+ roleArn:
+ type: string
+ sessionName:
+ type: string
+ required:
+ - oidcProviderArn
+ - oidcTokenFilePath
+ - roleArn
+ - sessionName
+ type: object
+ secretRef:
+ description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
+ properties:
+ accessKeyIDSecretRef:
+ description: The AccessKeyID is used for authentication
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ accessKeySecretSecretRef:
+ description: The AccessKeySecret is used for authentication
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
required:
@@ -458,10 +1448,7 @@ spec:
type: string
type: array
auth:
- description: |-
- Auth defines the information necessary to authenticate against AWS
- if not set aws sdk will infer credentials from your environment
- see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+ description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
properties:
jwt:
description: Authenticate against AWS using service account tokens.
@@ -470,115 +1457,60 @@ spec:
description: A reference to a ServiceAccount resource.
properties:
audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
+ description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
items:
type: string
type: array
name:
description: The name of the ServiceAccount resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- Namespace of the resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
required:
- name
type: object
type: object
secretRef:
- description: |-
- AWSAuthSecretRef holds secret references for AWS credentials
- both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
+ description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
properties:
accessKeyIDSecretRef:
description: The AccessKeyID is used for authentication
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
secretAccessKeySecretRef:
description: The SecretAccessKey is used for authentication
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
sessionTokenSecretRef:
- description: |-
- The SessionToken used for authentication
- This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
- see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
+ description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html'
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
type: object
@@ -586,9 +1518,6 @@ spec:
externalID:
description: AWS External ID set on assumed IAM roles
type: string
- prefix:
- description: Prefix adds a prefix to all retrieved values.
- type: string
region:
description: AWS Region to be used for the provider
type: string
@@ -599,20 +1528,10 @@ spec:
description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager
properties:
forceDeleteWithoutRecovery:
- description: |-
- Specifies whether to delete the secret without any recovery window. You
- can't use both this parameter and RecoveryWindowInDays in the same call.
- If you don't use either, then by default Secrets Manager uses a 30 day
- recovery window.
- see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery
+ description: 'Specifies whether to delete the secret without any recovery window. You can''t use both this parameter and RecoveryWindowInDays in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery'
type: boolean
recoveryWindowInDays:
- description: |-
- The number of days from 7 to 30 that Secrets Manager waits before
- permanently deleting the secret. You can't use both this parameter and
- ForceDeleteWithoutRecovery in the same call. If you don't use either,
- then by default Secrets Manager uses a 30 day recovery window.
- see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays
+ description: 'The number of days from 7 to 30 that Secrets Manager waits before permanently deleting the secret. You can''t use both this parameter and ForceDeleteWithoutRecovery in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays'
format: int64
type: integer
type: object
@@ -648,120 +1567,38 @@ spec:
description: AzureKV configures this store to sync secrets using Azure Key Vault provider
properties:
authSecretRef:
- description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
+ description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type.
properties:
- clientCertificate:
- description: The Azure ClientCertificate of the service principle used for authentication.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
clientId:
- description: The Azure clientId of the service principle or managed identity used for authentication.
+ description: The Azure clientId of the service principle used for authentication.
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
clientSecret:
description: The Azure ClientSecret of the service principle used for authentication.
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- tenantId:
- description: The Azure tenantId of the managed identity used for authentication.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
type: object
authType:
default: ServicePrincipal
- description: |-
- Auth type defines how to authenticate to the keyvault service.
- Valid values are:
- - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
- - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
+ description: 'Auth type defines how to authenticate to the keyvault service. Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)'
enum:
- ServicePrincipal
- ManagedIdentity
@@ -769,11 +1606,7 @@ spec:
type: string
environmentType:
default: PublicCloud
- description: |-
- EnvironmentType specifies the Azure cloud environment endpoints to use for
- connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
- The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
- PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
+ description: 'EnvironmentType specifies the Azure cloud environment endpoints to use for connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud'
enum:
- PublicCloud
- USGovernmentCloud
@@ -784,37 +1617,24 @@ spec:
description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
type: string
serviceAccountRef:
- description: |-
- ServiceAccountRef specified the service account
- that should be used when authenticating with WorkloadIdentity.
+ description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity.
properties:
audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
+ description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
items:
type: string
type: array
name:
description: The name of the ServiceAccount resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- Namespace of the resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
required:
- name
type: object
tenantId:
- description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
+ description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
type: string
vaultUrl:
description: Vault Url from which the secrets to be fetched from.
@@ -822,492 +1642,39 @@ spec:
required:
- vaultUrl
type: object
- beyondtrust:
- description: Beyondtrust configures this store to sync secrets using Password Safe provider.
- properties:
- auth:
- description: Auth configures how the operator authenticates with Beyondtrust.
- properties:
- apiKey:
- description: APIKey If not provided then ClientID/ClientSecret become required.
- properties:
- secretRef:
- description: SecretRef references a key in a secret that will be used as value.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- value:
- description: Value can be specified directly to set a value without using a secret.
- type: string
- type: object
- certificate:
- description: Certificate (cert.pem) for use when authenticating with an OAuth client Id using a Client Certificate.
- properties:
- secretRef:
- description: SecretRef references a key in a secret that will be used as value.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- value:
- description: Value can be specified directly to set a value without using a secret.
- type: string
- type: object
- certificateKey:
- description: Certificate private key (key.pem). For use when authenticating with an OAuth client Id
- properties:
- secretRef:
- description: SecretRef references a key in a secret that will be used as value.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- value:
- description: Value can be specified directly to set a value without using a secret.
- type: string
- type: object
- clientId:
- description: ClientID is the API OAuth Client ID.
- properties:
- secretRef:
- description: SecretRef references a key in a secret that will be used as value.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- value:
- description: Value can be specified directly to set a value without using a secret.
- type: string
- type: object
- clientSecret:
- description: ClientSecret is the API OAuth Client Secret.
- properties:
- secretRef:
- description: SecretRef references a key in a secret that will be used as value.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- value:
- description: Value can be specified directly to set a value without using a secret.
- type: string
- type: object
- type: object
- server:
- description: Auth configures how API server works.
- properties:
- apiUrl:
- type: string
- apiVersion:
- type: string
- clientTimeOutSeconds:
- description: Timeout specifies a time limit for requests made by this Client. The timeout includes connection time, any redirects, and reading the response body. Defaults to 45 seconds.
- type: integer
- retrievalType:
- description: The secret retrieval type. SECRET = Secrets Safe (credential, text, file). MANAGED_ACCOUNT = Password Safe account associated with a system.
- type: string
- separator:
- description: A character that separates the folder names.
- type: string
- verifyCA:
- type: boolean
- required:
- - apiUrl
- - verifyCA
- type: object
- required:
- - auth
- - server
- type: object
- bitwardensecretsmanager:
- description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider
- properties:
- apiURL:
- type: string
- auth:
- description: |-
- Auth configures how secret-manager authenticates with a bitwarden machine account instance.
- Make sure that the token being used has permissions on the given secret.
- properties:
- secretRef:
- description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance.
- properties:
- credentials:
- description: AccessToken used for the bitwarden instance.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - credentials
- type: object
- required:
- - secretRef
- type: object
- bitwardenServerSDKURL:
- type: string
- caBundle:
- description: |-
- Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack
- can be performed.
- type: string
- caProvider:
- description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider'
- properties:
- key:
- description: The key where the CA certificate can be found in the Secret or ConfigMap.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the object located at the provider type.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace the Provider type is in.
- Can only be defined when used in a ClusterSecretStore.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type:
- description: The type of provider to use such as "Secret", or "ConfigMap".
- enum:
- - Secret
- - ConfigMap
- type: string
- required:
- - name
- - type
- type: object
- identityURL:
- type: string
- organizationID:
- description: OrganizationID determines which organization this secret store manages.
- type: string
- projectID:
- description: ProjectID determines which project this secret store manages.
- type: string
- required:
- - auth
- - organizationID
- - projectID
- type: object
- chef:
- description: Chef configures this store to sync secrets with chef server
- properties:
- auth:
- description: Auth defines the information necessary to authenticate against chef Server
- properties:
- secretRef:
- description: ChefAuthSecretRef holds secret references for chef server login credentials.
- properties:
- privateKeySecretRef:
- description: SecretKey is the Signing Key in PEM format, used for authentication.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - privateKeySecretRef
- type: object
- required:
- - secretRef
- type: object
- serverUrl:
- description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/"
- type: string
- username:
- description: UserName should be the user ID on the chef server
- type: string
- required:
- - auth
- - serverUrl
- - username
- type: object
- cloudrusm:
- description: CloudruSM configures this store to sync secrets using the Cloud.ru Secret Manager provider
- properties:
- auth:
- description: CSMAuth contains a secretRef for credentials.
- properties:
- secretRef:
- description: CSMAuthSecretRef holds secret references for Cloud.ru credentials.
- properties:
- accessKeyIDSecretRef:
- description: The AccessKeyID is used for authentication
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- accessKeySecretSecretRef:
- description: The AccessKeySecret is used for authentication
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - accessKeyIDSecretRef
- - accessKeySecretSecretRef
- type: object
- type: object
- projectID:
- description: ProjectID is the project, which the secrets are stored in.
- type: string
- required:
- - auth
- type: object
conjur:
description: Conjur configures this store to sync secrets using conjur provider
properties:
auth:
- description: Defines authentication settings for connecting to Conjur.
properties:
apikey:
- description: Authenticates with Conjur using an API key.
properties:
account:
- description: Account is the Conjur organization account name.
type: string
apiKeyRef:
- description: |-
- A reference to a specific 'key' containing the Conjur API key
- within a Secret resource. In some instances, `key` is a required field.
+ description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
userRef:
- description: |-
- A reference to a specific 'key' containing the Conjur username
- within a Secret resource. In some instances, `key` is a required field.
+ description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
required:
@@ -1316,70 +1683,35 @@ spec:
- userRef
type: object
jwt:
- description: Jwt enables JWT authentication using Kubernetes service account tokens.
properties:
account:
- description: Account is the Conjur organization account name.
- type: string
- hostId:
- description: |-
- Optional HostID for JWT authentication. This may be used depending
- on how the Conjur JWT authenticator policy is configured.
type: string
secretRef:
- description: |-
- Optional SecretRef that refers to a key in a Secret resource containing JWT token to
- authenticate with Conjur using the JWT authentication method.
+ description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Conjur using the JWT authentication method.
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
serviceAccountRef:
- description: |-
- Optional ServiceAccountRef specifies the Kubernetes service account for which to request
- a token for with the `TokenRequest` API.
+ description: Optional ServiceAccountRef specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API.
properties:
audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
+ description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
items:
type: string
type: array
name:
description: The name of the ServiceAccount resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- Namespace of the resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
required:
- name
@@ -1393,33 +1725,18 @@ spec:
type: object
type: object
caBundle:
- description: CABundle is a PEM encoded CA bundle that will be used to validate the Conjur server certificate.
type: string
caProvider:
- description: |-
- Used to provide custom certificate authority (CA) certificates
- for a secret store. The CAProvider points to a Secret or ConfigMap resource
- that contains a PEM-encoded certificate.
+ description: Used to provide custom certificate authority (CA) certificates for a secret store. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate.
properties:
key:
description: The key where the CA certificate can be found in the Secret or ConfigMap.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
type: string
name:
description: The name of the object located at the provider type.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace the Provider type is in.
- Can only be defined when used in a ClusterSecretStore.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore.
type: string
type:
description: The type of provider to use such as "Secret", or "ConfigMap".
@@ -1432,16 +1749,13 @@ spec:
- type
type: object
url:
- description: URL is the endpoint of the Conjur instance.
type: string
required:
- auth
- url
type: object
delinea:
- description: |-
- Delinea DevOps Secrets Vault
- https://docs.delinea.com/online-help/products/devops-secrets-vault/current
+ description: Delinea DevOps Secrets Vault https://docs.delinea.com/online-help/products/devops-secrets-vault/current
properties:
clientId:
description: ClientID is the non-secret part of the credential.
@@ -1450,26 +1764,13 @@ spec:
description: SecretRef references a key in a secret that will be used as value.
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
value:
@@ -1483,26 +1784,13 @@ spec:
description: SecretRef references a key in a secret that will be used as value.
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
value:
@@ -1513,65 +1801,16 @@ spec:
description: Tenant is the chosen hostname / site name.
type: string
tld:
- description: |-
- TLD is based on the server location that was chosen during provisioning.
- If unset, defaults to "com".
+ description: TLD is based on the server location that was chosen during provisioning. If unset, defaults to "com".
type: string
urlTemplate:
- description: |-
- URLTemplate
- If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s".
+ description: URLTemplate If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s".
type: string
required:
- clientId
- clientSecret
- tenant
type: object
- device42:
- description: Device42 configures this store to sync secrets using the Device42 provider
- properties:
- auth:
- description: Auth configures how secret-manager authenticates with a Device42 instance.
- properties:
- secretRef:
- properties:
- credentials:
- description: Username / Password is used for authentication.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- required:
- - secretRef
- type: object
- host:
- description: URL configures the Device42 instance URL.
- type: string
- required:
- - auth
- - host
- type: object
doppler:
description: Doppler configures this store to sync secrets using the Doppler provider
properties:
@@ -1581,32 +1820,16 @@ spec:
secretRef:
properties:
dopplerToken:
- description: |-
- The DopplerToken is used for authentication.
- See https://docs.doppler.com/reference/api#authentication for auth token types.
- The Key attribute defaults to dopplerToken if not specified.
+ description: The DopplerToken is used for authentication. See https://docs.doppler.com/reference/api#authentication for auth token types. The Key attribute defaults to dopplerToken if not specified.
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
required:
@@ -1653,53 +1876,20 @@ spec:
type: string
value:
type: string
+ valueMap:
+ additionalProperties:
+ type: string
+ description: 'Deprecated: ValueMap is deprecated and is intended to be removed in the future, use the `value` field instead.'
+ type: object
version:
type: string
required:
- key
- - value
type: object
type: array
required:
- data
type: object
- fortanix:
- description: Fortanix configures this store to sync secrets using the Fortanix provider
- properties:
- apiKey:
- description: APIKey is the API token to access SDKMS Applications.
- properties:
- secretRef:
- description: SecretRef is a reference to a secret containing the SDKMS API Key.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- apiUrl:
- description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`.
- type: string
- type: object
gcpsm:
description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
properties:
@@ -1712,152 +1902,51 @@ spec:
description: The SecretAccessKey is used for authentication
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
type: object
workloadIdentity:
properties:
clusterLocation:
- description: |-
- ClusterLocation is the location of the cluster
- If not specified, it fetches information from the metadata server
type: string
clusterName:
- description: |-
- ClusterName is the name of the cluster
- If not specified, it fetches information from the metadata server
type: string
clusterProjectID:
- description: |-
- ClusterProjectID is the project ID of the cluster
- If not specified, it fetches information from the metadata server
type: string
serviceAccountRef:
description: A reference to a ServiceAccount resource.
properties:
audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
+ description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
items:
type: string
type: array
name:
description: The name of the ServiceAccount resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- Namespace of the resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
required:
- name
type: object
required:
+ - clusterLocation
+ - clusterName
- serviceAccountRef
type: object
type: object
- location:
- description: Location optionally defines a location for a secret
- type: string
projectID:
description: ProjectID project where secret is located
type: string
type: object
- github:
- description: Github configures this store to push Github Action secrets using Github API provider
- properties:
- appID:
- description: appID specifies the Github APP that will be used to authenticate the client
- format: int64
- type: integer
- auth:
- description: auth configures how secret-manager authenticates with a Github instance.
- properties:
- privateKey:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - privateKey
- type: object
- environment:
- description: environment will be used to fetch secrets from a particular environment within a github repository
- type: string
- installationID:
- description: installationID specifies the Github APP installation that will be used to authenticate the client
- format: int64
- type: integer
- organization:
- description: organization will be used to fetch secrets from the Github organization
- type: string
- repository:
- description: repository will be used to fetch secrets from the Github repository within an organization
- type: string
- uploadURL:
- description: Upload URL for enterprise instances. Default to URL.
- type: string
- url:
- default: https://github.com/
- description: URL configures the Github instance URL. Defaults to https://github.com/.
- type: string
- required:
- - appID
- - auth
- - installationID
- - organization
- type: object
gitlab:
description: GitLab configures this store to sync secrets using GitLab Variables provider
properties:
@@ -1870,26 +1959,13 @@ spec:
description: AccessToken is used for authentication.
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
type: object
@@ -1944,26 +2020,13 @@ spec:
description: The SecretAccessKey is used for authentication
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
type: object
@@ -1974,137 +2037,20 @@ spec:
required:
- auth
type: object
- infisical:
- description: Infisical configures this store to sync secrets using the Infisical provider
- properties:
- auth:
- description: Auth configures how the Operator authenticates with the Infisical API
- properties:
- universalAuthCredentials:
- properties:
- clientId:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- clientSecret:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - clientId
- - clientSecret
- type: object
- type: object
- hostAPI:
- default: https://app.infisical.com/api
- description: HostAPI specifies the base URL of the Infisical API. If not provided, it defaults to "https://app.infisical.com/api".
- type: string
- secretsScope:
- description: SecretsScope defines the scope of the secrets within the workspace
- properties:
- environmentSlug:
- description: EnvironmentSlug is the required slug identifier for the environment.
- type: string
- expandSecretReferences:
- default: true
- description: ExpandSecretReferences indicates whether secret references should be expanded. Defaults to true if not provided.
- type: boolean
- projectSlug:
- description: ProjectSlug is the required slug identifier for the project.
- type: string
- recursive:
- default: false
- description: Recursive indicates whether the secrets should be fetched recursively. Defaults to false if not provided.
- type: boolean
- secretsPath:
- default: /
- description: SecretsPath specifies the path to the secrets within the workspace. Defaults to "/" if not provided.
- type: string
- required:
- - environmentSlug
- - projectSlug
- type: object
- required:
- - auth
- - secretsScope
- type: object
keepersecurity:
description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider
properties:
authRef:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
+ description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
folderID:
@@ -2125,59 +2071,29 @@ spec:
description: has both clientCert and clientKey as secretKeySelector
properties:
clientCert:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
+ description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
clientKey:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
+ description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
type: object
@@ -2185,26 +2101,15 @@ spec:
description: points to a service account that should be used for authentication
properties:
audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
+ description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
items:
type: string
type: array
name:
description: The name of the ServiceAccount resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- Namespace of the resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
required:
- name
@@ -2213,67 +2118,23 @@ spec:
description: use static token to authenticate with
properties:
bearerToken:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
+ description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
type: object
type: object
- authRef:
- description: A reference to a secret that contains the auth information.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
remoteNamespace:
default: default
description: Remote namespace to fetch the secrets from
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
server:
description: configures the Kubernetes server Address.
@@ -2287,23 +2148,12 @@ spec:
properties:
key:
description: The key where the CA certificate can be found in the Secret or ConfigMap.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
type: string
name:
description: The name of the object located at the provider type.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace the Provider type is in.
- Can only be defined when used in a ClusterSecretStore.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore.
type: string
type:
description: The type of provider to use such as "Secret", or "ConfigMap".
@@ -2320,88 +2170,8 @@ spec:
description: configures the Kubernetes server Address.
type: string
type: object
- type: object
- onboardbase:
- description: Onboardbase configures this store to sync secrets using the Onboardbase provider
- properties:
- apiHost:
- default: https://public.onboardbase.com/api/v1/
- description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/
- type: string
- auth:
- description: Auth configures how the Operator authenticates with the Onboardbase API
- properties:
- apiKeyRef:
- description: |-
- OnboardbaseAPIKey is the APIKey generated by an admin account.
- It is used to recognize and authorize access to a project and environment within onboardbase
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- passcodeRef:
- description: OnboardbasePasscode is the passcode attached to the API Key
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - apiKeyRef
- - passcodeRef
- type: object
- environment:
- default: development
- description: Environment is the name of an environmnent within a project to pull the secrets from
- type: string
- project:
- default: development
- description: Project is an onboardbase project that the secrets should be pulled from
- type: string
required:
- - apiHost
- auth
- - environment
- - project
type: object
onepassword:
description: OnePassword configures this store to sync secrets using the 1Password Cloud provider
@@ -2416,26 +2186,13 @@ spec:
description: The ConnectToken is used for authentication to a 1Password Connect Server.
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
required:
@@ -2461,9 +2218,7 @@ spec:
description: Oracle configures this store to sync secrets using Oracle Vault provider
properties:
auth:
- description: |-
- Auth configures how secret-manager authenticates with the Oracle Vault.
- If empty, use the instance principal, otherwise the user credentials specified in Auth.
+ description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth.
properties:
secretRef:
description: SecretRef to pass through sensitive information.
@@ -2472,52 +2227,26 @@ spec:
description: Fingerprint is the fingerprint of the API private key.
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
privatekey:
description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
required:
@@ -2536,20 +2265,13 @@ spec:
- user
type: object
compartment:
- description: |-
- Compartment is the vault compartment OCID.
- Required for PushSecret
+ description: Compartment is the vault compartment OCID. Required for PushSecret
type: string
encryptionKey:
- description: |-
- EncryptionKey is the OCID of the encryption key within the vault.
- Required for PushSecret
+ description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret
type: string
principalType:
- description: |-
- The type of principal to use for authentication. If left blank, the Auth struct will
- determine the principal type. This optional field must be specified if using
- workload identity.
+ description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity.
enum:
- ""
- UserPrincipal
@@ -2560,31 +2282,18 @@ spec:
description: Region is the region where vault is located.
type: string
serviceAccountRef:
- description: |-
- ServiceAccountRef specified the service account
- that should be used when authenticating with WorkloadIdentity.
+ description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity.
properties:
audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
+ description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
items:
type: string
type: array
name:
description: The name of the ServiceAccount resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- Namespace of the resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
required:
- name
@@ -2596,229 +2305,6 @@ spec:
- region
- vault
type: object
- passbolt:
- properties:
- auth:
- description: Auth defines the information necessary to authenticate against Passbolt Server
- properties:
- passwordSecretRef:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- privateKeySecretRef:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - passwordSecretRef
- - privateKeySecretRef
- type: object
- host:
- description: Host defines the Passbolt Server to connect to
- type: string
- required:
- - auth
- - host
- type: object
- passworddepot:
- description: Configures a store to sync secrets with a Password Depot instance.
- properties:
- auth:
- description: Auth configures how secret-manager authenticates with a Password Depot instance.
- properties:
- secretRef:
- properties:
- credentials:
- description: Username / Password is used for authentication.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- required:
- - secretRef
- type: object
- database:
- description: Database to use as source
- type: string
- host:
- description: URL configures the Password Depot instance URL.
- type: string
- required:
- - auth
- - database
- - host
- type: object
- previder:
- description: Previder configures this store to sync secrets using the Previder provider
- properties:
- auth:
- description: PreviderAuth contains a secretRef for credentials.
- properties:
- secretRef:
- description: PreviderAuthSecretRef holds secret references for Previder Vault credentials.
- properties:
- accessToken:
- description: The AccessToken is used for authentication
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - accessToken
- type: object
- type: object
- baseUri:
- type: string
- required:
- - auth
- type: object
- pulumi:
- description: Pulumi configures this store to sync secrets using the Pulumi provider
- properties:
- accessToken:
- description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console.
- properties:
- secretRef:
- description: SecretRef is a reference to a secret containing the Pulumi API token.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- apiUrl:
- default: https://api.pulumi.com/api/esc
- description: APIURL is the URL of the Pulumi API.
- type: string
- environment:
- description: |-
- Environment are YAML documents composed of static key-value pairs, programmatic expressions,
- dynamically retrieved values from supported providers including all major clouds,
- and other Pulumi ESC environments.
- To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information.
- type: string
- organization:
- description: |-
- Organization are a space to collaborate on shared projects and stacks.
- To create a new organization, visit https://app.pulumi.com/ and click "New Organization".
- type: string
- project:
- description: Project is the name of the Pulumi ESC project the environment belongs to.
- type: string
- required:
- - accessToken
- - environment
- - organization
- - project
- type: object
scaleway:
description: Scaleway
properties:
@@ -2829,26 +2315,13 @@ spec:
description: SecretRef references a key in a secret that will be used as value.
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
value:
@@ -2871,26 +2344,13 @@ spec:
description: SecretRef references a key in a secret that will be used as value.
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
value:
@@ -2903,87 +2363,6 @@ spec:
- region
- secretKey
type: object
- secretserver:
- description: |-
- SecretServer configures this store to sync secrets using SecretServer provider
- https://docs.delinea.com/online-help/secret-server/start.htm
- properties:
- password:
- description: Password is the secret server account password.
- properties:
- secretRef:
- description: SecretRef references a key in a secret that will be used as value.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- value:
- description: Value can be specified directly to set a value without using a secret.
- type: string
- type: object
- serverURL:
- description: |-
- ServerURL
- URL to your secret server installation
- type: string
- username:
- description: Username is the secret server account username.
- properties:
- secretRef:
- description: SecretRef references a key in a secret that will be used as value.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- value:
- description: Value can be specified directly to set a value without using a secret.
- type: string
- type: object
- required:
- - password
- - serverURL
- - username
- type: object
senhasegura:
description: Senhasegura configures this store to sync secrets using senhasegura provider
properties:
@@ -2993,31 +2372,16 @@ spec:
clientId:
type: string
clientSecretSecretRef:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
+ description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
required:
@@ -3046,79 +2410,39 @@ spec:
description: Auth configures how secret-manager authenticates with the Vault server.
properties:
appRole:
- description: |-
- AppRole authenticates with Vault using the App Role auth mechanism,
- with the role and secret stored in a Kubernetes Secret resource.
+ description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
properties:
path:
default: approle
- description: |-
- Path where the App Role authentication backend is mounted
- in Vault, e.g: "approle"
+ description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
type: string
roleId:
- description: |-
- RoleID configured in the App Role authentication backend when setting
- up the authentication backend in Vault.
+ description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
type: string
roleRef:
- description: |-
- Reference to a key in a Secret that contains the App Role ID used
- to authenticate with Vault.
- The `key` field must be specified and denotes which entry within the Secret
- resource is used as the app role id.
+ description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id.
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
secretRef:
- description: |-
- Reference to a key in a Secret that contains the App Role secret used
- to authenticate with Vault.
- The `key` field must be specified and denotes which entry within the Secret
- resource is used as the app role secret.
+ description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
required:
@@ -3126,71 +2450,37 @@ spec:
- secretRef
type: object
cert:
- description: |-
- Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
- Cert authentication method
+ description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method
properties:
clientCert:
- description: |-
- ClientCert is a certificate to authenticate using the Cert Vault
- authentication method
+ description: ClientCert is a certificate to authenticate using the Cert Vault authentication method
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
secretRef:
- description: |-
- SecretRef to a key in a Secret resource containing client private key to
- authenticate with Vault using the Cert authentication method
+ description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
type: object
iam:
- description: |-
- Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials
- AWS IAM authentication method
+ description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method
properties:
externalID:
description: AWS External ID set on assumed IAM roles
@@ -3202,26 +2492,15 @@ spec:
description: A reference to a ServiceAccount resource.
properties:
audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
+ description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
items:
type: string
type: array
name:
description: The name of the ServiceAccount resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- Namespace of the resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
required:
- name
@@ -3243,81 +2522,39 @@ spec:
description: The AccessKeyID is used for authentication
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
secretAccessKeySecretRef:
description: The SecretAccessKey is used for authentication
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
sessionTokenSecretRef:
- description: |-
- The SessionToken used for authentication
- This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
- see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
+ description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html'
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
type: object
@@ -3331,57 +2568,33 @@ spec:
- vaultRole
type: object
jwt:
- description: |-
- Jwt authenticates with Vault by passing role and JWT token using the
- JWT/OIDC authentication method
+ description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method
properties:
kubernetesServiceAccountToken:
- description: |-
- Optional ServiceAccountToken specifies the Kubernetes service account for which to request
- a token for with the `TokenRequest` API.
+ description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API.
properties:
audiences:
- description: |-
- Optional audiences field that will be used to request a temporary Kubernetes service
- account token for the service account referenced by `serviceAccountRef`.
- Defaults to a single audience `vault` it not specified.
- Deprecated: use serviceAccountRef.Audiences instead
+ description: 'Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. Deprecated: use serviceAccountRef.Audiences instead'
items:
type: string
type: array
expirationSeconds:
- description: |-
- Optional expiration time in seconds that will be used to request a temporary
- Kubernetes service account token for the service account referenced by
- `serviceAccountRef`.
- Deprecated: this will be removed in the future.
- Defaults to 10 minutes.
+ description: 'Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Deprecated: this will be removed in the future. Defaults to 10 minutes.'
format: int64
type: integer
serviceAccountRef:
description: Service account field containing the name of a kubernetes ServiceAccount.
properties:
audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
+ description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
items:
type: string
type: array
name:
description: The name of the ServiceAccount resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- Namespace of the resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
required:
- name
@@ -3391,120 +2604,63 @@ spec:
type: object
path:
default: jwt
- description: |-
- Path where the JWT authentication backend is mounted
- in Vault, e.g: "jwt"
+ description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"'
type: string
role:
- description: |-
- Role is a JWT role to authenticate using the JWT/OIDC Vault
- authentication method
+ description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method
type: string
secretRef:
- description: |-
- Optional SecretRef that refers to a key in a Secret resource containing JWT token to
- authenticate with Vault using the JWT/OIDC authentication method.
+ description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method.
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
required:
- path
type: object
kubernetes:
- description: |-
- Kubernetes authenticates with Vault by passing the ServiceAccount
- token stored in the named Secret resource to the Vault server.
+ description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
properties:
mountPath:
default: kubernetes
- description: |-
- Path where the Kubernetes authentication backend is mounted in Vault, e.g:
- "kubernetes"
+ description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"'
type: string
role:
- description: |-
- A required field containing the Vault Role to assume. A Role binds a
- Kubernetes ServiceAccount with a set of Vault policies.
+ description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
type: string
secretRef:
- description: |-
- Optional secret field containing a Kubernetes ServiceAccount JWT used
- for authenticating with Vault. If a name is specified without a key,
- `token` is the default. If one is not specified, the one bound to
- the controller will be used.
+ description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used.
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
serviceAccountRef:
- description: |-
- Optional service account field containing the name of a kubernetes ServiceAccount.
- If the service account is specified, the service account secret token JWT will be used
- for authenticating with Vault. If the service account selector is not supplied,
- the secretRef will be used instead.
+ description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead.
properties:
audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
+ description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
items:
type: string
type: array
name:
description: The name of the ServiceAccount resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- Namespace of the resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
required:
- name
@@ -3514,130 +2670,67 @@ spec:
- role
type: object
ldap:
- description: |-
- Ldap authenticates with Vault by passing username/password pair using
- the LDAP authentication method
+ description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method
properties:
path:
default: ldap
- description: |-
- Path where the LDAP authentication backend is mounted
- in Vault, e.g: "ldap"
+ description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"'
type: string
secretRef:
- description: |-
- SecretRef to a key in a Secret resource containing password for the LDAP
- user used to authenticate with Vault using the LDAP authentication
- method
+ description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
username:
- description: |-
- Username is an LDAP username used to authenticate using the LDAP Vault
- authentication method
+ description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method
type: string
required:
- path
- username
type: object
- namespace:
- description: |-
- Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in.
- Namespaces is a set of features within Vault Enterprise that allows
- Vault environments to support Secure Multi-tenancy. e.g: "ns1".
- More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
- This will default to Vault.Namespace field if set, or empty otherwise
- type: string
tokenSecretRef:
description: TokenSecretRef authenticates with Vault by presenting a token.
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
userPass:
description: UserPass authenticates with Vault by passing username/password pair
properties:
path:
- default: userpass
- description: |-
- Path where the UserPassword authentication backend is mounted
- in Vault, e.g: "userpass"
+ default: user
+ description: 'Path where the UserPassword authentication backend is mounted in Vault, e.g: "user"'
type: string
secretRef:
- description: |-
- SecretRef to a key in a Secret resource containing password for the
- user used to authenticate with Vault using the UserPass authentication
- method
+ description: SecretRef to a key in a Secret resource containing password for the user used to authenticate with Vault using the UserPass authentication method
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
username:
- description: |-
- Username is a username used to authenticate using the UserPass Vault
- authentication method
+ description: Username is a user name used to authenticate using the UserPass Vault authentication method
type: string
required:
- path
@@ -3645,11 +2738,7 @@ spec:
type: object
type: object
caBundle:
- description: |-
- PEM encoded CA bundle used to validate Vault server certificate. Only used
- if the Server URL is using HTTPS protocol. This parameter is ignored for
- plain HTTP protocol connection. If not set the system root certificates
- are used to validate the TLS connection.
+ description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
format: byte
type: string
caProvider:
@@ -3657,23 +2746,12 @@ spec:
properties:
key:
description: The key where the CA certificate can be found in the Secret or ConfigMap.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
type: string
name:
description: The name of the object located at the provider type.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace the Provider type is in.
- Can only be defined when used in a ClusterSecretStore.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore.
type: string
type:
description: The type of provider to use such as "Secret", or "ConfigMap".
@@ -3686,222 +2764,52 @@ spec:
- type
type: object
forwardInconsistent:
- description: |-
- ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
- leader instead of simply retrying within a loop. This can increase performance if
- the option is enabled serverside.
- https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
+ description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
type: boolean
- headers:
- additionalProperties:
- type: string
- description: Headers to be added in Vault request
- type: object
namespace:
- description: |-
- Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
- Vault environments to support Secure Multi-tenancy. e.g: "ns1".
- More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
+ description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
type: string
path:
- description: |-
- Path is the mount path of the Vault KV backend endpoint, e.g:
- "secret". The v2 KV secret engine version specific "/data" path suffix
- for fetching secrets from Vault is optional and will be appended
- if not present in specified path.
+ description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.'
type: string
readYourWrites:
- description: |-
- ReadYourWrites ensures isolated read-after-write semantics by
- providing discovered cluster replication states in each request.
- More information about eventual consistency in Vault can be found here
- https://www.vaultproject.io/docs/enterprise/consistency
+ description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency
type: boolean
server:
description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
type: string
- tls:
- description: |-
- The configuration used for client side related TLS communication, when the Vault server
- requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
- This parameter is ignored for plain HTTP protocol connection.
- It's worth noting this configuration is different from the "TLS certificates auth method",
- which is available under the `auth.cert` section.
- properties:
- certSecretRef:
- description: |-
- CertSecretRef is a certificate added to the transport layer
- when communicating with the Vault server.
- If no key for the Secret is specified, external-secret will default to 'tls.crt'.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- keySecretRef:
- description: |-
- KeySecretRef to a key in a Secret resource containing client private key
- added to the transport layer when communicating with the Vault server.
- If no key for the Secret is specified, external-secret will default to 'tls.key'.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
version:
default: v2
- description: |-
- Version is the Vault KV secret engine version. This can be either "v1" or
- "v2". Version defaults to "v2".
+ description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2".
enum:
- v1
- v2
type: string
required:
+ - auth
- server
type: object
webhook:
description: Webhook configures this store to sync secrets using a generic templated webhook
properties:
- auth:
- description: Auth specifies a authorization protocol. Only one protocol may be set.
- maxProperties: 1
- minProperties: 1
- properties:
- ntlm:
- description: NTLMProtocol configures the store to use NTLM for auth
- properties:
- passwordSecret:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- usernameSecret:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - passwordSecret
- - usernameSecret
- type: object
- type: object
body:
description: Body
type: string
caBundle:
- description: |-
- PEM encoded CA bundle used to validate webhook server certificate. Only used
- if the Server URL is using HTTPS protocol. This parameter is ignored for
- plain HTTP protocol connection. If not set the system root certificates
- are used to validate the TLS connection.
+ description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
format: byte
type: string
caProvider:
description: The provider for the CA bundle to use to validate webhook server certificate.
properties:
key:
- description: The key where the CA certificate can be found in the Secret or ConfigMap.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key the value inside of the provider type to use, only used with "Secret" type
type: string
name:
description: The name of the object located at the provider type.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
description: The namespace the Provider type is in.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
type:
description: The type of provider to use such as "Secret", or "ConfigMap".
@@ -3929,9 +2837,7 @@ spec:
type: string
type: object
secrets:
- description: |-
- Secrets to fill in templates
- These secrets will be passed to the templating function as key value pairs under the given name
+ description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name
items:
properties:
name:
@@ -3941,26 +2847,13 @@ spec:
description: Secret ref to fill in credentials
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
required:
@@ -3991,26 +2884,13 @@ spec:
description: The authorized key used for authentication
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
type: object
@@ -4018,31 +2898,16 @@ spec:
description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
properties:
certSecretRef:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
+ description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
type: object
@@ -4062,26 +2927,13 @@ spec:
description: The authorized key used for authentication
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
type: object
@@ -4089,31 +2941,16 @@ spec:
description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
properties:
certSecretRef:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
+ description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
type: object
@@ -4167,4145 +3004,16 @@ spec:
storage: true
subresources:
status: {}
- - additionalPrinterColumns:
- - jsonPath: .metadata.creationTimestamp
- name: AGE
- type: date
- - jsonPath: .status.conditions[?(@.type=="Ready")].reason
- name: Status
- type: string
- - jsonPath: .status.capabilities
- name: Capabilities
- type: string
- - jsonPath: .status.conditions[?(@.type=="Ready")].status
- name: Ready
- type: string
- name: v1beta1
- schema:
- openAPIV3Schema:
- description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
- properties:
- apiVersion:
- description: |-
- APIVersion defines the versioned schema of this representation of an object.
- Servers should convert recognized schemas to the latest internal value, and
- may reject unrecognized values.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
- type: string
- kind:
- description: |-
- Kind is a string value representing the REST resource this object represents.
- Servers may infer this from the endpoint the client submits requests to.
- Cannot be updated.
- In CamelCase.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
- type: string
- metadata:
- type: object
- spec:
- description: SecretStoreSpec defines the desired state of SecretStore.
- properties:
- conditions:
- description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore
- items:
- description: |-
- ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in
- for a ClusterSecretStore instance.
- properties:
- namespaceRegexes:
- description: Choose namespaces by using regex matching
- items:
- type: string
- type: array
- namespaceSelector:
- description: Choose namespace using a labelSelector
- properties:
- matchExpressions:
- description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the selector applies to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- required:
- - key
- - operator
- type: object
- type: array
- x-kubernetes-list-type: atomic
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- namespaces:
- description: Choose namespaces by name
- items:
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- controller:
- description: |-
- Used to select the correct ESO controller (think: ingress.ingressClassName)
- The ESO controller is instantiated with a specific controller name and filters ES based on this property
- type: string
- provider:
- description: Used to configure the provider. Only one provider may be set
- maxProperties: 1
- minProperties: 1
- properties:
- akeyless:
- description: Akeyless configures this store to sync secrets using Akeyless Vault provider
- properties:
- akeylessGWApiURL:
- description: Akeyless GW API Url from which the secrets to be fetched from.
- type: string
- authSecretRef:
- description: Auth configures how the operator authenticates with Akeyless.
- properties:
- kubernetesAuth:
- description: |-
- Kubernetes authenticates with Akeyless by passing the ServiceAccount
- token stored in the named Secret resource.
- properties:
- accessID:
- description: the Akeyless Kubernetes auth-method access-id
- type: string
- k8sConfName:
- description: Kubernetes-auth configuration name in Akeyless-Gateway
- type: string
- secretRef:
- description: |-
- Optional secret field containing a Kubernetes ServiceAccount JWT used
- for authenticating with Akeyless. If a name is specified without a key,
- `token` is the default. If one is not specified, the one bound to
- the controller will be used.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- serviceAccountRef:
- description: |-
- Optional service account field containing the name of a kubernetes ServiceAccount.
- If the service account is specified, the service account secret token JWT will be used
- for authenticating with Akeyless. If the service account selector is not supplied,
- the secretRef will be used instead.
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- required:
- - name
- type: object
- required:
- - accessID
- - k8sConfName
- type: object
- secretRef:
- description: |-
- Reference to a Secret that contains the details
- to authenticate with Akeyless.
- properties:
- accessID:
- description: The SecretAccessID is used for authentication
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- accessType:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- accessTypeParam:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- type: object
- caBundle:
- description: |-
- PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used
- if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates
- are used to validate the TLS connection.
- format: byte
- type: string
- caProvider:
- description: The provider for the CA bundle to use to validate Akeyless Gateway certificate.
- properties:
- key:
- description: The key where the CA certificate can be found in the Secret or ConfigMap.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the object located at the provider type.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace the Provider type is in.
- Can only be defined when used in a ClusterSecretStore.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type:
- description: The type of provider to use such as "Secret", or "ConfigMap".
- enum:
- - Secret
- - ConfigMap
- type: string
- required:
- - name
- - type
- type: object
- required:
- - akeylessGWApiURL
- - authSecretRef
- type: object
- alibaba:
- description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
- properties:
- auth:
- description: AlibabaAuth contains a secretRef for credentials.
- properties:
- rrsa:
- description: Authenticate against Alibaba using RRSA.
- properties:
- oidcProviderArn:
- type: string
- oidcTokenFilePath:
- type: string
- roleArn:
- type: string
- sessionName:
- type: string
- required:
- - oidcProviderArn
- - oidcTokenFilePath
- - roleArn
- - sessionName
- type: object
- secretRef:
- description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
- properties:
- accessKeyIDSecretRef:
- description: The AccessKeyID is used for authentication
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- accessKeySecretSecretRef:
- description: The AccessKeySecret is used for authentication
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - accessKeyIDSecretRef
- - accessKeySecretSecretRef
- type: object
- type: object
- regionID:
- description: Alibaba Region to be used for the provider
- type: string
- required:
- - auth
- - regionID
- type: object
- aws:
- description: AWS configures this store to sync secrets using AWS Secret Manager provider
- properties:
- additionalRoles:
- description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role
- items:
- type: string
- type: array
- auth:
- description: |-
- Auth defines the information necessary to authenticate against AWS
- if not set aws sdk will infer credentials from your environment
- see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
- properties:
- jwt:
- description: Authenticate against AWS using service account tokens.
- properties:
- serviceAccountRef:
- description: A reference to a ServiceAccount resource.
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- required:
- - name
- type: object
- type: object
- secretRef:
- description: |-
- AWSAuthSecretRef holds secret references for AWS credentials
- both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
- properties:
- accessKeyIDSecretRef:
- description: The AccessKeyID is used for authentication
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- secretAccessKeySecretRef:
- description: The SecretAccessKey is used for authentication
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- sessionTokenSecretRef:
- description: |-
- The SessionToken used for authentication
- This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
- see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- type: object
- externalID:
- description: AWS External ID set on assumed IAM roles
- type: string
- prefix:
- description: Prefix adds a prefix to all retrieved values.
- type: string
- region:
- description: AWS Region to be used for the provider
- type: string
- role:
- description: Role is a Role ARN which the provider will assume
- type: string
- secretsManager:
- description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager
- properties:
- forceDeleteWithoutRecovery:
- description: |-
- Specifies whether to delete the secret without any recovery window. You
- can't use both this parameter and RecoveryWindowInDays in the same call.
- If you don't use either, then by default Secrets Manager uses a 30 day
- recovery window.
- see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery
- type: boolean
- recoveryWindowInDays:
- description: |-
- The number of days from 7 to 30 that Secrets Manager waits before
- permanently deleting the secret. You can't use both this parameter and
- ForceDeleteWithoutRecovery in the same call. If you don't use either,
- then by default Secrets Manager uses a 30 day recovery window.
- see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays
- format: int64
- type: integer
- type: object
- service:
- description: Service defines which service should be used to fetch the secrets
- enum:
- - SecretsManager
- - ParameterStore
- type: string
- sessionTags:
- description: AWS STS assume role session tags
- items:
- properties:
- key:
- type: string
- value:
- type: string
- required:
- - key
- - value
- type: object
- type: array
- transitiveTagKeys:
- description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider
- items:
- type: string
- type: array
- required:
- - region
- - service
- type: object
- azurekv:
- description: AzureKV configures this store to sync secrets using Azure Key Vault provider
- properties:
- authSecretRef:
- description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
- properties:
- clientCertificate:
- description: The Azure ClientCertificate of the service principle used for authentication.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- clientId:
- description: The Azure clientId of the service principle or managed identity used for authentication.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- clientSecret:
- description: The Azure ClientSecret of the service principle used for authentication.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- tenantId:
- description: The Azure tenantId of the managed identity used for authentication.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- authType:
- default: ServicePrincipal
- description: |-
- Auth type defines how to authenticate to the keyvault service.
- Valid values are:
- - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
- - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
- enum:
- - ServicePrincipal
- - ManagedIdentity
- - WorkloadIdentity
- type: string
- environmentType:
- default: PublicCloud
- description: |-
- EnvironmentType specifies the Azure cloud environment endpoints to use for
- connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
- The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
- PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
- enum:
- - PublicCloud
- - USGovernmentCloud
- - ChinaCloud
- - GermanCloud
- type: string
- identityId:
- description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
- type: string
- serviceAccountRef:
- description: |-
- ServiceAccountRef specified the service account
- that should be used when authenticating with WorkloadIdentity.
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- required:
- - name
- type: object
- tenantId:
- description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
- type: string
- vaultUrl:
- description: Vault Url from which the secrets to be fetched from.
- type: string
- required:
- - vaultUrl
- type: object
- beyondtrust:
- description: Beyondtrust configures this store to sync secrets using Password Safe provider.
- properties:
- auth:
- description: Auth configures how the operator authenticates with Beyondtrust.
- properties:
- apiKey:
- description: APIKey If not provided then ClientID/ClientSecret become required.
- properties:
- secretRef:
- description: SecretRef references a key in a secret that will be used as value.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- value:
- description: Value can be specified directly to set a value without using a secret.
- type: string
- type: object
- certificate:
- description: Certificate (cert.pem) for use when authenticating with an OAuth client Id using a Client Certificate.
- properties:
- secretRef:
- description: SecretRef references a key in a secret that will be used as value.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- value:
- description: Value can be specified directly to set a value without using a secret.
- type: string
- type: object
- certificateKey:
- description: Certificate private key (key.pem). For use when authenticating with an OAuth client Id
- properties:
- secretRef:
- description: SecretRef references a key in a secret that will be used as value.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- value:
- description: Value can be specified directly to set a value without using a secret.
- type: string
- type: object
- clientId:
- description: ClientID is the API OAuth Client ID.
- properties:
- secretRef:
- description: SecretRef references a key in a secret that will be used as value.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- value:
- description: Value can be specified directly to set a value without using a secret.
- type: string
- type: object
- clientSecret:
- description: ClientSecret is the API OAuth Client Secret.
- properties:
- secretRef:
- description: SecretRef references a key in a secret that will be used as value.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- value:
- description: Value can be specified directly to set a value without using a secret.
- type: string
- type: object
- type: object
- server:
- description: Auth configures how API server works.
- properties:
- apiUrl:
- type: string
- apiVersion:
- type: string
- clientTimeOutSeconds:
- description: Timeout specifies a time limit for requests made by this Client. The timeout includes connection time, any redirects, and reading the response body. Defaults to 45 seconds.
- type: integer
- retrievalType:
- description: The secret retrieval type. SECRET = Secrets Safe (credential, text, file). MANAGED_ACCOUNT = Password Safe account associated with a system.
- type: string
- separator:
- description: A character that separates the folder names.
- type: string
- verifyCA:
- type: boolean
- required:
- - apiUrl
- - verifyCA
- type: object
- required:
- - auth
- - server
- type: object
- bitwardensecretsmanager:
- description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider
- properties:
- apiURL:
- type: string
- auth:
- description: |-
- Auth configures how secret-manager authenticates with a bitwarden machine account instance.
- Make sure that the token being used has permissions on the given secret.
- properties:
- secretRef:
- description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance.
- properties:
- credentials:
- description: AccessToken used for the bitwarden instance.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - credentials
- type: object
- required:
- - secretRef
- type: object
- bitwardenServerSDKURL:
- type: string
- caBundle:
- description: |-
- Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack
- can be performed.
- type: string
- caProvider:
- description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider'
- properties:
- key:
- description: The key where the CA certificate can be found in the Secret or ConfigMap.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the object located at the provider type.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace the Provider type is in.
- Can only be defined when used in a ClusterSecretStore.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type:
- description: The type of provider to use such as "Secret", or "ConfigMap".
- enum:
- - Secret
- - ConfigMap
- type: string
- required:
- - name
- - type
- type: object
- identityURL:
- type: string
- organizationID:
- description: OrganizationID determines which organization this secret store manages.
- type: string
- projectID:
- description: ProjectID determines which project this secret store manages.
- type: string
- required:
- - auth
- - organizationID
- - projectID
- type: object
- chef:
- description: Chef configures this store to sync secrets with chef server
- properties:
- auth:
- description: Auth defines the information necessary to authenticate against chef Server
- properties:
- secretRef:
- description: ChefAuthSecretRef holds secret references for chef server login credentials.
- properties:
- privateKeySecretRef:
- description: SecretKey is the Signing Key in PEM format, used for authentication.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - privateKeySecretRef
- type: object
- required:
- - secretRef
- type: object
- serverUrl:
- description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/"
- type: string
- username:
- description: UserName should be the user ID on the chef server
- type: string
- required:
- - auth
- - serverUrl
- - username
- type: object
- cloudrusm:
- description: CloudruSM configures this store to sync secrets using the Cloud.ru Secret Manager provider
- properties:
- auth:
- description: CSMAuth contains a secretRef for credentials.
- properties:
- secretRef:
- description: CSMAuthSecretRef holds secret references for Cloud.ru credentials.
- properties:
- accessKeyIDSecretRef:
- description: The AccessKeyID is used for authentication
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- accessKeySecretSecretRef:
- description: The AccessKeySecret is used for authentication
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - accessKeyIDSecretRef
- - accessKeySecretSecretRef
- type: object
- type: object
- projectID:
- description: ProjectID is the project, which the secrets are stored in.
- type: string
- required:
- - auth
- type: object
- conjur:
- description: Conjur configures this store to sync secrets using conjur provider
- properties:
- auth:
- description: Defines authentication settings for connecting to Conjur.
- properties:
- apikey:
- description: Authenticates with Conjur using an API key.
- properties:
- account:
- description: Account is the Conjur organization account name.
- type: string
- apiKeyRef:
- description: |-
- A reference to a specific 'key' containing the Conjur API key
- within a Secret resource. In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- userRef:
- description: |-
- A reference to a specific 'key' containing the Conjur username
- within a Secret resource. In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - account
- - apiKeyRef
- - userRef
- type: object
- jwt:
- description: Jwt enables JWT authentication using Kubernetes service account tokens.
- properties:
- account:
- description: Account is the Conjur organization account name.
- type: string
- hostId:
- description: |-
- Optional HostID for JWT authentication. This may be used depending
- on how the Conjur JWT authenticator policy is configured.
- type: string
- secretRef:
- description: |-
- Optional SecretRef that refers to a key in a Secret resource containing JWT token to
- authenticate with Conjur using the JWT authentication method.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- serviceAccountRef:
- description: |-
- Optional ServiceAccountRef specifies the Kubernetes service account for which to request
- a token for with the `TokenRequest` API.
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- required:
- - name
- type: object
- serviceID:
- description: The conjur authn jwt webservice id
- type: string
- required:
- - account
- - serviceID
- type: object
- type: object
- caBundle:
- description: CABundle is a PEM encoded CA bundle that will be used to validate the Conjur server certificate.
- type: string
- caProvider:
- description: |-
- Used to provide custom certificate authority (CA) certificates
- for a secret store. The CAProvider points to a Secret or ConfigMap resource
- that contains a PEM-encoded certificate.
- properties:
- key:
- description: The key where the CA certificate can be found in the Secret or ConfigMap.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the object located at the provider type.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace the Provider type is in.
- Can only be defined when used in a ClusterSecretStore.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type:
- description: The type of provider to use such as "Secret", or "ConfigMap".
- enum:
- - Secret
- - ConfigMap
- type: string
- required:
- - name
- - type
- type: object
- url:
- description: URL is the endpoint of the Conjur instance.
- type: string
- required:
- - auth
- - url
- type: object
- delinea:
- description: |-
- Delinea DevOps Secrets Vault
- https://docs.delinea.com/online-help/products/devops-secrets-vault/current
- properties:
- clientId:
- description: ClientID is the non-secret part of the credential.
- properties:
- secretRef:
- description: SecretRef references a key in a secret that will be used as value.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- value:
- description: Value can be specified directly to set a value without using a secret.
- type: string
- type: object
- clientSecret:
- description: ClientSecret is the secret part of the credential.
- properties:
- secretRef:
- description: SecretRef references a key in a secret that will be used as value.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- value:
- description: Value can be specified directly to set a value without using a secret.
- type: string
- type: object
- tenant:
- description: Tenant is the chosen hostname / site name.
- type: string
- tld:
- description: |-
- TLD is based on the server location that was chosen during provisioning.
- If unset, defaults to "com".
- type: string
- urlTemplate:
- description: |-
- URLTemplate
- If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s".
- type: string
- required:
- - clientId
- - clientSecret
- - tenant
- type: object
- device42:
- description: Device42 configures this store to sync secrets using the Device42 provider
- properties:
- auth:
- description: Auth configures how secret-manager authenticates with a Device42 instance.
- properties:
- secretRef:
- properties:
- credentials:
- description: Username / Password is used for authentication.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- required:
- - secretRef
- type: object
- host:
- description: URL configures the Device42 instance URL.
- type: string
- required:
- - auth
- - host
- type: object
- doppler:
- description: Doppler configures this store to sync secrets using the Doppler provider
- properties:
- auth:
- description: Auth configures how the Operator authenticates with the Doppler API
- properties:
- secretRef:
- properties:
- dopplerToken:
- description: |-
- The DopplerToken is used for authentication.
- See https://docs.doppler.com/reference/api#authentication for auth token types.
- The Key attribute defaults to dopplerToken if not specified.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - dopplerToken
- type: object
- required:
- - secretRef
- type: object
- config:
- description: Doppler config (required if not using a Service Token)
- type: string
- format:
- description: Format enables the downloading of secrets as a file (string)
- enum:
- - json
- - dotnet-json
- - env
- - yaml
- - docker
- type: string
- nameTransformer:
- description: Environment variable compatible name transforms that change secret names to a different format
- enum:
- - upper-camel
- - camel
- - lower-snake
- - tf-var
- - dotnet-env
- - lower-kebab
- type: string
- project:
- description: Doppler project (required if not using a Service Token)
- type: string
- required:
- - auth
- type: object
- fake:
- description: Fake configures a store with static key/value pairs
- properties:
- data:
- items:
- properties:
- key:
- type: string
- value:
- type: string
- version:
- type: string
- required:
- - key
- - value
- type: object
- type: array
- required:
- - data
- type: object
- fortanix:
- description: Fortanix configures this store to sync secrets using the Fortanix provider
- properties:
- apiKey:
- description: APIKey is the API token to access SDKMS Applications.
- properties:
- secretRef:
- description: SecretRef is a reference to a secret containing the SDKMS API Key.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- apiUrl:
- description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`.
- type: string
- type: object
- gcpsm:
- description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
- properties:
- auth:
- description: Auth defines the information necessary to authenticate against GCP
- properties:
- secretRef:
- properties:
- secretAccessKeySecretRef:
- description: The SecretAccessKey is used for authentication
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- workloadIdentity:
- properties:
- clusterLocation:
- description: |-
- ClusterLocation is the location of the cluster
- If not specified, it fetches information from the metadata server
- type: string
- clusterName:
- description: |-
- ClusterName is the name of the cluster
- If not specified, it fetches information from the metadata server
- type: string
- clusterProjectID:
- description: |-
- ClusterProjectID is the project ID of the cluster
- If not specified, it fetches information from the metadata server
- type: string
- serviceAccountRef:
- description: A reference to a ServiceAccount resource.
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- required:
- - name
- type: object
- required:
- - serviceAccountRef
- type: object
- type: object
- location:
- description: Location optionally defines a location for a secret
- type: string
- projectID:
- description: ProjectID project where secret is located
- type: string
- type: object
- github:
- description: Github configures this store to push Github Action secrets using Github API provider
- properties:
- appID:
- description: appID specifies the Github APP that will be used to authenticate the client
- format: int64
- type: integer
- auth:
- description: auth configures how secret-manager authenticates with a Github instance.
- properties:
- privateKey:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - privateKey
- type: object
- environment:
- description: environment will be used to fetch secrets from a particular environment within a github repository
- type: string
- installationID:
- description: installationID specifies the Github APP installation that will be used to authenticate the client
- format: int64
- type: integer
- organization:
- description: organization will be used to fetch secrets from the Github organization
- type: string
- repository:
- description: repository will be used to fetch secrets from the Github repository within an organization
- type: string
- uploadURL:
- description: Upload URL for enterprise instances. Default to URL.
- type: string
- url:
- default: https://github.com/
- description: URL configures the Github instance URL. Defaults to https://github.com/.
- type: string
- required:
- - appID
- - auth
- - installationID
- - organization
- type: object
- gitlab:
- description: GitLab configures this store to sync secrets using GitLab Variables provider
- properties:
- auth:
- description: Auth configures how secret-manager authenticates with a GitLab instance.
- properties:
- SecretRef:
- properties:
- accessToken:
- description: AccessToken is used for authentication.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- required:
- - SecretRef
- type: object
- environment:
- description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments)
- type: string
- groupIDs:
- description: GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables.
- items:
- type: string
- type: array
- inheritFromGroups:
- description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets.
- type: boolean
- projectID:
- description: ProjectID specifies a project where secrets are located.
- type: string
- url:
- description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
- type: string
- required:
- - auth
- type: object
- ibm:
- description: IBM configures this store to sync secrets using IBM Cloud provider
- properties:
- auth:
- description: Auth configures how secret-manager authenticates with the IBM secrets manager.
- maxProperties: 1
- minProperties: 1
- properties:
- containerAuth:
- description: IBM Container-based auth with IAM Trusted Profile.
- properties:
- iamEndpoint:
- type: string
- profile:
- description: the IBM Trusted Profile
- type: string
- tokenLocation:
- description: Location the token is mounted on the pod
- type: string
- required:
- - profile
- type: object
- secretRef:
- properties:
- secretApiKeySecretRef:
- description: The SecretAccessKey is used for authentication
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- type: object
- serviceUrl:
- description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
- type: string
- required:
- - auth
- type: object
- infisical:
- description: Infisical configures this store to sync secrets using the Infisical provider
- properties:
- auth:
- description: Auth configures how the Operator authenticates with the Infisical API
- properties:
- universalAuthCredentials:
- properties:
- clientId:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- clientSecret:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - clientId
- - clientSecret
- type: object
- type: object
- hostAPI:
- default: https://app.infisical.com/api
- description: HostAPI specifies the base URL of the Infisical API. If not provided, it defaults to "https://app.infisical.com/api".
- type: string
- secretsScope:
- description: SecretsScope defines the scope of the secrets within the workspace
- properties:
- environmentSlug:
- description: EnvironmentSlug is the required slug identifier for the environment.
- type: string
- expandSecretReferences:
- default: true
- description: ExpandSecretReferences indicates whether secret references should be expanded. Defaults to true if not provided.
- type: boolean
- projectSlug:
- description: ProjectSlug is the required slug identifier for the project.
- type: string
- recursive:
- default: false
- description: Recursive indicates whether the secrets should be fetched recursively. Defaults to false if not provided.
- type: boolean
- secretsPath:
- default: /
- description: SecretsPath specifies the path to the secrets within the workspace. Defaults to "/" if not provided.
- type: string
- required:
- - environmentSlug
- - projectSlug
- type: object
- required:
- - auth
- - secretsScope
- type: object
- keepersecurity:
- description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider
- properties:
- authRef:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- folderID:
- type: string
- required:
- - authRef
- - folderID
- type: object
- kubernetes:
- description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
- properties:
- auth:
- description: Auth configures how secret-manager authenticates with a Kubernetes instance.
- maxProperties: 1
- minProperties: 1
- properties:
- cert:
- description: has both clientCert and clientKey as secretKeySelector
- properties:
- clientCert:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- clientKey:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- serviceAccount:
- description: points to a service account that should be used for authentication
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- required:
- - name
- type: object
- token:
- description: use static token to authenticate with
- properties:
- bearerToken:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- type: object
- authRef:
- description: A reference to a secret that contains the auth information.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- remoteNamespace:
- default: default
- description: Remote namespace to fetch the secrets from
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- server:
- description: configures the Kubernetes server Address.
- properties:
- caBundle:
- description: CABundle is a base64-encoded CA certificate
- format: byte
- type: string
- caProvider:
- description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
- properties:
- key:
- description: The key where the CA certificate can be found in the Secret or ConfigMap.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the object located at the provider type.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace the Provider type is in.
- Can only be defined when used in a ClusterSecretStore.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type:
- description: The type of provider to use such as "Secret", or "ConfigMap".
- enum:
- - Secret
- - ConfigMap
- type: string
- required:
- - name
- - type
- type: object
- url:
- default: kubernetes.default
- description: configures the Kubernetes server Address.
- type: string
- type: object
- type: object
- onboardbase:
- description: Onboardbase configures this store to sync secrets using the Onboardbase provider
- properties:
- apiHost:
- default: https://public.onboardbase.com/api/v1/
- description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/
- type: string
- auth:
- description: Auth configures how the Operator authenticates with the Onboardbase API
- properties:
- apiKeyRef:
- description: |-
- OnboardbaseAPIKey is the APIKey generated by an admin account.
- It is used to recognize and authorize access to a project and environment within onboardbase
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- passcodeRef:
- description: OnboardbasePasscode is the passcode attached to the API Key
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - apiKeyRef
- - passcodeRef
- type: object
- environment:
- default: development
- description: Environment is the name of an environmnent within a project to pull the secrets from
- type: string
- project:
- default: development
- description: Project is an onboardbase project that the secrets should be pulled from
- type: string
- required:
- - apiHost
- - auth
- - environment
- - project
- type: object
- onepassword:
- description: OnePassword configures this store to sync secrets using the 1Password Cloud provider
- properties:
- auth:
- description: Auth defines the information necessary to authenticate against OnePassword Connect Server
- properties:
- secretRef:
- description: OnePasswordAuthSecretRef holds secret references for 1Password credentials.
- properties:
- connectTokenSecretRef:
- description: The ConnectToken is used for authentication to a 1Password Connect Server.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - connectTokenSecretRef
- type: object
- required:
- - secretRef
- type: object
- connectHost:
- description: ConnectHost defines the OnePassword Connect Server to connect to
- type: string
- vaults:
- additionalProperties:
- type: integer
- description: Vaults defines which OnePassword vaults to search in which order
- type: object
- required:
- - auth
- - connectHost
- - vaults
- type: object
- oracle:
- description: Oracle configures this store to sync secrets using Oracle Vault provider
- properties:
- auth:
- description: |-
- Auth configures how secret-manager authenticates with the Oracle Vault.
- If empty, use the instance principal, otherwise the user credentials specified in Auth.
- properties:
- secretRef:
- description: SecretRef to pass through sensitive information.
- properties:
- fingerprint:
- description: Fingerprint is the fingerprint of the API private key.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- privatekey:
- description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - fingerprint
- - privatekey
- type: object
- tenancy:
- description: Tenancy is the tenancy OCID where user is located.
- type: string
- user:
- description: User is an access OCID specific to the account.
- type: string
- required:
- - secretRef
- - tenancy
- - user
- type: object
- compartment:
- description: |-
- Compartment is the vault compartment OCID.
- Required for PushSecret
- type: string
- encryptionKey:
- description: |-
- EncryptionKey is the OCID of the encryption key within the vault.
- Required for PushSecret
- type: string
- principalType:
- description: |-
- The type of principal to use for authentication. If left blank, the Auth struct will
- determine the principal type. This optional field must be specified if using
- workload identity.
- enum:
- - ""
- - UserPrincipal
- - InstancePrincipal
- - Workload
- type: string
- region:
- description: Region is the region where vault is located.
- type: string
- serviceAccountRef:
- description: |-
- ServiceAccountRef specified the service account
- that should be used when authenticating with WorkloadIdentity.
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- required:
- - name
- type: object
- vault:
- description: Vault is the vault's OCID of the specific vault where secret is located.
- type: string
- required:
- - region
- - vault
- type: object
- passbolt:
- properties:
- auth:
- description: Auth defines the information necessary to authenticate against Passbolt Server
- properties:
- passwordSecretRef:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- privateKeySecretRef:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - passwordSecretRef
- - privateKeySecretRef
- type: object
- host:
- description: Host defines the Passbolt Server to connect to
- type: string
- required:
- - auth
- - host
- type: object
- passworddepot:
- description: Configures a store to sync secrets with a Password Depot instance.
- properties:
- auth:
- description: Auth configures how secret-manager authenticates with a Password Depot instance.
- properties:
- secretRef:
- properties:
- credentials:
- description: Username / Password is used for authentication.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- required:
- - secretRef
- type: object
- database:
- description: Database to use as source
- type: string
- host:
- description: URL configures the Password Depot instance URL.
- type: string
- required:
- - auth
- - database
- - host
- type: object
- previder:
- description: Previder configures this store to sync secrets using the Previder provider
- properties:
- auth:
- description: PreviderAuth contains a secretRef for credentials.
- properties:
- secretRef:
- description: PreviderAuthSecretRef holds secret references for Previder Vault credentials.
- properties:
- accessToken:
- description: The AccessToken is used for authentication
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - accessToken
- type: object
- type: object
- baseUri:
- type: string
- required:
- - auth
- type: object
- pulumi:
- description: Pulumi configures this store to sync secrets using the Pulumi provider
- properties:
- accessToken:
- description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console.
- properties:
- secretRef:
- description: SecretRef is a reference to a secret containing the Pulumi API token.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- apiUrl:
- default: https://api.pulumi.com/api/esc
- description: APIURL is the URL of the Pulumi API.
- type: string
- environment:
- description: |-
- Environment are YAML documents composed of static key-value pairs, programmatic expressions,
- dynamically retrieved values from supported providers including all major clouds,
- and other Pulumi ESC environments.
- To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information.
- type: string
- organization:
- description: |-
- Organization are a space to collaborate on shared projects and stacks.
- To create a new organization, visit https://app.pulumi.com/ and click "New Organization".
- type: string
- project:
- description: Project is the name of the Pulumi ESC project the environment belongs to.
- type: string
- required:
- - accessToken
- - environment
- - organization
- - project
- type: object
- scaleway:
- description: Scaleway
- properties:
- accessKey:
- description: AccessKey is the non-secret part of the api key.
- properties:
- secretRef:
- description: SecretRef references a key in a secret that will be used as value.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- value:
- description: Value can be specified directly to set a value without using a secret.
- type: string
- type: object
- apiUrl:
- description: APIURL is the url of the api to use. Defaults to https://api.scaleway.com
- type: string
- projectId:
- description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings'
- type: string
- region:
- description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone'
- type: string
- secretKey:
- description: SecretKey is the non-secret part of the api key.
- properties:
- secretRef:
- description: SecretRef references a key in a secret that will be used as value.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- value:
- description: Value can be specified directly to set a value without using a secret.
- type: string
- type: object
- required:
- - accessKey
- - projectId
- - region
- - secretKey
- type: object
- secretserver:
- description: |-
- SecretServer configures this store to sync secrets using SecretServer provider
- https://docs.delinea.com/online-help/secret-server/start.htm
- properties:
- password:
- description: Password is the secret server account password.
- properties:
- secretRef:
- description: SecretRef references a key in a secret that will be used as value.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- value:
- description: Value can be specified directly to set a value without using a secret.
- type: string
- type: object
- serverURL:
- description: |-
- ServerURL
- URL to your secret server installation
- type: string
- username:
- description: Username is the secret server account username.
- properties:
- secretRef:
- description: SecretRef references a key in a secret that will be used as value.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- value:
- description: Value can be specified directly to set a value without using a secret.
- type: string
- type: object
- required:
- - password
- - serverURL
- - username
- type: object
- senhasegura:
- description: Senhasegura configures this store to sync secrets using senhasegura provider
- properties:
- auth:
- description: Auth defines parameters to authenticate in senhasegura
- properties:
- clientId:
- type: string
- clientSecretSecretRef:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - clientId
- - clientSecretSecretRef
- type: object
- ignoreSslCertificate:
- default: false
- description: IgnoreSslCertificate defines if SSL certificate must be ignored
- type: boolean
- module:
- description: Module defines which senhasegura module should be used to get secrets
- type: string
- url:
- description: URL of senhasegura
- type: string
- required:
- - auth
- - module
- - url
- type: object
- vault:
- description: Vault configures this store to sync secrets using Hashi provider
- properties:
- auth:
- description: Auth configures how secret-manager authenticates with the Vault server.
- properties:
- appRole:
- description: |-
- AppRole authenticates with Vault using the App Role auth mechanism,
- with the role and secret stored in a Kubernetes Secret resource.
- properties:
- path:
- default: approle
- description: |-
- Path where the App Role authentication backend is mounted
- in Vault, e.g: "approle"
- type: string
- roleId:
- description: |-
- RoleID configured in the App Role authentication backend when setting
- up the authentication backend in Vault.
- type: string
- roleRef:
- description: |-
- Reference to a key in a Secret that contains the App Role ID used
- to authenticate with Vault.
- The `key` field must be specified and denotes which entry within the Secret
- resource is used as the app role id.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- secretRef:
- description: |-
- Reference to a key in a Secret that contains the App Role secret used
- to authenticate with Vault.
- The `key` field must be specified and denotes which entry within the Secret
- resource is used as the app role secret.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - path
- - secretRef
- type: object
- cert:
- description: |-
- Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
- Cert authentication method
- properties:
- clientCert:
- description: |-
- ClientCert is a certificate to authenticate using the Cert Vault
- authentication method
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- secretRef:
- description: |-
- SecretRef to a key in a Secret resource containing client private key to
- authenticate with Vault using the Cert authentication method
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- iam:
- description: |-
- Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials
- AWS IAM authentication method
- properties:
- externalID:
- description: AWS External ID set on assumed IAM roles
- type: string
- jwt:
- description: Specify a service account with IRSA enabled
- properties:
- serviceAccountRef:
- description: A reference to a ServiceAccount resource.
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- required:
- - name
- type: object
- type: object
- path:
- description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
- type: string
- region:
- description: AWS region
- type: string
- role:
- description: This is the AWS role to be assumed before talking to vault
- type: string
- secretRef:
- description: Specify credentials in a Secret object
- properties:
- accessKeyIDSecretRef:
- description: The AccessKeyID is used for authentication
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- secretAccessKeySecretRef:
- description: The SecretAccessKey is used for authentication
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- sessionTokenSecretRef:
- description: |-
- The SessionToken used for authentication
- This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
- see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- vaultAwsIamServerID:
- description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
- type: string
- vaultRole:
- description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine
- type: string
- required:
- - vaultRole
- type: object
- jwt:
- description: |-
- Jwt authenticates with Vault by passing role and JWT token using the
- JWT/OIDC authentication method
- properties:
- kubernetesServiceAccountToken:
- description: |-
- Optional ServiceAccountToken specifies the Kubernetes service account for which to request
- a token for with the `TokenRequest` API.
- properties:
- audiences:
- description: |-
- Optional audiences field that will be used to request a temporary Kubernetes service
- account token for the service account referenced by `serviceAccountRef`.
- Defaults to a single audience `vault` it not specified.
- Deprecated: use serviceAccountRef.Audiences instead
- items:
- type: string
- type: array
- expirationSeconds:
- description: |-
- Optional expiration time in seconds that will be used to request a temporary
- Kubernetes service account token for the service account referenced by
- `serviceAccountRef`.
- Deprecated: this will be removed in the future.
- Defaults to 10 minutes.
- format: int64
- type: integer
- serviceAccountRef:
- description: Service account field containing the name of a kubernetes ServiceAccount.
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- required:
- - name
- type: object
- required:
- - serviceAccountRef
- type: object
- path:
- default: jwt
- description: |-
- Path where the JWT authentication backend is mounted
- in Vault, e.g: "jwt"
- type: string
- role:
- description: |-
- Role is a JWT role to authenticate using the JWT/OIDC Vault
- authentication method
- type: string
- secretRef:
- description: |-
- Optional SecretRef that refers to a key in a Secret resource containing JWT token to
- authenticate with Vault using the JWT/OIDC authentication method.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - path
- type: object
- kubernetes:
- description: |-
- Kubernetes authenticates with Vault by passing the ServiceAccount
- token stored in the named Secret resource to the Vault server.
- properties:
- mountPath:
- default: kubernetes
- description: |-
- Path where the Kubernetes authentication backend is mounted in Vault, e.g:
- "kubernetes"
- type: string
- role:
- description: |-
- A required field containing the Vault Role to assume. A Role binds a
- Kubernetes ServiceAccount with a set of Vault policies.
- type: string
- secretRef:
- description: |-
- Optional secret field containing a Kubernetes ServiceAccount JWT used
- for authenticating with Vault. If a name is specified without a key,
- `token` is the default. If one is not specified, the one bound to
- the controller will be used.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- serviceAccountRef:
- description: |-
- Optional service account field containing the name of a kubernetes ServiceAccount.
- If the service account is specified, the service account secret token JWT will be used
- for authenticating with Vault. If the service account selector is not supplied,
- the secretRef will be used instead.
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- required:
- - name
- type: object
- required:
- - mountPath
- - role
- type: object
- ldap:
- description: |-
- Ldap authenticates with Vault by passing username/password pair using
- the LDAP authentication method
- properties:
- path:
- default: ldap
- description: |-
- Path where the LDAP authentication backend is mounted
- in Vault, e.g: "ldap"
- type: string
- secretRef:
- description: |-
- SecretRef to a key in a Secret resource containing password for the LDAP
- user used to authenticate with Vault using the LDAP authentication
- method
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- username:
- description: |-
- Username is an LDAP username used to authenticate using the LDAP Vault
- authentication method
- type: string
- required:
- - path
- - username
- type: object
- namespace:
- description: |-
- Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in.
- Namespaces is a set of features within Vault Enterprise that allows
- Vault environments to support Secure Multi-tenancy. e.g: "ns1".
- More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
- This will default to Vault.Namespace field if set, or empty otherwise
- type: string
- tokenSecretRef:
- description: TokenSecretRef authenticates with Vault by presenting a token.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- userPass:
- description: UserPass authenticates with Vault by passing username/password pair
- properties:
- path:
- default: userpass
- description: |-
- Path where the UserPassword authentication backend is mounted
- in Vault, e.g: "userpass"
- type: string
- secretRef:
- description: |-
- SecretRef to a key in a Secret resource containing password for the
- user used to authenticate with Vault using the UserPass authentication
- method
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- username:
- description: |-
- Username is a username used to authenticate using the UserPass Vault
- authentication method
- type: string
- required:
- - path
- - username
- type: object
- type: object
- caBundle:
- description: |-
- PEM encoded CA bundle used to validate Vault server certificate. Only used
- if the Server URL is using HTTPS protocol. This parameter is ignored for
- plain HTTP protocol connection. If not set the system root certificates
- are used to validate the TLS connection.
- format: byte
- type: string
- caProvider:
- description: The provider for the CA bundle to use to validate Vault server certificate.
- properties:
- key:
- description: The key where the CA certificate can be found in the Secret or ConfigMap.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the object located at the provider type.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace the Provider type is in.
- Can only be defined when used in a ClusterSecretStore.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type:
- description: The type of provider to use such as "Secret", or "ConfigMap".
- enum:
- - Secret
- - ConfigMap
- type: string
- required:
- - name
- - type
- type: object
- forwardInconsistent:
- description: |-
- ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
- leader instead of simply retrying within a loop. This can increase performance if
- the option is enabled serverside.
- https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
- type: boolean
- headers:
- additionalProperties:
- type: string
- description: Headers to be added in Vault request
- type: object
- namespace:
- description: |-
- Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
- Vault environments to support Secure Multi-tenancy. e.g: "ns1".
- More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
- type: string
- path:
- description: |-
- Path is the mount path of the Vault KV backend endpoint, e.g:
- "secret". The v2 KV secret engine version specific "/data" path suffix
- for fetching secrets from Vault is optional and will be appended
- if not present in specified path.
- type: string
- readYourWrites:
- description: |-
- ReadYourWrites ensures isolated read-after-write semantics by
- providing discovered cluster replication states in each request.
- More information about eventual consistency in Vault can be found here
- https://www.vaultproject.io/docs/enterprise/consistency
- type: boolean
- server:
- description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
- type: string
- tls:
- description: |-
- The configuration used for client side related TLS communication, when the Vault server
- requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
- This parameter is ignored for plain HTTP protocol connection.
- It's worth noting this configuration is different from the "TLS certificates auth method",
- which is available under the `auth.cert` section.
- properties:
- certSecretRef:
- description: |-
- CertSecretRef is a certificate added to the transport layer
- when communicating with the Vault server.
- If no key for the Secret is specified, external-secret will default to 'tls.crt'.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- keySecretRef:
- description: |-
- KeySecretRef to a key in a Secret resource containing client private key
- added to the transport layer when communicating with the Vault server.
- If no key for the Secret is specified, external-secret will default to 'tls.key'.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- version:
- default: v2
- description: |-
- Version is the Vault KV secret engine version. This can be either "v1" or
- "v2". Version defaults to "v2".
- enum:
- - v1
- - v2
- type: string
- required:
- - server
- type: object
- webhook:
- description: Webhook configures this store to sync secrets using a generic templated webhook
- properties:
- auth:
- description: Auth specifies a authorization protocol. Only one protocol may be set.
- maxProperties: 1
- minProperties: 1
- properties:
- ntlm:
- description: NTLMProtocol configures the store to use NTLM for auth
- properties:
- passwordSecret:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- usernameSecret:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - passwordSecret
- - usernameSecret
- type: object
- type: object
- body:
- description: Body
- type: string
- caBundle:
- description: |-
- PEM encoded CA bundle used to validate webhook server certificate. Only used
- if the Server URL is using HTTPS protocol. This parameter is ignored for
- plain HTTP protocol connection. If not set the system root certificates
- are used to validate the TLS connection.
- format: byte
- type: string
- caProvider:
- description: The provider for the CA bundle to use to validate webhook server certificate.
- properties:
- key:
- description: The key where the CA certificate can be found in the Secret or ConfigMap.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the object located at the provider type.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: The namespace the Provider type is in.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type:
- description: The type of provider to use such as "Secret", or "ConfigMap".
- enum:
- - Secret
- - ConfigMap
- type: string
- required:
- - name
- - type
- type: object
- headers:
- additionalProperties:
- type: string
- description: Headers
- type: object
- method:
- description: Webhook Method
- type: string
- result:
- description: Result formatting
- properties:
- jsonPath:
- description: Json path of return value
- type: string
- type: object
- secrets:
- description: |-
- Secrets to fill in templates
- These secrets will be passed to the templating function as key value pairs under the given name
- items:
- properties:
- name:
- description: Name of this secret in templates
- type: string
- secretRef:
- description: Secret ref to fill in credentials
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - name
- - secretRef
- type: object
- type: array
- timeout:
- description: Timeout
- type: string
- url:
- description: Webhook url to call
- type: string
- required:
- - result
- - url
- type: object
- yandexcertificatemanager:
- description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider
- properties:
- apiEndpoint:
- description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
- type: string
- auth:
- description: Auth defines the information necessary to authenticate against Yandex Certificate Manager
- properties:
- authorizedKeySecretRef:
- description: The authorized key used for authentication
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- caProvider:
- description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
- properties:
- certSecretRef:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- required:
- - auth
- type: object
- yandexlockbox:
- description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
- properties:
- apiEndpoint:
- description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
- type: string
- auth:
- description: Auth defines the information necessary to authenticate against Yandex Lockbox
- properties:
- authorizedKeySecretRef:
- description: The authorized key used for authentication
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- caProvider:
- description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
- properties:
- certSecretRef:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- required:
- - auth
- type: object
- type: object
- refreshInterval:
- description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config.
- type: integer
- retrySettings:
- description: Used to configure http retries if failed
- properties:
- maxRetries:
- format: int32
- type: integer
- retryInterval:
- type: string
- type: object
- required:
- - provider
- type: object
- status:
- description: SecretStoreStatus defines the observed state of the SecretStore.
- properties:
- capabilities:
- description: SecretStoreCapabilities defines the possible operations a SecretStore can do.
- type: string
- conditions:
- items:
- properties:
- lastTransitionTime:
- format: date-time
- type: string
- message:
- type: string
- reason:
- type: string
- status:
- type: string
- type:
- type: string
- required:
- - status
- - type
- type: object
- type: array
- type: object
- type: object
- served: true
- storage: false
- subresources:
- status: {}
+{{- if .Values.crds.conversion.enabled }}
+ conversion:
+ strategy: Webhook
+ webhook:
+ conversionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: {{ include "external-secrets.fullname" . }}-webhook
+ namespace: {{ .Release.Namespace | quote }}
+ path: /convert
+{{- end }}
{{- end }}
diff --git a/charts/external-secrets/templates/crds/stssessiontoken.yaml b/charts/external-secrets/templates/crds/stssessiontoken.yaml
deleted file mode 100644
index b9a971f..0000000
--- a/charts/external-secrets/templates/crds/stssessiontoken.yaml
+++ /dev/null
@@ -1,216 +0,0 @@
-{{- if .Values.installCRDs }}
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- annotations:
- {{- with .Values.crds.annotations }}
- {{- toYaml . | nindent 4}}
- {{- end }}
- {{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
- cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
- {{- end }}
- controller-gen.kubebuilder.io/version: v0.17.3
- labels:
- external-secrets.io/component: controller
- name: stssessiontokens.generators.external-secrets.io
-spec:
- group: generators.external-secrets.io
- names:
- categories:
- - external-secrets
- - external-secrets-generators
- kind: STSSessionToken
- listKind: STSSessionTokenList
- plural: stssessiontokens
- singular: stssessiontoken
- scope: Namespaced
- versions:
- - name: v1alpha1
- schema:
- openAPIV3Schema:
- description: |-
- STSSessionToken uses the GetSessionToken API to retrieve an authorization token.
- The authorization token is valid for 12 hours.
- The authorizationToken returned is a base64 encoded string that can be decoded.
- For more information, see GetSessionToken (https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html).
- properties:
- apiVersion:
- description: |-
- APIVersion defines the versioned schema of this representation of an object.
- Servers should convert recognized schemas to the latest internal value, and
- may reject unrecognized values.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
- type: string
- kind:
- description: |-
- Kind is a string value representing the REST resource this object represents.
- Servers may infer this from the endpoint the client submits requests to.
- Cannot be updated.
- In CamelCase.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
- type: string
- metadata:
- type: object
- spec:
- properties:
- auth:
- description: Auth defines how to authenticate with AWS
- properties:
- jwt:
- description: Authenticate against AWS using service account tokens.
- properties:
- serviceAccountRef:
- description: A reference to a ServiceAccount resource.
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- required:
- - name
- type: object
- type: object
- secretRef:
- description: |-
- AWSAuthSecretRef holds secret references for AWS credentials
- both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
- properties:
- accessKeyIDSecretRef:
- description: The AccessKeyID is used for authentication
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- secretAccessKeySecretRef:
- description: The SecretAccessKey is used for authentication
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- sessionTokenSecretRef:
- description: |-
- The SessionToken used for authentication
- This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
- see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- type: object
- region:
- description: Region specifies the region to operate in.
- type: string
- requestParameters:
- description: RequestParameters contains parameters that can be passed to the STS service.
- properties:
- serialNumber:
- description: |-
- SerialNumber is the identification number of the MFA device that is associated with the IAM user who is making
- the GetSessionToken call.
- Possible values: hardware device (such as GAHT12345678) or an Amazon Resource Name (ARN) for a virtual device
- (such as arn:aws:iam::123456789012:mfa/user)
- type: string
- sessionDuration:
- description: |-
- SessionDuration The duration, in seconds, that the credentials should remain valid. Acceptable durations for
- IAM user sessions range from 900 seconds (15 minutes) to 129,600 seconds (36 hours), with 43,200 seconds
- (12 hours) as the default.
- format: int64
- type: integer
- tokenCode:
- description: TokenCode is the value provided by the MFA device, if MFA is required.
- type: string
- type: object
- role:
- description: |-
- You can assume a role before making calls to the
- desired AWS service.
- type: string
- required:
- - region
- type: object
- type: object
- served: true
- storage: true
- subresources:
- status: {}
-{{- end }}
diff --git a/charts/external-secrets/templates/crds/uuid.yaml b/charts/external-secrets/templates/crds/uuid.yaml
deleted file mode 100644
index ff92338..0000000
--- a/charts/external-secrets/templates/crds/uuid.yaml
+++ /dev/null
@@ -1,58 +0,0 @@
-{{- if .Values.installCRDs }}
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- annotations:
- {{- with .Values.crds.annotations }}
- {{- toYaml . | nindent 4}}
- {{- end }}
- {{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
- cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
- {{- end }}
- controller-gen.kubebuilder.io/version: v0.17.3
- labels:
- external-secrets.io/component: controller
- name: uuids.generators.external-secrets.io
-spec:
- group: generators.external-secrets.io
- names:
- categories:
- - external-secrets
- - external-secrets-generators
- kind: UUID
- listKind: UUIDList
- plural: uuids
- singular: uuid
- scope: Namespaced
- versions:
- - name: v1alpha1
- schema:
- openAPIV3Schema:
- description: UUID generates a version 1 UUID (e56657e3-764f-11ef-a397-65231a88c216).
- properties:
- apiVersion:
- description: |-
- APIVersion defines the versioned schema of this representation of an object.
- Servers should convert recognized schemas to the latest internal value, and
- may reject unrecognized values.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
- type: string
- kind:
- description: |-
- Kind is a string value representing the REST resource this object represents.
- Servers may infer this from the endpoint the client submits requests to.
- Cannot be updated.
- In CamelCase.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
- type: string
- metadata:
- type: object
- spec:
- description: UUIDSpec controls the behavior of the uuid generator.
- type: object
- type: object
- served: true
- storage: true
- subresources:
- status: {}
-{{- end }}
diff --git a/charts/external-secrets/templates/crds/vaultdynamicsecret.yaml b/charts/external-secrets/templates/crds/vaultdynamicsecret.yaml
index 0fb81e2..123558f 100644
--- a/charts/external-secrets/templates/crds/vaultdynamicsecret.yaml
+++ b/charts/external-secrets/templates/crds/vaultdynamicsecret.yaml
@@ -9,19 +9,18 @@ metadata:
{{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
{{- end }}
- controller-gen.kubebuilder.io/version: v0.17.3
- labels:
- external-secrets.io/component: controller
+ controller-gen.kubebuilder.io/version: v0.13.0
name: vaultdynamicsecrets.generators.external-secrets.io
spec:
group: generators.external-secrets.io
names:
categories:
- - external-secrets
- - external-secrets-generators
+ - vaultdynamicsecret
kind: VaultDynamicSecret
listKind: VaultDynamicSecretList
plural: vaultdynamicsecrets
+ shortNames:
+ - vaultdynamicsecret
singular: vaultdynamicsecret
scope: Namespaced
versions:
@@ -30,32 +29,17 @@ spec:
openAPIV3Schema:
properties:
apiVersion:
- description: |-
- APIVersion defines the versioned schema of this representation of an object.
- Servers should convert recognized schemas to the latest internal value, and
- may reject unrecognized values.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
- description: |-
- Kind is a string value representing the REST resource this object represents.
- Servers may infer this from the endpoint the client submits requests to.
- Cannot be updated.
- In CamelCase.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
properties:
- allowEmptyResponse:
- default: false
- description: Do not fail if no secrets are found. Useful for requests where no data is expected.
- type: boolean
controller:
- description: |-
- Used to select the correct ESO controller (think: ingress.ingressClassName)
- The ESO controller is instantiated with a specific controller name and filters VDS based on this property
+ description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property'
type: string
method:
description: Vault API method to use (GET/POST/other)
@@ -73,79 +57,39 @@ spec:
description: Auth configures how secret-manager authenticates with the Vault server.
properties:
appRole:
- description: |-
- AppRole authenticates with Vault using the App Role auth mechanism,
- with the role and secret stored in a Kubernetes Secret resource.
+ description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
properties:
path:
default: approle
- description: |-
- Path where the App Role authentication backend is mounted
- in Vault, e.g: "approle"
+ description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
type: string
roleId:
- description: |-
- RoleID configured in the App Role authentication backend when setting
- up the authentication backend in Vault.
+ description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
type: string
roleRef:
- description: |-
- Reference to a key in a Secret that contains the App Role ID used
- to authenticate with Vault.
- The `key` field must be specified and denotes which entry within the Secret
- resource is used as the app role id.
+ description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id.
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
secretRef:
- description: |-
- Reference to a key in a Secret that contains the App Role secret used
- to authenticate with Vault.
- The `key` field must be specified and denotes which entry within the Secret
- resource is used as the app role secret.
+ description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
required:
@@ -153,71 +97,37 @@ spec:
- secretRef
type: object
cert:
- description: |-
- Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
- Cert authentication method
+ description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method
properties:
clientCert:
- description: |-
- ClientCert is a certificate to authenticate using the Cert Vault
- authentication method
+ description: ClientCert is a certificate to authenticate using the Cert Vault authentication method
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
secretRef:
- description: |-
- SecretRef to a key in a Secret resource containing client private key to
- authenticate with Vault using the Cert authentication method
+ description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
type: object
iam:
- description: |-
- Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials
- AWS IAM authentication method
+ description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method
properties:
externalID:
description: AWS External ID set on assumed IAM roles
@@ -229,26 +139,15 @@ spec:
description: A reference to a ServiceAccount resource.
properties:
audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
+ description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
items:
type: string
type: array
name:
description: The name of the ServiceAccount resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- Namespace of the resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
required:
- name
@@ -270,81 +169,39 @@ spec:
description: The AccessKeyID is used for authentication
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
secretAccessKeySecretRef:
description: The SecretAccessKey is used for authentication
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
sessionTokenSecretRef:
- description: |-
- The SessionToken used for authentication
- This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
- see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
+ description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html'
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
type: object
@@ -358,57 +215,33 @@ spec:
- vaultRole
type: object
jwt:
- description: |-
- Jwt authenticates with Vault by passing role and JWT token using the
- JWT/OIDC authentication method
+ description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method
properties:
kubernetesServiceAccountToken:
- description: |-
- Optional ServiceAccountToken specifies the Kubernetes service account for which to request
- a token for with the `TokenRequest` API.
+ description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API.
properties:
audiences:
- description: |-
- Optional audiences field that will be used to request a temporary Kubernetes service
- account token for the service account referenced by `serviceAccountRef`.
- Defaults to a single audience `vault` it not specified.
- Deprecated: use serviceAccountRef.Audiences instead
+ description: 'Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. Deprecated: use serviceAccountRef.Audiences instead'
items:
type: string
type: array
expirationSeconds:
- description: |-
- Optional expiration time in seconds that will be used to request a temporary
- Kubernetes service account token for the service account referenced by
- `serviceAccountRef`.
- Deprecated: this will be removed in the future.
- Defaults to 10 minutes.
+ description: 'Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Deprecated: this will be removed in the future. Defaults to 10 minutes.'
format: int64
type: integer
serviceAccountRef:
description: Service account field containing the name of a kubernetes ServiceAccount.
properties:
audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
+ description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
items:
type: string
type: array
name:
description: The name of the ServiceAccount resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- Namespace of the resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
required:
- name
@@ -418,120 +251,63 @@ spec:
type: object
path:
default: jwt
- description: |-
- Path where the JWT authentication backend is mounted
- in Vault, e.g: "jwt"
+ description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"'
type: string
role:
- description: |-
- Role is a JWT role to authenticate using the JWT/OIDC Vault
- authentication method
+ description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method
type: string
secretRef:
- description: |-
- Optional SecretRef that refers to a key in a Secret resource containing JWT token to
- authenticate with Vault using the JWT/OIDC authentication method.
+ description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method.
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
required:
- path
type: object
kubernetes:
- description: |-
- Kubernetes authenticates with Vault by passing the ServiceAccount
- token stored in the named Secret resource to the Vault server.
+ description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
properties:
mountPath:
default: kubernetes
- description: |-
- Path where the Kubernetes authentication backend is mounted in Vault, e.g:
- "kubernetes"
+ description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"'
type: string
role:
- description: |-
- A required field containing the Vault Role to assume. A Role binds a
- Kubernetes ServiceAccount with a set of Vault policies.
+ description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
type: string
secretRef:
- description: |-
- Optional secret field containing a Kubernetes ServiceAccount JWT used
- for authenticating with Vault. If a name is specified without a key,
- `token` is the default. If one is not specified, the one bound to
- the controller will be used.
+ description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used.
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
serviceAccountRef:
- description: |-
- Optional service account field containing the name of a kubernetes ServiceAccount.
- If the service account is specified, the service account secret token JWT will be used
- for authenticating with Vault. If the service account selector is not supplied,
- the secretRef will be used instead.
+ description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead.
properties:
audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
+ description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
items:
type: string
type: array
name:
description: The name of the ServiceAccount resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- Namespace of the resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
required:
- name
@@ -541,130 +317,67 @@ spec:
- role
type: object
ldap:
- description: |-
- Ldap authenticates with Vault by passing username/password pair using
- the LDAP authentication method
+ description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method
properties:
path:
default: ldap
- description: |-
- Path where the LDAP authentication backend is mounted
- in Vault, e.g: "ldap"
+ description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"'
type: string
secretRef:
- description: |-
- SecretRef to a key in a Secret resource containing password for the LDAP
- user used to authenticate with Vault using the LDAP authentication
- method
+ description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
username:
- description: |-
- Username is an LDAP username used to authenticate using the LDAP Vault
- authentication method
+ description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method
type: string
required:
- path
- username
type: object
- namespace:
- description: |-
- Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in.
- Namespaces is a set of features within Vault Enterprise that allows
- Vault environments to support Secure Multi-tenancy. e.g: "ns1".
- More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
- This will default to Vault.Namespace field if set, or empty otherwise
- type: string
tokenSecretRef:
description: TokenSecretRef authenticates with Vault by presenting a token.
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
userPass:
description: UserPass authenticates with Vault by passing username/password pair
properties:
path:
- default: userpass
- description: |-
- Path where the UserPassword authentication backend is mounted
- in Vault, e.g: "userpass"
+ default: user
+ description: 'Path where the UserPassword authentication backend is mounted in Vault, e.g: "user"'
type: string
secretRef:
- description: |-
- SecretRef to a key in a Secret resource containing password for the
- user used to authenticate with Vault using the UserPass authentication
- method
+ description: SecretRef to a key in a Secret resource containing password for the user used to authenticate with Vault using the UserPass authentication method
properties:
key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
type: string
type: object
username:
- description: |-
- Username is a username used to authenticate using the UserPass Vault
- authentication method
+ description: Username is a user name used to authenticate using the UserPass Vault authentication method
type: string
required:
- path
@@ -672,11 +385,7 @@ spec:
type: object
type: object
caBundle:
- description: |-
- PEM encoded CA bundle used to validate Vault server certificate. Only used
- if the Server URL is using HTTPS protocol. This parameter is ignored for
- plain HTTP protocol connection. If not set the system root certificates
- are used to validate the TLS connection.
+ description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
format: byte
type: string
caProvider:
@@ -684,23 +393,12 @@ spec:
properties:
key:
description: The key where the CA certificate can be found in the Secret or ConfigMap.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
type: string
name:
description: The name of the object located at the provider type.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
- description: |-
- The namespace the Provider type is in.
- Can only be defined when used in a ClusterSecretStore.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore.
type: string
type:
description: The type of provider to use such as "Secret", or "ConfigMap".
@@ -713,142 +411,38 @@ spec:
- type
type: object
forwardInconsistent:
- description: |-
- ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
- leader instead of simply retrying within a loop. This can increase performance if
- the option is enabled serverside.
- https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
+ description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
type: boolean
- headers:
- additionalProperties:
- type: string
- description: Headers to be added in Vault request
- type: object
namespace:
- description: |-
- Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
- Vault environments to support Secure Multi-tenancy. e.g: "ns1".
- More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
+ description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
type: string
path:
- description: |-
- Path is the mount path of the Vault KV backend endpoint, e.g:
- "secret". The v2 KV secret engine version specific "/data" path suffix
- for fetching secrets from Vault is optional and will be appended
- if not present in specified path.
+ description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.'
type: string
readYourWrites:
- description: |-
- ReadYourWrites ensures isolated read-after-write semantics by
- providing discovered cluster replication states in each request.
- More information about eventual consistency in Vault can be found here
- https://www.vaultproject.io/docs/enterprise/consistency
+ description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency
type: boolean
server:
description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
type: string
- tls:
- description: |-
- The configuration used for client side related TLS communication, when the Vault server
- requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
- This parameter is ignored for plain HTTP protocol connection.
- It's worth noting this configuration is different from the "TLS certificates auth method",
- which is available under the `auth.cert` section.
- properties:
- certSecretRef:
- description: |-
- CertSecretRef is a certificate added to the transport layer
- when communicating with the Vault server.
- If no key for the Secret is specified, external-secret will default to 'tls.crt'.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- keySecretRef:
- description: |-
- KeySecretRef to a key in a Secret resource containing client private key
- added to the transport layer when communicating with the Vault server.
- If no key for the Secret is specified, external-secret will default to 'tls.key'.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
version:
default: v2
- description: |-
- Version is the Vault KV secret engine version. This can be either "v1" or
- "v2". Version defaults to "v2".
+ description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2".
enum:
- v1
- v2
type: string
required:
+ - auth
- server
type: object
resultType:
default: Data
- description: |-
- Result type defines which data is returned from the generator.
- By default it is the "data" section of the Vault API response.
- When using e.g. /auth/token/create the "data" section is empty but
- the "auth" section contains the generated token.
- Please refer to the vault docs regarding the result data structure.
- Additionally, accessing the raw response is possibly by using "Raw" result type.
+ description: Result type defines which data is returned from the generator. By default it is the "data" section of the Vault API response. When using e.g. /auth/token/create the "data" section is empty but the "auth" section contains the generated token. Please refer to the vault docs regarding the result data structure.
enum:
- Data
- Auth
- - Raw
type: string
- retrySettings:
- description: Used to configure http retries if failed
- properties:
- maxRetries:
- format: int32
- type: integer
- retryInterval:
- type: string
- type: object
required:
- path
- provider
@@ -858,4 +452,16 @@ spec:
storage: true
subresources:
status: {}
+{{- if .Values.crds.conversion.enabled }}
+ conversion:
+ strategy: Webhook
+ webhook:
+ conversionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: {{ include "external-secrets.fullname" . }}-webhook
+ namespace: {{ .Release.Namespace | quote }}
+ path: /convert
+{{- end }}
{{- end }}
diff --git a/charts/external-secrets/templates/crds/webhook.yaml b/charts/external-secrets/templates/crds/webhook.yaml
deleted file mode 100644
index 68928d7..0000000
--- a/charts/external-secrets/templates/crds/webhook.yaml
+++ /dev/null
@@ -1,228 +0,0 @@
-{{- if .Values.installCRDs }}
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- annotations:
- {{- with .Values.crds.annotations }}
- {{- toYaml . | nindent 4}}
- {{- end }}
- {{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
- cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
- {{- end }}
- controller-gen.kubebuilder.io/version: v0.17.3
- labels:
- external-secrets.io/component: controller
- name: webhooks.generators.external-secrets.io
-spec:
- group: generators.external-secrets.io
- names:
- categories:
- - external-secrets
- - external-secrets-generators
- kind: Webhook
- listKind: WebhookList
- plural: webhooks
- singular: webhook
- scope: Namespaced
- versions:
- - name: v1alpha1
- schema:
- openAPIV3Schema:
- description: |-
- Webhook connects to a third party API server to handle the secrets generation
- configuration parameters in spec.
- You can specify the server, the token, and additional body parameters.
- See documentation for the full API specification for requests and responses.
- properties:
- apiVersion:
- description: |-
- APIVersion defines the versioned schema of this representation of an object.
- Servers should convert recognized schemas to the latest internal value, and
- may reject unrecognized values.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
- type: string
- kind:
- description: |-
- Kind is a string value representing the REST resource this object represents.
- Servers may infer this from the endpoint the client submits requests to.
- Cannot be updated.
- In CamelCase.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
- type: string
- metadata:
- type: object
- spec:
- description: WebhookSpec controls the behavior of the external generator. Any body parameters should be passed to the server through the parameters field.
- properties:
- auth:
- description: Auth specifies a authorization protocol. Only one protocol may be set.
- maxProperties: 1
- minProperties: 1
- properties:
- ntlm:
- description: NTLMProtocol configures the store to use NTLM for auth
- properties:
- passwordSecret:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- usernameSecret:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - passwordSecret
- - usernameSecret
- type: object
- type: object
- body:
- description: Body
- type: string
- caBundle:
- description: |-
- PEM encoded CA bundle used to validate webhook server certificate. Only used
- if the Server URL is using HTTPS protocol. This parameter is ignored for
- plain HTTP protocol connection. If not set the system root certificates
- are used to validate the TLS connection.
- format: byte
- type: string
- caProvider:
- description: The provider for the CA bundle to use to validate webhook server certificate.
- properties:
- key:
- description: The key where the CA certificate can be found in the Secret or ConfigMap.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the object located at the provider type.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: The namespace the Provider type is in.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type:
- description: The type of provider to use such as "Secret", or "ConfigMap".
- enum:
- - Secret
- - ConfigMap
- type: string
- required:
- - name
- - type
- type: object
- headers:
- additionalProperties:
- type: string
- description: Headers
- type: object
- method:
- description: Webhook Method
- type: string
- result:
- description: Result formatting
- properties:
- jsonPath:
- description: Json path of return value
- type: string
- type: object
- secrets:
- description: |-
- Secrets to fill in templates
- These secrets will be passed to the templating function as key value pairs under the given name
- items:
- properties:
- name:
- description: Name of this secret in templates
- type: string
- secretRef:
- description: Secret ref to fill in credentials
- properties:
- key:
- description: The key where the token is found.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- type: object
- required:
- - name
- - secretRef
- type: object
- type: array
- timeout:
- description: Timeout
- type: string
- url:
- description: Webhook url to call
- type: string
- required:
- - result
- - url
- type: object
- type: object
- served: true
- storage: true
- subresources:
- status: {}
-{{- end }}
diff --git a/charts/external-secrets/templates/deployment.yaml b/charts/external-secrets/templates/deployment.yaml
index 9685587..00ea999 100644
--- a/charts/external-secrets/templates/deployment.yaml
+++ b/charts/external-secrets/templates/deployment.yaml
@@ -3,7 +3,7 @@ apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "external-secrets.fullname" . }}
- namespace: {{ template "external-secrets.namespace" . }}
+ namespace: {{ .Release.Namespace | quote }}
labels:
{{- include "external-secrets.labels" . | nindent 4 }}
{{- with .Values.deploymentAnnotations }}
@@ -35,23 +35,19 @@ spec:
serviceAccountName: {{ include "external-secrets.serviceAccountName" . }}
automountServiceAccountToken: {{ .Values.serviceAccount.automount }}
{{- with .Values.podSecurityContext }}
- {{- if and (.enabled) (gt (keys . | len) 1) }}
securityContext:
- {{- include "external-secrets.renderSecurityContext" (dict "securityContext" . "context" $) | nindent 8 }}
- {{- end }}
+ {{- toYaml . | nindent 8 }}
{{- end }}
hostNetwork: {{ .Values.hostNetwork }}
containers:
- name: {{ .Chart.Name }}
{{- with .Values.securityContext }}
- {{- if and (.enabled) (gt (keys . | len) 1) }}
securityContext:
- {{- include "external-secrets.renderSecurityContext" (dict "securityContext" . "context" $) | nindent 12 }}
+ {{- toYaml . | nindent 12 }}
{{- end }}
- {{- end }}
- image: {{ include "external-secrets.image" (dict "chartAppVersion" .Chart.AppVersion "image" .Values.image) | trim }}
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
- {{- if or (.Values.leaderElect) (.Values.scopedNamespace) (.Values.processClusterStore) (.Values.processClusterExternalSecret) (.Values.processClusterPushSecret) (.Values.concurrent) (.Values.extraArgs) }}
+ {{- if or (.Values.leaderElect) (.Values.scopedNamespace) (.Values.processClusterStore) (.Values.processClusterExternalSecret) (.Values.concurrent) (.Values.extraArgs) }}
args:
{{- if .Values.leaderElect }}
- --enable-leader-election=true
@@ -62,7 +58,6 @@ spec:
{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
- --enable-cluster-store-reconciler=false
- --enable-cluster-external-secret-reconciler=false
- - --enable-cluster-push-secret-reconciler=false
{{- else }}
{{- if not .Values.processClusterStore }}
- --enable-cluster-store-reconciler=false
@@ -70,9 +65,6 @@ spec:
{{- if not .Values.processClusterExternalSecret }}
- --enable-cluster-external-secret-reconciler=false
{{- end }}
- {{- if not .Values.processClusterPushSecret }}
- - --enable-cluster-push-secret-reconciler=false
- {{- end }}
{{- end }}
{{- if not .Values.processPushSecret }}
- --enable-push-secret-reconciler=false
@@ -95,8 +87,6 @@ spec:
{{- end }}
{{- end }}
- --metrics-addr=:{{ .Values.metrics.listen.port }}
- - --loglevel={{ .Values.log.level }}
- - --zap-time-encoding={{ .Values.log.timeEncoding }}
ports:
- containerPort: {{ .Values.metrics.listen.port }}
protocol: TCP
@@ -114,9 +104,8 @@ spec:
{{- toYaml .Values.extraVolumeMounts | nindent 12 }}
{{- end }}
{{- if .Values.extraContainers }}
- {{ toYaml .Values.extraContainers | nindent 8 }}
+ {{ toYaml .Values.extraContainers | nindent 8}}
{{- end }}
- dnsPolicy: {{ .Values.dnsPolicy }}
{{- if .Values.dnsConfig }}
dnsConfig:
{{- toYaml .Values.dnsConfig | nindent 8 }}
@@ -125,19 +114,19 @@ spec:
volumes:
{{- toYaml .Values.extraVolumes | nindent 8 }}
{{- end }}
- {{- with .Values.nodeSelector | default .Values.global.nodeSelector }}
+ {{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
- {{- with .Values.affinity | default .Values.global.affinity }}
+ {{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
- {{- with .Values.tolerations | default .Values.global.tolerations }}
+ {{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
- {{- with .Values.topologySpreadConstraints | default .Values.global.topologySpreadConstraints }}
+ {{- with .Values.topologySpreadConstraints }}
topologySpreadConstraints:
{{- toYaml . | nindent 8 }}
{{- end }}
diff --git a/charts/external-secrets/templates/extra-manifests.yaml b/charts/external-secrets/templates/extra-manifests.yaml
deleted file mode 100644
index 1dfe8f4..0000000
--- a/charts/external-secrets/templates/extra-manifests.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-{{- range .Values.extraObjects }}
----
-{{ include "external-secrets.render" (dict "value" . "context" $) }}
-{{- end }}
diff --git a/charts/external-secrets/templates/grafana-dashboard.yaml b/charts/external-secrets/templates/grafana-dashboard.yaml
deleted file mode 100644
index 4b96dce..0000000
--- a/charts/external-secrets/templates/grafana-dashboard.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-{{- if .Values.grafanaDashboard.enabled }}
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ include "external-secrets.fullname" . }}-dashboard
- namespace: {{ include "external-secrets.namespace" . }}
- labels:
- {{ .Values.grafanaDashboard.sidecarLabel }}: {{ .Values.grafanaDashboard.sidecarLabelValue | quote }}
- {{- include "external-secrets.labels" . | nindent 4 }}
- {{- with .Values.grafanaDashboard.annotations }}
- annotations:
- {{- toYaml . | nindent 4 }}
- {{- end }}
-data:
- external-secrets.json: {{ .Files.Get "files/monitoring/grafana-dashboard.json" | toJson }}
-{{- end }}
diff --git a/charts/external-secrets/templates/poddisruptionbudget.yaml b/charts/external-secrets/templates/poddisruptionbudget.yaml
index 7b75ca3..abe51d3 100644
--- a/charts/external-secrets/templates/poddisruptionbudget.yaml
+++ b/charts/external-secrets/templates/poddisruptionbudget.yaml
@@ -3,7 +3,7 @@ apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: {{ include "external-secrets.fullname" . }}-pdb
- namespace: {{ template "external-secrets.namespace" . }}
+ namespace: {{ .Release.Namespace | quote }}
labels:
{{- include "external-secrets.labels" . | nindent 4 }}
spec:
@@ -16,4 +16,4 @@ spec:
selector:
matchLabels:
{{- include "external-secrets.selectorLabels" . | nindent 6 }}
-{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/external-secrets/templates/rbac.yaml b/charts/external-secrets/templates/rbac.yaml
index a1b40f5..da5d648 100644
--- a/charts/external-secrets/templates/rbac.yaml
+++ b/charts/external-secrets/templates/rbac.yaml
@@ -17,19 +17,10 @@ rules:
- "external-secrets.io"
resources:
- "secretstores"
- {{- if .Values.processClusterStore }}
- "clustersecretstores"
- {{- end }}
- "externalsecrets"
- {{- if .Values.processClusterExternalSecret }}
- "clusterexternalsecrets"
- {{- end }}
- {{- if .Values.processPushSecret }}
- "pushsecrets"
- {{- end }}
- {{- if .Values.processClusterPushSecret }}
- - "clusterpushsecrets"
- {{- end }}
verbs:
- "get"
- "list"
@@ -39,75 +30,31 @@ rules:
resources:
- "externalsecrets"
- "externalsecrets/status"
- {{- if .Values.openshiftFinalizers }}
- "externalsecrets/finalizers"
- {{- end }}
- "secretstores"
- "secretstores/status"
- {{- if .Values.openshiftFinalizers }}
- "secretstores/finalizers"
- {{- end }}
- {{- if .Values.processClusterStore }}
- "clustersecretstores"
- "clustersecretstores/status"
- {{- if .Values.openshiftFinalizers }}
- "clustersecretstores/finalizers"
- {{- end }}
- {{- end }}
- {{- if .Values.processClusterExternalSecret }}
- "clusterexternalsecrets"
- "clusterexternalsecrets/status"
- {{- if .Values.openshiftFinalizers }}
- "clusterexternalsecrets/finalizers"
- {{- end }}
- {{- end }}
- {{- if .Values.processPushSecret }}
- "pushsecrets"
- "pushsecrets/status"
- {{- if .Values.openshiftFinalizers }}
- "pushsecrets/finalizers"
- {{- end }}
- {{- end }}
- {{- if .Values.processClusterPushSecret }}
- - "clusterpushsecrets"
- - "clusterpushsecrets/status"
- {{- if .Values.openshiftFinalizers }}
- - "clusterpushsecrets/finalizers"
- {{- end }}
- {{- end }}
verbs:
- - "get"
- "update"
- "patch"
- - apiGroups:
- - "generators.external-secrets.io"
- resources:
- - "generatorstates"
- verbs:
- - "get"
- - "list"
- - "watch"
- - "create"
- - "update"
- - "patch"
- - "delete"
- - "deletecollection"
- apiGroups:
- "generators.external-secrets.io"
resources:
- "acraccesstokens"
- - "clustergenerators"
- "ecrauthorizationtokens"
- "fakes"
- "gcraccesstokens"
- - "githubaccesstokens"
- - "quayaccesstokens"
- "passwords"
- - "stssessiontokens"
- - "uuids"
- "vaultdynamicsecrets"
- - "webhooks"
- - "grafanas"
verbs:
- "get"
- "list"
@@ -162,16 +109,6 @@ rules:
- "create"
- "update"
- "delete"
- {{- if .Values.processPushSecret }}
- - apiGroups:
- - "external-secrets.io"
- resources:
- - "pushsecrets"
- verbs:
- - "create"
- - "update"
- - "delete"
- {{- end }}
---
apiVersion: rbac.authorization.k8s.io/v1
{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
@@ -186,12 +123,8 @@ metadata:
{{- end }}
labels:
{{- include "external-secrets.labels" . | nindent 4 }}
- {{- if .Values.rbac.aggregateToView }}
rbac.authorization.k8s.io/aggregate-to-view: "true"
- {{- end }}
- {{- if .Values.rbac.aggregateToEdit }}
rbac.authorization.k8s.io/aggregate-to-edit: "true"
- {{- end }}
rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
- apiGroups:
@@ -199,15 +132,8 @@ rules:
resources:
- "externalsecrets"
- "secretstores"
- {{- if .Values.processClusterStore }}
- "clustersecretstores"
- {{- end }}
- {{- if .Values.processPushSecret }}
- "pushsecrets"
- {{- end }}
- {{- if .Values.processClusterPushSecret }}
- - "clusterpushsecrets"
- {{- end }}
verbs:
- "get"
- "watch"
@@ -216,17 +142,11 @@ rules:
- "generators.external-secrets.io"
resources:
- "acraccesstokens"
- - "clustergenerators"
- "ecrauthorizationtokens"
- "fakes"
- "gcraccesstokens"
- - "githubaccesstokens"
- - "quayaccesstokens"
- "passwords"
- "vaultdynamicsecrets"
- - "webhooks"
- - "grafanas"
- - "generatorstates"
verbs:
- "get"
- "watch"
@@ -245,9 +165,7 @@ metadata:
{{- end }}
labels:
{{- include "external-secrets.labels" . | nindent 4 }}
- {{- if .Values.rbac.aggregateToEdit }}
rbac.authorization.k8s.io/aggregate-to-edit: "true"
- {{- end }}
rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
- apiGroups:
@@ -255,15 +173,8 @@ rules:
resources:
- "externalsecrets"
- "secretstores"
- {{- if .Values.processClusterStore }}
- "clustersecretstores"
- {{- end }}
- {{- if .Values.processPushSecret }}
- "pushsecrets"
- {{- end }}
- {{- if .Values.processClusterPushSecret }}
- - "clusterpushsecrets"
- {{- end }}
verbs:
- "create"
- "delete"
@@ -274,17 +185,11 @@ rules:
- "generators.external-secrets.io"
resources:
- "acraccesstokens"
- - "clustergenerators"
- "ecrauthorizationtokens"
- "fakes"
- "gcraccesstokens"
- - "githubaccesstokens"
- - "quayaccesstokens"
- "passwords"
- "vaultdynamicsecrets"
- - "webhooks"
- - "grafanas"
- - "generatorstates"
verbs:
- "create"
- "delete"
@@ -315,14 +220,14 @@ roleRef:
name: {{ include "external-secrets.fullname" . }}-controller
subjects:
- name: {{ include "external-secrets.serviceAccountName" . }}
- namespace: {{ template "external-secrets.namespace" . }}
+ namespace: {{ .Release.Namespace | quote }}
kind: ServiceAccount
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "external-secrets.fullname" . }}-leaderelection
- namespace: {{ template "external-secrets.namespace" . }}
+ namespace: {{ .Release.Namespace | quote }}
labels:
{{- include "external-secrets.labels" . | nindent 4 }}
rules:
@@ -356,7 +261,7 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "external-secrets.fullname" . }}-leaderelection
- namespace: {{ template "external-secrets.namespace" . }}
+ namespace: {{ .Release.Namespace | quote }}
labels:
{{- include "external-secrets.labels" . | nindent 4 }}
roleRef:
@@ -366,7 +271,7 @@ roleRef:
subjects:
- kind: ServiceAccount
name: {{ include "external-secrets.serviceAccountName" . }}
- namespace: {{ template "external-secrets.namespace" . }}
+ namespace: {{ .Release.Namespace | quote }}
{{- if .Values.rbac.servicebindings.create }}
---
apiVersion: rbac.authorization.k8s.io/v1
@@ -381,9 +286,6 @@ rules:
- "external-secrets.io"
resources:
- "externalsecrets"
- {{- if .Values.processPushSecret }}
- - "pushsecrets"
- {{- end }}
verbs:
- "get"
- "list"
diff --git a/charts/external-secrets/templates/service.yaml b/charts/external-secrets/templates/service.yaml
index d292258..bf56fde 100644
--- a/charts/external-secrets/templates/service.yaml
+++ b/charts/external-secrets/templates/service.yaml
@@ -1,9 +1,9 @@
-{{- if or (and ( .Capabilities.APIVersions.Has "monitoring.coreos.com/v1" ) .Values.serviceMonitor.enabled) .Values.metrics.service.enabled -}}
+{{- if .Values.metrics.service.enabled }}
apiVersion: v1
kind: Service
metadata:
name: {{ include "external-secrets.fullname" . }}-metrics
- namespace: {{ template "external-secrets.namespace" . }}
+ namespace: {{ .Release.Namespace | quote }}
labels:
{{- include "external-secrets.labels" . | nindent 4 }}
{{- with .Values.metrics.service.annotations }}
@@ -12,12 +12,6 @@ metadata:
{{- end }}
spec:
type: ClusterIP
- {{- if .Values.service.ipFamilyPolicy }}
- ipFamilyPolicy: {{ .Values.service.ipFamilyPolicy }}
- {{- end }}
- {{- if .Values.service.ipFamilies }}
- ipFamilies: {{ .Values.service.ipFamilies | toYaml | nindent 2 }}
- {{- end }}
ports:
- port: {{ .Values.metrics.service.port }}
protocol: TCP
diff --git a/charts/external-secrets/templates/serviceaccount.yaml b/charts/external-secrets/templates/serviceaccount.yaml
index ceaa98e..fd61c70 100644
--- a/charts/external-secrets/templates/serviceaccount.yaml
+++ b/charts/external-secrets/templates/serviceaccount.yaml
@@ -3,7 +3,7 @@ apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "external-secrets.serviceAccountName" . }}
- namespace: {{ template "external-secrets.namespace" . }}
+ namespace: {{ .Release.Namespace | quote }}
labels:
{{- include "external-secrets.labels" . | nindent 4 }}
{{- with .Values.serviceAccount.extraLabels }}
diff --git a/charts/external-secrets/templates/servicemonitor.yaml b/charts/external-secrets/templates/servicemonitor.yaml
index c2f2cce..63c9da0 100644
--- a/charts/external-secrets/templates/servicemonitor.yaml
+++ b/charts/external-secrets/templates/servicemonitor.yaml
@@ -1,4 +1,20 @@
{{- if and ( .Capabilities.APIVersions.Has "monitoring.coreos.com/v1" ) .Values.serviceMonitor.enabled -}}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "external-secrets.fullname" . }}-metrics
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ {{- include "external-secrets.labels" . | nindent 4 }}
+spec:
+ type: ClusterIP
+ ports:
+ - port: {{ .Values.metrics.service.port }}
+ protocol: TCP
+ name: metrics
+ selector:
+ {{- include "external-secrets.selectorLabels" . | nindent 4 }}
+---
apiVersion: "monitoring.coreos.com/v1"
kind: ServiceMonitor
metadata:
@@ -8,14 +24,14 @@ metadata:
{{ toYaml .Values.serviceMonitor.additionalLabels | indent 4 }}
{{- end }}
name: {{ include "external-secrets.fullname" . }}-metrics
- namespace: {{ .Values.serviceMonitor.namespace | default (include "external-secrets.namespace" .) | quote }}
+ namespace: {{ .Values.serviceMonitor.namespace | default .Release.Namespace | quote }}
spec:
selector:
matchLabels:
{{- include "external-secrets.selectorLabels" . | nindent 6 }}
namespaceSelector:
matchNames:
- - {{ template "external-secrets.namespace" . }}
+ - {{ .Release.Namespace | quote }}
endpoints:
- port: metrics
interval: {{ .Values.serviceMonitor.interval }}
@@ -31,6 +47,22 @@ spec:
{{- end }}
---
{{- if .Values.webhook.create }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "external-secrets.fullname" . }}-webhook-metrics
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ {{- include "external-secrets-webhook-metrics.labels" . | nindent 4 }}
+spec:
+ type: ClusterIP
+ ports:
+ - port: {{ .Values.webhook.metrics.service.port }}
+ protocol: TCP
+ name: metrics
+ selector:
+ {{- include "external-secrets-webhook.selectorLabels" . | nindent 4 }}
+---
apiVersion: "monitoring.coreos.com/v1"
kind: ServiceMonitor
metadata:
@@ -40,14 +72,14 @@ metadata:
{{ toYaml .Values.serviceMonitor.additionalLabels | indent 4 }}
{{- end }}
name: {{ include "external-secrets.fullname" . }}-webhook-metrics
- namespace: {{ .Values.serviceMonitor.namespace | default (include "external-secrets.namespace" .) | quote }}
+ namespace: {{ .Values.serviceMonitor.namespace | default .Release.Namespace | quote }}
spec:
selector:
matchLabels:
{{- include "external-secrets-webhook-metrics.labels" . | nindent 6 }}
namespaceSelector:
matchNames:
- - {{ template "external-secrets.namespace" . }}
+ - {{ .Release.Namespace | quote }}
endpoints:
- port: metrics
interval: {{ .Values.serviceMonitor.interval }}
@@ -64,6 +96,22 @@ spec:
{{- end }}
---
{{- if .Values.certController.create }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "external-secrets.fullname" . }}-cert-controller-metrics
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ {{- include "external-secrets-cert-controller-metrics.labels" . | nindent 4 }}
+spec:
+ type: ClusterIP
+ ports:
+ - port: {{ .Values.certController.metrics.listen.port }}
+ protocol: TCP
+ name: metrics
+ selector:
+ {{- include "external-secrets-cert-controller.selectorLabels" . | nindent 4 }}
+---
apiVersion: "monitoring.coreos.com/v1"
kind: ServiceMonitor
metadata:
@@ -73,14 +121,14 @@ metadata:
{{ toYaml .Values.serviceMonitor.additionalLabels | indent 4 }}
{{- end }}
name: {{ include "external-secrets.fullname" . }}-cert-controller-metrics
- namespace: {{ .Values.serviceMonitor.namespace | default (include "external-secrets.namespace" .) | quote }}
+ namespace: {{ .Values.serviceMonitor.namespace | default .Release.Namespace | quote }}
spec:
selector:
matchLabels:
{{- include "external-secrets-cert-controller-metrics.labels" . | nindent 6 }}
namespaceSelector:
matchNames:
- - {{ template "external-secrets.namespace" . }}
+ - {{ .Release.Namespace | quote }}
endpoints:
- port: metrics
interval: {{ .Values.serviceMonitor.interval }}
diff --git a/charts/external-secrets/templates/validatingwebhook.yaml b/charts/external-secrets/templates/validatingwebhook.yaml
index d1fede5..a365b36 100644
--- a/charts/external-secrets/templates/validatingwebhook.yaml
+++ b/charts/external-secrets/templates/validatingwebhook.yaml
@@ -4,30 +4,27 @@ kind: ValidatingWebhookConfiguration
metadata:
name: secretstore-validate
labels:
- {{- include "external-secrets-webhook.labels" . | nindent 4 }}
external-secrets.io/component: webhook
- {{- if or .Values.webhook.annotations (and .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations) }}
+ {{- with .Values.commonLabels }}
+ {{ toYaml . | nindent 4 }}
+ {{- end }}
+ {{- if and .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
annotations:
- {{- if and .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
- cert-manager.io/inject-ca-from: {{ template "external-secrets.namespace" . }}/{{ include "external-secrets.fullname" . }}-webhook
- {{- end }}
- {{- if .Values.webhook.annotations }}
- {{- toYaml .Values.webhook.annotations | nindent 4 }}
- {{- end }}
+ cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
{{- end }}
webhooks:
- name: "validate.secretstore.external-secrets.io"
rules:
- apiGroups: ["external-secrets.io"]
- apiVersions: ["v1"]
+ apiVersions: ["v1beta1"]
operations: ["CREATE", "UPDATE", "DELETE"]
resources: ["secretstores"]
scope: "Namespaced"
clientConfig:
service:
- namespace: {{ template "external-secrets.namespace" . }}
+ namespace: {{ .Release.Namespace | quote }}
name: {{ include "external-secrets.fullname" . }}-webhook
- path: /validate-external-secrets-io-v1-secretstore
+ path: /validate-external-secrets-io-v1beta1-secretstore
admissionReviewVersions: ["v1", "v1beta1"]
sideEffects: None
timeoutSeconds: 5
@@ -35,15 +32,15 @@ webhooks:
- name: "validate.clustersecretstore.external-secrets.io"
rules:
- apiGroups: ["external-secrets.io"]
- apiVersions: ["v1"]
+ apiVersions: ["v1beta1"]
operations: ["CREATE", "UPDATE", "DELETE"]
resources: ["clustersecretstores"]
scope: "Cluster"
clientConfig:
service:
- namespace: {{ template "external-secrets.namespace" . }}
+ namespace: {{ .Release.Namespace | quote }}
name: {{ include "external-secrets.fullname" . }}-webhook
- path: /validate-external-secrets-io-v1-clustersecretstore
+ path: /validate-external-secrets-io-v1beta1-clustersecretstore
admissionReviewVersions: ["v1", "v1beta1"]
sideEffects: None
timeoutSeconds: 5
@@ -53,30 +50,27 @@ kind: ValidatingWebhookConfiguration
metadata:
name: externalsecret-validate
labels:
- {{- include "external-secrets-webhook.labels" . | nindent 4 }}
external-secrets.io/component: webhook
- {{- if or .Values.webhook.annotations (and .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations) }}
+ {{- with .Values.commonLabels }}
+ {{ toYaml . | nindent 4 }}
+ {{- end }}
+ {{- if and .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
annotations:
- {{- if and .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
- cert-manager.io/inject-ca-from: {{ template "external-secrets.namespace" . }}/{{ include "external-secrets.fullname" . }}-webhook
- {{- end }}
- {{- if .Values.webhook.annotations }}
- {{- toYaml .Values.webhook.annotations | nindent 4 }}
- {{- end }}
+ cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
{{- end }}
webhooks:
- name: "validate.externalsecret.external-secrets.io"
rules:
- apiGroups: ["external-secrets.io"]
- apiVersions: ["v1"]
+ apiVersions: ["v1beta1"]
operations: ["CREATE", "UPDATE", "DELETE"]
resources: ["externalsecrets"]
scope: "Namespaced"
clientConfig:
service:
- namespace: {{ template "external-secrets.namespace" . }}
+ namespace: {{ .Release.Namespace | quote }}
name: {{ include "external-secrets.fullname" . }}-webhook
- path: /validate-external-secrets-io-v1-externalsecret
+ path: /validate-external-secrets-io-v1beta1-externalsecret
admissionReviewVersions: ["v1", "v1beta1"]
sideEffects: None
timeoutSeconds: 5
diff --git a/charts/external-secrets/templates/webhook-certificate.yaml b/charts/external-secrets/templates/webhook-certificate.yaml
index 96b4bfe..d8aff1a 100644
--- a/charts/external-secrets/templates/webhook-certificate.yaml
+++ b/charts/external-secrets/templates/webhook-certificate.yaml
@@ -4,7 +4,7 @@ apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: {{ include "external-secrets.fullname" . }}-webhook
- namespace: {{ template "external-secrets.namespace" . }}
+ namespace: {{ .Release.Namespace | quote }}
labels:
{{- include "external-secrets-webhook.labels" . | nindent 4 }}
external-secrets.io/component: webhook
@@ -16,8 +16,8 @@ spec:
commonName: {{ include "external-secrets.fullname" . }}-webhook
dnsNames:
- {{ include "external-secrets.fullname" . }}-webhook
- - {{ include "external-secrets.fullname" . }}-webhook.{{ template "external-secrets.namespace" . }}
- - {{ include "external-secrets.fullname" . }}-webhook.{{ template "external-secrets.namespace" . }}.svc
+ - {{ include "external-secrets.fullname" . }}-webhook.{{ .Release.Namespace }}
+ - {{ include "external-secrets.fullname" . }}-webhook.{{ .Release.Namespace }}.svc
issuerRef:
{{- toYaml .Values.webhook.certManager.cert.issuerRef | nindent 4 }}
{{- with .Values.webhook.certManager.cert.duration }}
@@ -26,8 +26,5 @@ spec:
{{- with .Values.webhook.certManager.cert.renewBefore }}
renewBefore: {{ . | quote }}
{{- end }}
- {{- if gt (.Values.webhook.certManager.cert.revisionHistoryLimit | int) 0 }}
- revisionHistoryLimit: {{ .Values.webhook.certManager.cert.revisionHistoryLimit }}
- {{- end }}
secretName: {{ include "external-secrets.fullname" . }}-webhook
{{- end }}
diff --git a/charts/external-secrets/templates/webhook-deployment.yaml b/charts/external-secrets/templates/webhook-deployment.yaml
index 7419a42..5ab8fe9 100644
--- a/charts/external-secrets/templates/webhook-deployment.yaml
+++ b/charts/external-secrets/templates/webhook-deployment.yaml
@@ -3,7 +3,7 @@ apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "external-secrets.fullname" . }}-webhook
- namespace: {{ template "external-secrets.namespace" . }}
+ namespace: {{ .Release.Namespace | quote }}
labels:
{{- include "external-secrets-webhook.labels" . | nindent 4 }}
{{- with .Values.webhook.deploymentAnnotations }}
@@ -36,31 +36,25 @@ spec:
serviceAccountName: {{ include "external-secrets-webhook.serviceAccountName" . }}
automountServiceAccountToken: {{ .Values.webhook.serviceAccount.automount }}
{{- with .Values.webhook.podSecurityContext }}
- {{- if and (.enabled) (gt (keys . | len) 1) }}
securityContext:
- {{- include "external-secrets.renderSecurityContext" (dict "securityContext" . "context" $) | nindent 8 }}
- {{- end }}
+ {{- toYaml . | nindent 8 }}
{{- end }}
containers:
- name: webhook
{{- with .Values.webhook.securityContext }}
- {{- if and (.enabled) (gt (keys . | len) 1) }}
securityContext:
- {{- include "external-secrets.renderSecurityContext" (dict "securityContext" . "context" $) | nindent 12 }}
+ {{- toYaml . | nindent 12 }}
{{- end }}
- {{- end }}
- image: {{ include "external-secrets.image" (dict "chartAppVersion" .Chart.AppVersion "image" .Values.webhook.image) | trim }}
+ image: "{{ .Values.webhook.image.repository }}:{{ .Values.webhook.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.webhook.image.pullPolicy }}
args:
- webhook
- --port={{ .Values.webhook.port }}
- - --dns-name={{ include "external-secrets.fullname" . }}-webhook.{{ template "external-secrets.namespace" . }}.svc
+ - --dns-name={{ include "external-secrets.fullname" . }}-webhook.{{ .Release.Namespace }}.svc
- --cert-dir={{ .Values.webhook.certDir }}
- --check-interval={{ .Values.webhook.certCheckInterval }}
- --metrics-addr=:{{ .Values.webhook.metrics.listen.port }}
- --healthz-addr={{ .Values.webhook.readinessProbe.address }}:{{ .Values.webhook.readinessProbe.port }}
- - --loglevel={{ .Values.webhook.log.level }}
- - --zap-time-encoding={{ .Values.webhook.log.timeEncoding }}
{{- if .Values.webhook.lookaheadInterval }}
- --lookahead-interval={{ .Values.webhook.lookaheadInterval }}
{{- end }}
@@ -106,19 +100,19 @@ spec:
{{- if .Values.webhook.extraVolumes }}
{{- toYaml .Values.webhook.extraVolumes | nindent 8 }}
{{- end }}
- {{- with .Values.webhook.nodeSelector | default .Values.global.nodeSelector }}
+ {{- with .Values.webhook.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
- {{- with .Values.webhook.affinity | default .Values.global.affinity }}
+ {{- with .Values.webhook.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
- {{- with .Values.webhook.tolerations | default .Values.global.tolerations }}
+ {{- with .Values.webhook.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
- {{- with .Values.webhook.topologySpreadConstraints | default .Values.global.topologySpreadConstraints }}
+ {{- with .Values.webhook.topologySpreadConstraints }}
topologySpreadConstraints:
{{- toYaml . | nindent 8 }}
{{- end }}
diff --git a/charts/external-secrets/templates/webhook-poddisruptionbudget.yaml b/charts/external-secrets/templates/webhook-poddisruptionbudget.yaml
index 58345ba..665de97 100644
--- a/charts/external-secrets/templates/webhook-poddisruptionbudget.yaml
+++ b/charts/external-secrets/templates/webhook-poddisruptionbudget.yaml
@@ -3,7 +3,7 @@ apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: {{ include "external-secrets.fullname" . }}-webhook-pdb
- namespace: {{ template "external-secrets.namespace" . }}
+ namespace: {{ .Release.Namespace | quote }}
labels:
{{- include "external-secrets-webhook.labels" . | nindent 4 }}
external-secrets.io/component: webhook
@@ -17,4 +17,4 @@ spec:
selector:
matchLabels:
{{- include "external-secrets-webhook.selectorLabels" . | nindent 6 }}
-{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/external-secrets/templates/webhook-secret.yaml b/charts/external-secrets/templates/webhook-secret.yaml
index fa7760e..667a7b9 100644
--- a/charts/external-secrets/templates/webhook-secret.yaml
+++ b/charts/external-secrets/templates/webhook-secret.yaml
@@ -3,7 +3,7 @@ apiVersion: v1
kind: Secret
metadata:
name: {{ include "external-secrets.fullname" . }}-webhook
- namespace: {{ template "external-secrets.namespace" . }}
+ namespace: {{ .Release.Namespace | quote }}
labels:
{{- include "external-secrets-webhook.labels" . | nindent 4 }}
external-secrets.io/component: webhook
diff --git a/charts/external-secrets/templates/webhook-service.yaml b/charts/external-secrets/templates/webhook-service.yaml
index 14b99a3..ec2001d 100644
--- a/charts/external-secrets/templates/webhook-service.yaml
+++ b/charts/external-secrets/templates/webhook-service.yaml
@@ -1,30 +1,26 @@
-{{- if and .Values.webhook.create .Values.webhook.service.enabled }}
+{{- if .Values.webhook.create }}
apiVersion: v1
kind: Service
metadata:
name: {{ include "external-secrets.fullname" . }}-webhook
- namespace: {{ template "external-secrets.namespace" . }}
+ namespace: {{ .Release.Namespace | quote }}
labels:
{{- include "external-secrets-webhook.labels" . | nindent 4 }}
external-secrets.io/component: webhook
- {{- include "external-secrets-webhook.annotations" . | nindent 2 }}
+ {{- if .Values.webhook.metrics.service.enabled }}
+ {{- with .Values.webhook.metrics.service.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- end }}
spec:
- type: {{ .Values.webhook.service.type }}
- {{- if .Values.service.ipFamilyPolicy }}
- ipFamilyPolicy: {{ .Values.service.ipFamilyPolicy }}
- {{- end }}
- {{- if .Values.service.ipFamilies }}
- ipFamilies: {{ .Values.service.ipFamilies | toYaml | nindent 2 }}
- {{- end }}
- {{- with .Values.webhook.service.loadBalancerIP }}
- loadBalancerIP: {{ . }}
- {{- end }}
+ type: ClusterIP
ports:
- port: 443
targetPort: {{ .Values.webhook.port }}
protocol: TCP
name: webhook
- {{- if or .Values.webhook.metrics.service.enabled ( and ( .Capabilities.APIVersions.Has "monitoring.coreos.com/v1" ) .Values.serviceMonitor.enabled ) }}
+ {{- if .Values.webhook.metrics.service.enabled }}
- port: {{ .Values.webhook.metrics.service.port }}
protocol: TCP
targetPort: metrics
diff --git a/charts/external-secrets/templates/webhook-serviceaccount.yaml b/charts/external-secrets/templates/webhook-serviceaccount.yaml
index 1936218..1c4a14b 100644
--- a/charts/external-secrets/templates/webhook-serviceaccount.yaml
+++ b/charts/external-secrets/templates/webhook-serviceaccount.yaml
@@ -3,7 +3,7 @@ apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "external-secrets-webhook.serviceAccountName" . }}
- namespace: {{ template "external-secrets.namespace" . }}
+ namespace: {{ .Release.Namespace | quote }}
labels:
{{- include "external-secrets-webhook.labels" . | nindent 4 }}
{{- with .Values.webhook.serviceAccount.extraLabels }}
diff --git a/charts/external-secrets/tests/__snapshot__/cert_controller_test.yaml.snap b/charts/external-secrets/tests/__snapshot__/cert_controller_test.yaml.snap
new file mode 100644
index 0000000..24b24dc
--- /dev/null
+++ b/charts/external-secrets/tests/__snapshot__/cert_controller_test.yaml.snap
@@ -0,0 +1,65 @@
+should match snapshot of default values:
+ 1: |
+ apiVersion: apps/v1
+ kind: Deployment
+ metadata:
+ labels:
+ app.kubernetes.io/instance: RELEASE-NAME
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: external-secrets-cert-controller
+ app.kubernetes.io/version: v0.9.11
+ helm.sh/chart: external-secrets-0.9.11
+ name: RELEASE-NAME-external-secrets-cert-controller
+ namespace: NAMESPACE
+ spec:
+ replicas: 1
+ revisionHistoryLimit: 10
+ selector:
+ matchLabels:
+ app.kubernetes.io/instance: RELEASE-NAME
+ app.kubernetes.io/name: external-secrets-cert-controller
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/instance: RELEASE-NAME
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: external-secrets-cert-controller
+ app.kubernetes.io/version: v0.9.11
+ helm.sh/chart: external-secrets-0.9.11
+ spec:
+ automountServiceAccountToken: true
+ containers:
+ - args:
+ - certcontroller
+ - --crd-requeue-interval=5m
+ - --service-name=RELEASE-NAME-external-secrets-webhook
+ - --service-namespace=NAMESPACE
+ - --secret-name=RELEASE-NAME-external-secrets-webhook
+ - --secret-namespace=NAMESPACE
+ - --metrics-addr=:8080
+ - --healthz-addr=:8081
+ image: ghcr.io/external-secrets/external-secrets:v0.9.11
+ imagePullPolicy: IfNotPresent
+ name: cert-controller
+ ports:
+ - containerPort: 8080
+ name: metrics
+ protocol: TCP
+ readinessProbe:
+ httpGet:
+ path: /readyz
+ port: 8081
+ initialDelaySeconds: 20
+ periodSeconds: 5
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 1000
+ seccompProfile:
+ type: RuntimeDefault
+ hostNetwork: false
+ serviceAccountName: external-secrets-cert-controller
diff --git a/charts/external-secrets/tests/__snapshot__/controller_test.yaml.snap b/charts/external-secrets/tests/__snapshot__/controller_test.yaml.snap
new file mode 100644
index 0000000..123207b
--- /dev/null
+++ b/charts/external-secrets/tests/__snapshot__/controller_test.yaml.snap
@@ -0,0 +1,53 @@
+should match snapshot of default values:
+ 1: |
+ apiVersion: apps/v1
+ kind: Deployment
+ metadata:
+ labels:
+ app.kubernetes.io/instance: RELEASE-NAME
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: external-secrets
+ app.kubernetes.io/version: v0.9.11
+ helm.sh/chart: external-secrets-0.9.11
+ name: RELEASE-NAME-external-secrets
+ namespace: NAMESPACE
+ spec:
+ replicas: 1
+ revisionHistoryLimit: 10
+ selector:
+ matchLabels:
+ app.kubernetes.io/instance: RELEASE-NAME
+ app.kubernetes.io/name: external-secrets
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/instance: RELEASE-NAME
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: external-secrets
+ app.kubernetes.io/version: v0.9.11
+ helm.sh/chart: external-secrets-0.9.11
+ spec:
+ automountServiceAccountToken: true
+ containers:
+ - args:
+ - --concurrent=1
+ - --metrics-addr=:8080
+ image: ghcr.io/external-secrets/external-secrets:v0.9.11
+ imagePullPolicy: IfNotPresent
+ name: external-secrets
+ ports:
+ - containerPort: 8080
+ name: metrics
+ protocol: TCP
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 1000
+ seccompProfile:
+ type: RuntimeDefault
+ hostNetwork: false
+ serviceAccountName: RELEASE-NAME-external-secrets
diff --git a/charts/external-secrets/tests/__snapshot__/crds_test.yaml.snap b/charts/external-secrets/tests/__snapshot__/crds_test.yaml.snap
new file mode 100644
index 0000000..fa5b322
--- /dev/null
+++ b/charts/external-secrets/tests/__snapshot__/crds_test.yaml.snap
@@ -0,0 +1,3011 @@
+should match snapshot of default values:
+ 1: |
+ apiVersion: apiextensions.k8s.io/v1
+ kind: CustomResourceDefinition
+ metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.13.0
+ name: secretstores.external-secrets.io
+ spec:
+ conversion:
+ strategy: Webhook
+ webhook:
+ clientConfig:
+ service:
+ name: RELEASE-NAME-external-secrets-webhook
+ namespace: NAMESPACE
+ path: /convert
+ conversionReviewVersions:
+ - v1
+ group: external-secrets.io
+ names:
+ categories:
+ - externalsecrets
+ kind: SecretStore
+ listKind: SecretStoreList
+ plural: secretstores
+ shortNames:
+ - ss
+ singular: secretstore
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .metadata.creationTimestamp
+ name: AGE
+ type: date
+ - jsonPath: .status.conditions[?(@.type=="Ready")].reason
+ name: Status
+ type: string
+ deprecated: true
+ name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: SecretStoreSpec defines the desired state of SecretStore.
+ properties:
+ controller:
+ description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property'
+ type: string
+ provider:
+ description: Used to configure the provider. Only one provider may be set
+ maxProperties: 1
+ minProperties: 1
+ properties:
+ akeyless:
+ description: Akeyless configures this store to sync secrets using Akeyless Vault provider
+ properties:
+ akeylessGWApiURL:
+ description: Akeyless GW API Url from which the secrets to be fetched from.
+ type: string
+ authSecretRef:
+ description: Auth configures how the operator authenticates with Akeyless.
+ properties:
+ kubernetesAuth:
+ description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource.
+ properties:
+ accessID:
+ description: the Akeyless Kubernetes auth-method access-id
+ type: string
+ k8sConfName:
+ description: Kubernetes-auth configuration name in Akeyless-Gateway
+ type: string
+ secretRef:
+ description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ serviceAccountRef:
+ description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead.
+ properties:
+ audiences:
+ description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
+ items:
+ type: string
+ type: array
+ name:
+ description: The name of the ServiceAccount resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - accessID
+ - k8sConfName
+ type: object
+ secretRef:
+ description: Reference to a Secret that contains the details to authenticate with Akeyless.
+ properties:
+ accessID:
+ description: The SecretAccessID is used for authentication
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ accessType:
+ description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ accessTypeParam:
+ description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ type: object
+ caBundle:
+ description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection.
+ format: byte
+ type: string
+ caProvider:
+ description: The provider for the CA bundle to use to validate Akeyless Gateway certificate.
+ properties:
+ key:
+ description: The key the value inside of the provider type to use, only used with "Secret" type
+ type: string
+ name:
+ description: The name of the object located at the provider type.
+ type: string
+ namespace:
+ description: The namespace the Provider type is in.
+ type: string
+ type:
+ description: The type of provider to use such as "Secret", or "ConfigMap".
+ enum:
+ - Secret
+ - ConfigMap
+ type: string
+ required:
+ - name
+ - type
+ type: object
+ required:
+ - akeylessGWApiURL
+ - authSecretRef
+ type: object
+ alibaba:
+ description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
+ properties:
+ auth:
+ description: AlibabaAuth contains a secretRef for credentials.
+ properties:
+ rrsa:
+ description: Authenticate against Alibaba using RRSA.
+ properties:
+ oidcProviderArn:
+ type: string
+ oidcTokenFilePath:
+ type: string
+ roleArn:
+ type: string
+ sessionName:
+ type: string
+ required:
+ - oidcProviderArn
+ - oidcTokenFilePath
+ - roleArn
+ - sessionName
+ type: object
+ secretRef:
+ description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
+ properties:
+ accessKeyIDSecretRef:
+ description: The AccessKeyID is used for authentication
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ accessKeySecretSecretRef:
+ description: The AccessKeySecret is used for authentication
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ required:
+ - accessKeyIDSecretRef
+ - accessKeySecretSecretRef
+ type: object
+ type: object
+ regionID:
+ description: Alibaba Region to be used for the provider
+ type: string
+ required:
+ - auth
+ - regionID
+ type: object
+ aws:
+ description: AWS configures this store to sync secrets using AWS Secret Manager provider
+ properties:
+ auth:
+ description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
+ properties:
+ jwt:
+ description: Authenticate against AWS using service account tokens.
+ properties:
+ serviceAccountRef:
+ description: A reference to a ServiceAccount resource.
+ properties:
+ audiences:
+ description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
+ items:
+ type: string
+ type: array
+ name:
+ description: The name of the ServiceAccount resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ required:
+ - name
+ type: object
+ type: object
+ secretRef:
+ description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
+ properties:
+ accessKeyIDSecretRef:
+ description: The AccessKeyID is used for authentication
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ secretAccessKeySecretRef:
+ description: The SecretAccessKey is used for authentication
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ type: object
+ region:
+ description: AWS Region to be used for the provider
+ type: string
+ role:
+ description: Role is a Role ARN which the SecretManager provider will assume
+ type: string
+ service:
+ description: Service defines which service should be used to fetch the secrets
+ enum:
+ - SecretsManager
+ - ParameterStore
+ type: string
+ required:
+ - region
+ - service
+ type: object
+ azurekv:
+ description: AzureKV configures this store to sync secrets using Azure Key Vault provider
+ properties:
+ authSecretRef:
+ description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type.
+ properties:
+ clientId:
+ description: The Azure clientId of the service principle used for authentication.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ clientSecret:
+ description: The Azure ClientSecret of the service principle used for authentication.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ authType:
+ default: ServicePrincipal
+ description: 'Auth type defines how to authenticate to the keyvault service. Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)'
+ enum:
+ - ServicePrincipal
+ - ManagedIdentity
+ - WorkloadIdentity
+ type: string
+ identityId:
+ description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
+ type: string
+ serviceAccountRef:
+ description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity.
+ properties:
+ audiences:
+ description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
+ items:
+ type: string
+ type: array
+ name:
+ description: The name of the ServiceAccount resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ required:
+ - name
+ type: object
+ tenantId:
+ description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
+ type: string
+ vaultUrl:
+ description: Vault Url from which the secrets to be fetched from.
+ type: string
+ required:
+ - vaultUrl
+ type: object
+ fake:
+ description: Fake configures a store with static key/value pairs
+ properties:
+ data:
+ items:
+ properties:
+ key:
+ type: string
+ value:
+ type: string
+ valueMap:
+ additionalProperties:
+ type: string
+ type: object
+ version:
+ type: string
+ required:
+ - key
+ type: object
+ type: array
+ required:
+ - data
+ type: object
+ gcpsm:
+ description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
+ properties:
+ auth:
+ description: Auth defines the information necessary to authenticate against GCP
+ properties:
+ secretRef:
+ properties:
+ secretAccessKeySecretRef:
+ description: The SecretAccessKey is used for authentication
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ workloadIdentity:
+ properties:
+ clusterLocation:
+ type: string
+ clusterName:
+ type: string
+ clusterProjectID:
+ type: string
+ serviceAccountRef:
+ description: A reference to a ServiceAccount resource.
+ properties:
+ audiences:
+ description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
+ items:
+ type: string
+ type: array
+ name:
+ description: The name of the ServiceAccount resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - clusterLocation
+ - clusterName
+ - serviceAccountRef
+ type: object
+ type: object
+ projectID:
+ description: ProjectID project where secret is located
+ type: string
+ type: object
+ gitlab:
+ description: GitLab configures this store to sync secrets using GitLab Variables provider
+ properties:
+ auth:
+ description: Auth configures how secret-manager authenticates with a GitLab instance.
+ properties:
+ SecretRef:
+ properties:
+ accessToken:
+ description: AccessToken is used for authentication.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ required:
+ - SecretRef
+ type: object
+ projectID:
+ description: ProjectID specifies a project where secrets are located.
+ type: string
+ url:
+ description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
+ type: string
+ required:
+ - auth
+ type: object
+ ibm:
+ description: IBM configures this store to sync secrets using IBM Cloud provider
+ properties:
+ auth:
+ description: Auth configures how secret-manager authenticates with the IBM secrets manager.
+ properties:
+ secretRef:
+ properties:
+ secretApiKeySecretRef:
+ description: The SecretAccessKey is used for authentication
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ required:
+ - secretRef
+ type: object
+ serviceUrl:
+ description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
+ type: string
+ required:
+ - auth
+ type: object
+ kubernetes:
+ description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
+ properties:
+ auth:
+ description: Auth configures how secret-manager authenticates with a Kubernetes instance.
+ maxProperties: 1
+ minProperties: 1
+ properties:
+ cert:
+ description: has both clientCert and clientKey as secretKeySelector
+ properties:
+ clientCert:
+ description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ clientKey:
+ description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ serviceAccount:
+ description: points to a service account that should be used for authentication
+ properties:
+ serviceAccount:
+ description: A reference to a ServiceAccount resource.
+ properties:
+ audiences:
+ description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
+ items:
+ type: string
+ type: array
+ name:
+ description: The name of the ServiceAccount resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ required:
+ - name
+ type: object
+ type: object
+ token:
+ description: use static token to authenticate with
+ properties:
+ bearerToken:
+ description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ type: object
+ remoteNamespace:
+ default: default
+ description: Remote namespace to fetch the secrets from
+ type: string
+ server:
+ description: configures the Kubernetes server Address.
+ properties:
+ caBundle:
+ description: CABundle is a base64-encoded CA certificate
+ format: byte
+ type: string
+ caProvider:
+ description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
+ properties:
+ key:
+ description: The key the value inside of the provider type to use, only used with "Secret" type
+ type: string
+ name:
+ description: The name of the object located at the provider type.
+ type: string
+ namespace:
+ description: The namespace the Provider type is in.
+ type: string
+ type:
+ description: The type of provider to use such as "Secret", or "ConfigMap".
+ enum:
+ - Secret
+ - ConfigMap
+ type: string
+ required:
+ - name
+ - type
+ type: object
+ url:
+ default: kubernetes.default
+ description: configures the Kubernetes server Address.
+ type: string
+ type: object
+ required:
+ - auth
+ type: object
+ oracle:
+ description: Oracle configures this store to sync secrets using Oracle Vault provider
+ properties:
+ auth:
+ description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, instance principal is used. Optionally, the authenticating principal type and/or user data may be supplied for the use of workload identity and user principal.
+ properties:
+ secretRef:
+ description: SecretRef to pass through sensitive information.
+ properties:
+ fingerprint:
+ description: Fingerprint is the fingerprint of the API private key.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ privatekey:
+ description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ required:
+ - fingerprint
+ - privatekey
+ type: object
+ tenancy:
+ description: Tenancy is the tenancy OCID where user is located.
+ type: string
+ user:
+ description: User is an access OCID specific to the account.
+ type: string
+ required:
+ - secretRef
+ - tenancy
+ - user
+ type: object
+ compartment:
+ description: Compartment is the vault compartment OCID. Required for PushSecret
+ type: string
+ encryptionKey:
+ description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret
+ type: string
+ principalType:
+ description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity.
+ enum:
+ - ""
+ - UserPrincipal
+ - InstancePrincipal
+ - Workload
+ type: string
+ region:
+ description: Region is the region where vault is located.
+ type: string
+ serviceAccountRef:
+ description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity.
+ properties:
+ audiences:
+ description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
+ items:
+ type: string
+ type: array
+ name:
+ description: The name of the ServiceAccount resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ required:
+ - name
+ type: object
+ vault:
+ description: Vault is the vault's OCID of the specific vault where secret is located.
+ type: string
+ required:
+ - region
+ - vault
+ type: object
+ vault:
+ description: Vault configures this store to sync secrets using Hashi provider
+ properties:
+ auth:
+ description: Auth configures how secret-manager authenticates with the Vault server.
+ properties:
+ appRole:
+ description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
+ properties:
+ path:
+ default: approle
+ description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
+ type: string
+ roleId:
+ description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
+ type: string
+ secretRef:
+ description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ required:
+ - path
+ - roleId
+ - secretRef
+ type: object
+ cert:
+ description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method
+ properties:
+ clientCert:
+ description: ClientCert is a certificate to authenticate using the Cert Vault authentication method
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ secretRef:
+ description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ jwt:
+ description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method
+ properties:
+ kubernetesServiceAccountToken:
+ description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API.
+ properties:
+ audiences:
+ description: Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified.
+ items:
+ type: string
+ type: array
+ expirationSeconds:
+ description: Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to 10 minutes.
+ format: int64
+ type: integer
+ serviceAccountRef:
+ description: Service account field containing the name of a kubernetes ServiceAccount.
+ properties:
+ audiences:
+ description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
+ items:
+ type: string
+ type: array
+ name:
+ description: The name of the ServiceAccount resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - serviceAccountRef
+ type: object
+ path:
+ default: jwt
+ description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"'
+ type: string
+ role:
+ description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method
+ type: string
+ secretRef:
+ description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ required:
+ - path
+ type: object
+ kubernetes:
+ description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
+ properties:
+ mountPath:
+ default: kubernetes
+ description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"'
+ type: string
+ role:
+ description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
+ type: string
+ secretRef:
+ description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ serviceAccountRef:
+ description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead.
+ properties:
+ audiences:
+ description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
+ items:
+ type: string
+ type: array
+ name:
+ description: The name of the ServiceAccount resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - mountPath
+ - role
+ type: object
+ ldap:
+ description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method
+ properties:
+ path:
+ default: ldap
+ description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"'
+ type: string
+ secretRef:
+ description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ username:
+ description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method
+ type: string
+ required:
+ - path
+ - username
+ type: object
+ tokenSecretRef:
+ description: TokenSecretRef authenticates with Vault by presenting a token.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ caBundle:
+ description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
+ format: byte
+ type: string
+ caProvider:
+ description: The provider for the CA bundle to use to validate Vault server certificate.
+ properties:
+ key:
+ description: The key the value inside of the provider type to use, only used with "Secret" type
+ type: string
+ name:
+ description: The name of the object located at the provider type.
+ type: string
+ namespace:
+ description: The namespace the Provider type is in.
+ type: string
+ type:
+ description: The type of provider to use such as "Secret", or "ConfigMap".
+ enum:
+ - Secret
+ - ConfigMap
+ type: string
+ required:
+ - name
+ - type
+ type: object
+ forwardInconsistent:
+ description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
+ type: boolean
+ namespace:
+ description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
+ type: string
+ path:
+ description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.'
+ type: string
+ readYourWrites:
+ description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency
+ type: boolean
+ server:
+ description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
+ type: string
+ version:
+ default: v2
+ description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2".
+ enum:
+ - v1
+ - v2
+ type: string
+ required:
+ - auth
+ - server
+ type: object
+ webhook:
+ description: Webhook configures this store to sync secrets using a generic templated webhook
+ properties:
+ body:
+ description: Body
+ type: string
+ caBundle:
+ description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
+ format: byte
+ type: string
+ caProvider:
+ description: The provider for the CA bundle to use to validate webhook server certificate.
+ properties:
+ key:
+ description: The key the value inside of the provider type to use, only used with "Secret" type
+ type: string
+ name:
+ description: The name of the object located at the provider type.
+ type: string
+ namespace:
+ description: The namespace the Provider type is in.
+ type: string
+ type:
+ description: The type of provider to use such as "Secret", or "ConfigMap".
+ enum:
+ - Secret
+ - ConfigMap
+ type: string
+ required:
+ - name
+ - type
+ type: object
+ headers:
+ additionalProperties:
+ type: string
+ description: Headers
+ type: object
+ method:
+ description: Webhook Method
+ type: string
+ result:
+ description: Result formatting
+ properties:
+ jsonPath:
+ description: Json path of return value
+ type: string
+ type: object
+ secrets:
+ description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name
+ items:
+ properties:
+ name:
+ description: Name of this secret in templates
+ type: string
+ secretRef:
+ description: Secret ref to fill in credentials
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ required:
+ - name
+ - secretRef
+ type: object
+ type: array
+ timeout:
+ description: Timeout
+ type: string
+ url:
+ description: Webhook url to call
+ type: string
+ required:
+ - result
+ - url
+ type: object
+ yandexlockbox:
+ description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
+ properties:
+ apiEndpoint:
+ description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
+ type: string
+ auth:
+ description: Auth defines the information necessary to authenticate against Yandex Lockbox
+ properties:
+ authorizedKeySecretRef:
+ description: The authorized key used for authentication
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ caProvider:
+ description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
+ properties:
+ certSecretRef:
+ description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ required:
+ - auth
+ type: object
+ type: object
+ retrySettings:
+ description: Used to configure http retries if failed
+ properties:
+ maxRetries:
+ format: int32
+ type: integer
+ retryInterval:
+ type: string
+ type: object
+ required:
+ - provider
+ type: object
+ status:
+ description: SecretStoreStatus defines the observed state of the SecretStore.
+ properties:
+ conditions:
+ items:
+ properties:
+ lastTransitionTime:
+ format: date-time
+ type: string
+ message:
+ type: string
+ reason:
+ type: string
+ status:
+ type: string
+ type:
+ type: string
+ required:
+ - status
+ - type
+ type: object
+ type: array
+ type: object
+ type: object
+ served: true
+ storage: false
+ subresources:
+ status: {}
+ - additionalPrinterColumns:
+ - jsonPath: .metadata.creationTimestamp
+ name: AGE
+ type: date
+ - jsonPath: .status.conditions[?(@.type=="Ready")].reason
+ name: Status
+ type: string
+ - jsonPath: .status.capabilities
+ name: Capabilities
+ type: string
+ - jsonPath: .status.conditions[?(@.type=="Ready")].status
+ name: Ready
+ type: string
+ name: v1beta1
+ schema:
+ openAPIV3Schema:
+ description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: SecretStoreSpec defines the desired state of SecretStore.
+ properties:
+ conditions:
+ description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore
+ items:
+ description: ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in for a ClusterSecretStore instance.
+ properties:
+ namespaceSelector:
+ description: Choose namespace using a labelSelector
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
+ items:
+ description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the selector applies to.
+ type: string
+ operator:
+ description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: Choose namespaces by name
+ items:
+ type: string
+ type: array
+ type: object
+ type: array
+ controller:
+ description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property'
+ type: string
+ provider:
+ description: Used to configure the provider. Only one provider may be set
+ maxProperties: 1
+ minProperties: 1
+ properties:
+ akeyless:
+ description: Akeyless configures this store to sync secrets using Akeyless Vault provider
+ properties:
+ akeylessGWApiURL:
+ description: Akeyless GW API Url from which the secrets to be fetched from.
+ type: string
+ authSecretRef:
+ description: Auth configures how the operator authenticates with Akeyless.
+ properties:
+ kubernetesAuth:
+ description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource.
+ properties:
+ accessID:
+ description: the Akeyless Kubernetes auth-method access-id
+ type: string
+ k8sConfName:
+ description: Kubernetes-auth configuration name in Akeyless-Gateway
+ type: string
+ secretRef:
+ description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ serviceAccountRef:
+ description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead.
+ properties:
+ audiences:
+ description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
+ items:
+ type: string
+ type: array
+ name:
+ description: The name of the ServiceAccount resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - accessID
+ - k8sConfName
+ type: object
+ secretRef:
+ description: Reference to a Secret that contains the details to authenticate with Akeyless.
+ properties:
+ accessID:
+ description: The SecretAccessID is used for authentication
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ accessType:
+ description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ accessTypeParam:
+ description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ type: object
+ caBundle:
+ description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection.
+ format: byte
+ type: string
+ caProvider:
+ description: The provider for the CA bundle to use to validate Akeyless Gateway certificate.
+ properties:
+ key:
+ description: The key where the CA certificate can be found in the Secret or ConfigMap.
+ type: string
+ name:
+ description: The name of the object located at the provider type.
+ type: string
+ namespace:
+ description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore.
+ type: string
+ type:
+ description: The type of provider to use such as "Secret", or "ConfigMap".
+ enum:
+ - Secret
+ - ConfigMap
+ type: string
+ required:
+ - name
+ - type
+ type: object
+ required:
+ - akeylessGWApiURL
+ - authSecretRef
+ type: object
+ alibaba:
+ description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
+ properties:
+ auth:
+ description: AlibabaAuth contains a secretRef for credentials.
+ properties:
+ rrsa:
+ description: Authenticate against Alibaba using RRSA.
+ properties:
+ oidcProviderArn:
+ type: string
+ oidcTokenFilePath:
+ type: string
+ roleArn:
+ type: string
+ sessionName:
+ type: string
+ required:
+ - oidcProviderArn
+ - oidcTokenFilePath
+ - roleArn
+ - sessionName
+ type: object
+ secretRef:
+ description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
+ properties:
+ accessKeyIDSecretRef:
+ description: The AccessKeyID is used for authentication
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ accessKeySecretSecretRef:
+ description: The AccessKeySecret is used for authentication
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ required:
+ - accessKeyIDSecretRef
+ - accessKeySecretSecretRef
+ type: object
+ type: object
+ regionID:
+ description: Alibaba Region to be used for the provider
+ type: string
+ required:
+ - auth
+ - regionID
+ type: object
+ aws:
+ description: AWS configures this store to sync secrets using AWS Secret Manager provider
+ properties:
+ additionalRoles:
+ description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role
+ items:
+ type: string
+ type: array
+ auth:
+ description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
+ properties:
+ jwt:
+ description: Authenticate against AWS using service account tokens.
+ properties:
+ serviceAccountRef:
+ description: A reference to a ServiceAccount resource.
+ properties:
+ audiences:
+ description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
+ items:
+ type: string
+ type: array
+ name:
+ description: The name of the ServiceAccount resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ required:
+ - name
+ type: object
+ type: object
+ secretRef:
+ description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
+ properties:
+ accessKeyIDSecretRef:
+ description: The AccessKeyID is used for authentication
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ secretAccessKeySecretRef:
+ description: The SecretAccessKey is used for authentication
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ sessionTokenSecretRef:
+ description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html'
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ type: object
+ externalID:
+ description: AWS External ID set on assumed IAM roles
+ type: string
+ region:
+ description: AWS Region to be used for the provider
+ type: string
+ role:
+ description: Role is a Role ARN which the provider will assume
+ type: string
+ secretsManager:
+ description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager
+ properties:
+ forceDeleteWithoutRecovery:
+ description: 'Specifies whether to delete the secret without any recovery window. You can''t use both this parameter and RecoveryWindowInDays in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery'
+ type: boolean
+ recoveryWindowInDays:
+ description: 'The number of days from 7 to 30 that Secrets Manager waits before permanently deleting the secret. You can''t use both this parameter and ForceDeleteWithoutRecovery in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays'
+ format: int64
+ type: integer
+ type: object
+ service:
+ description: Service defines which service should be used to fetch the secrets
+ enum:
+ - SecretsManager
+ - ParameterStore
+ type: string
+ sessionTags:
+ description: AWS STS assume role session tags
+ items:
+ properties:
+ key:
+ type: string
+ value:
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
+ transitiveTagKeys:
+ description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider
+ items:
+ type: string
+ type: array
+ required:
+ - region
+ - service
+ type: object
+ azurekv:
+ description: AzureKV configures this store to sync secrets using Azure Key Vault provider
+ properties:
+ authSecretRef:
+ description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type.
+ properties:
+ clientId:
+ description: The Azure clientId of the service principle used for authentication.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ clientSecret:
+ description: The Azure ClientSecret of the service principle used for authentication.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ authType:
+ default: ServicePrincipal
+ description: 'Auth type defines how to authenticate to the keyvault service. Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)'
+ enum:
+ - ServicePrincipal
+ - ManagedIdentity
+ - WorkloadIdentity
+ type: string
+ environmentType:
+ default: PublicCloud
+ description: 'EnvironmentType specifies the Azure cloud environment endpoints to use for connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud'
+ enum:
+ - PublicCloud
+ - USGovernmentCloud
+ - ChinaCloud
+ - GermanCloud
+ type: string
+ identityId:
+ description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
+ type: string
+ serviceAccountRef:
+ description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity.
+ properties:
+ audiences:
+ description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
+ items:
+ type: string
+ type: array
+ name:
+ description: The name of the ServiceAccount resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ required:
+ - name
+ type: object
+ tenantId:
+ description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
+ type: string
+ vaultUrl:
+ description: Vault Url from which the secrets to be fetched from.
+ type: string
+ required:
+ - vaultUrl
+ type: object
+ conjur:
+ description: Conjur configures this store to sync secrets using conjur provider
+ properties:
+ auth:
+ properties:
+ apikey:
+ properties:
+ account:
+ type: string
+ apiKeyRef:
+ description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ userRef:
+ description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ required:
+ - account
+ - apiKeyRef
+ - userRef
+ type: object
+ jwt:
+ properties:
+ account:
+ type: string
+ secretRef:
+ description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Conjur using the JWT authentication method.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ serviceAccountRef:
+ description: Optional ServiceAccountRef specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API.
+ properties:
+ audiences:
+ description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
+ items:
+ type: string
+ type: array
+ name:
+ description: The name of the ServiceAccount resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ required:
+ - name
+ type: object
+ serviceID:
+ description: The conjur authn jwt webservice id
+ type: string
+ required:
+ - account
+ - serviceID
+ type: object
+ type: object
+ caBundle:
+ type: string
+ caProvider:
+ description: Used to provide custom certificate authority (CA) certificates for a secret store. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate.
+ properties:
+ key:
+ description: The key where the CA certificate can be found in the Secret or ConfigMap.
+ type: string
+ name:
+ description: The name of the object located at the provider type.
+ type: string
+ namespace:
+ description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore.
+ type: string
+ type:
+ description: The type of provider to use such as "Secret", or "ConfigMap".
+ enum:
+ - Secret
+ - ConfigMap
+ type: string
+ required:
+ - name
+ - type
+ type: object
+ url:
+ type: string
+ required:
+ - auth
+ - url
+ type: object
+ delinea:
+ description: Delinea DevOps Secrets Vault https://docs.delinea.com/online-help/products/devops-secrets-vault/current
+ properties:
+ clientId:
+ description: ClientID is the non-secret part of the credential.
+ properties:
+ secretRef:
+ description: SecretRef references a key in a secret that will be used as value.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ value:
+ description: Value can be specified directly to set a value without using a secret.
+ type: string
+ type: object
+ clientSecret:
+ description: ClientSecret is the secret part of the credential.
+ properties:
+ secretRef:
+ description: SecretRef references a key in a secret that will be used as value.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ value:
+ description: Value can be specified directly to set a value without using a secret.
+ type: string
+ type: object
+ tenant:
+ description: Tenant is the chosen hostname / site name.
+ type: string
+ tld:
+ description: TLD is based on the server location that was chosen during provisioning. If unset, defaults to "com".
+ type: string
+ urlTemplate:
+ description: URLTemplate If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s".
+ type: string
+ required:
+ - clientId
+ - clientSecret
+ - tenant
+ type: object
+ doppler:
+ description: Doppler configures this store to sync secrets using the Doppler provider
+ properties:
+ auth:
+ description: Auth configures how the Operator authenticates with the Doppler API
+ properties:
+ secretRef:
+ properties:
+ dopplerToken:
+ description: The DopplerToken is used for authentication. See https://docs.doppler.com/reference/api#authentication for auth token types. The Key attribute defaults to dopplerToken if not specified.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ required:
+ - dopplerToken
+ type: object
+ required:
+ - secretRef
+ type: object
+ config:
+ description: Doppler config (required if not using a Service Token)
+ type: string
+ format:
+ description: Format enables the downloading of secrets as a file (string)
+ enum:
+ - json
+ - dotnet-json
+ - env
+ - yaml
+ - docker
+ type: string
+ nameTransformer:
+ description: Environment variable compatible name transforms that change secret names to a different format
+ enum:
+ - upper-camel
+ - camel
+ - lower-snake
+ - tf-var
+ - dotnet-env
+ - lower-kebab
+ type: string
+ project:
+ description: Doppler project (required if not using a Service Token)
+ type: string
+ required:
+ - auth
+ type: object
+ fake:
+ description: Fake configures a store with static key/value pairs
+ properties:
+ data:
+ items:
+ properties:
+ key:
+ type: string
+ value:
+ type: string
+ valueMap:
+ additionalProperties:
+ type: string
+ description: 'Deprecated: ValueMap is deprecated and is intended to be removed in the future, use the `value` field instead.'
+ type: object
+ version:
+ type: string
+ required:
+ - key
+ type: object
+ type: array
+ required:
+ - data
+ type: object
+ gcpsm:
+ description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
+ properties:
+ auth:
+ description: Auth defines the information necessary to authenticate against GCP
+ properties:
+ secretRef:
+ properties:
+ secretAccessKeySecretRef:
+ description: The SecretAccessKey is used for authentication
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ workloadIdentity:
+ properties:
+ clusterLocation:
+ type: string
+ clusterName:
+ type: string
+ clusterProjectID:
+ type: string
+ serviceAccountRef:
+ description: A reference to a ServiceAccount resource.
+ properties:
+ audiences:
+ description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
+ items:
+ type: string
+ type: array
+ name:
+ description: The name of the ServiceAccount resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - clusterLocation
+ - clusterName
+ - serviceAccountRef
+ type: object
+ type: object
+ projectID:
+ description: ProjectID project where secret is located
+ type: string
+ type: object
+ gitlab:
+ description: GitLab configures this store to sync secrets using GitLab Variables provider
+ properties:
+ auth:
+ description: Auth configures how secret-manager authenticates with a GitLab instance.
+ properties:
+ SecretRef:
+ properties:
+ accessToken:
+ description: AccessToken is used for authentication.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ required:
+ - SecretRef
+ type: object
+ environment:
+ description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments)
+ type: string
+ groupIDs:
+ description: GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables.
+ items:
+ type: string
+ type: array
+ inheritFromGroups:
+ description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets.
+ type: boolean
+ projectID:
+ description: ProjectID specifies a project where secrets are located.
+ type: string
+ url:
+ description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
+ type: string
+ required:
+ - auth
+ type: object
+ ibm:
+ description: IBM configures this store to sync secrets using IBM Cloud provider
+ properties:
+ auth:
+ description: Auth configures how secret-manager authenticates with the IBM secrets manager.
+ maxProperties: 1
+ minProperties: 1
+ properties:
+ containerAuth:
+ description: IBM Container-based auth with IAM Trusted Profile.
+ properties:
+ iamEndpoint:
+ type: string
+ profile:
+ description: the IBM Trusted Profile
+ type: string
+ tokenLocation:
+ description: Location the token is mounted on the pod
+ type: string
+ required:
+ - profile
+ type: object
+ secretRef:
+ properties:
+ secretApiKeySecretRef:
+ description: The SecretAccessKey is used for authentication
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ type: object
+ serviceUrl:
+ description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
+ type: string
+ required:
+ - auth
+ type: object
+ keepersecurity:
+ description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider
+ properties:
+ authRef:
+ description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ folderID:
+ type: string
+ required:
+ - authRef
+ - folderID
+ type: object
+ kubernetes:
+ description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
+ properties:
+ auth:
+ description: Auth configures how secret-manager authenticates with a Kubernetes instance.
+ maxProperties: 1
+ minProperties: 1
+ properties:
+ cert:
+ description: has both clientCert and clientKey as secretKeySelector
+ properties:
+ clientCert:
+ description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ clientKey:
+ description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ serviceAccount:
+ description: points to a service account that should be used for authentication
+ properties:
+ audiences:
+ description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
+ items:
+ type: string
+ type: array
+ name:
+ description: The name of the ServiceAccount resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ required:
+ - name
+ type: object
+ token:
+ description: use static token to authenticate with
+ properties:
+ bearerToken:
+ description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ type: object
+ remoteNamespace:
+ default: default
+ description: Remote namespace to fetch the secrets from
+ type: string
+ server:
+ description: configures the Kubernetes server Address.
+ properties:
+ caBundle:
+ description: CABundle is a base64-encoded CA certificate
+ format: byte
+ type: string
+ caProvider:
+ description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
+ properties:
+ key:
+ description: The key where the CA certificate can be found in the Secret or ConfigMap.
+ type: string
+ name:
+ description: The name of the object located at the provider type.
+ type: string
+ namespace:
+ description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore.
+ type: string
+ type:
+ description: The type of provider to use such as "Secret", or "ConfigMap".
+ enum:
+ - Secret
+ - ConfigMap
+ type: string
+ required:
+ - name
+ - type
+ type: object
+ url:
+ default: kubernetes.default
+ description: configures the Kubernetes server Address.
+ type: string
+ type: object
+ required:
+ - auth
+ type: object
+ onepassword:
+ description: OnePassword configures this store to sync secrets using the 1Password Cloud provider
+ properties:
+ auth:
+ description: Auth defines the information necessary to authenticate against OnePassword Connect Server
+ properties:
+ secretRef:
+ description: OnePasswordAuthSecretRef holds secret references for 1Password credentials.
+ properties:
+ connectTokenSecretRef:
+ description: The ConnectToken is used for authentication to a 1Password Connect Server.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ required:
+ - connectTokenSecretRef
+ type: object
+ required:
+ - secretRef
+ type: object
+ connectHost:
+ description: ConnectHost defines the OnePassword Connect Server to connect to
+ type: string
+ vaults:
+ additionalProperties:
+ type: integer
+ description: Vaults defines which OnePassword vaults to search in which order
+ type: object
+ required:
+ - auth
+ - connectHost
+ - vaults
+ type: object
+ oracle:
+ description: Oracle configures this store to sync secrets using Oracle Vault provider
+ properties:
+ auth:
+ description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth.
+ properties:
+ secretRef:
+ description: SecretRef to pass through sensitive information.
+ properties:
+ fingerprint:
+ description: Fingerprint is the fingerprint of the API private key.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ privatekey:
+ description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ required:
+ - fingerprint
+ - privatekey
+ type: object
+ tenancy:
+ description: Tenancy is the tenancy OCID where user is located.
+ type: string
+ user:
+ description: User is an access OCID specific to the account.
+ type: string
+ required:
+ - secretRef
+ - tenancy
+ - user
+ type: object
+ compartment:
+ description: Compartment is the vault compartment OCID. Required for PushSecret
+ type: string
+ encryptionKey:
+ description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret
+ type: string
+ principalType:
+ description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity.
+ enum:
+ - ""
+ - UserPrincipal
+ - InstancePrincipal
+ - Workload
+ type: string
+ region:
+ description: Region is the region where vault is located.
+ type: string
+ serviceAccountRef:
+ description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity.
+ properties:
+ audiences:
+ description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
+ items:
+ type: string
+ type: array
+ name:
+ description: The name of the ServiceAccount resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ required:
+ - name
+ type: object
+ vault:
+ description: Vault is the vault's OCID of the specific vault where secret is located.
+ type: string
+ required:
+ - region
+ - vault
+ type: object
+ scaleway:
+ description: Scaleway
+ properties:
+ accessKey:
+ description: AccessKey is the non-secret part of the api key.
+ properties:
+ secretRef:
+ description: SecretRef references a key in a secret that will be used as value.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ value:
+ description: Value can be specified directly to set a value without using a secret.
+ type: string
+ type: object
+ apiUrl:
+ description: APIURL is the url of the api to use. Defaults to https://api.scaleway.com
+ type: string
+ projectId:
+ description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings'
+ type: string
+ region:
+ description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone'
+ type: string
+ secretKey:
+ description: SecretKey is the non-secret part of the api key.
+ properties:
+ secretRef:
+ description: SecretRef references a key in a secret that will be used as value.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ value:
+ description: Value can be specified directly to set a value without using a secret.
+ type: string
+ type: object
+ required:
+ - accessKey
+ - projectId
+ - region
+ - secretKey
+ type: object
+ senhasegura:
+ description: Senhasegura configures this store to sync secrets using senhasegura provider
+ properties:
+ auth:
+ description: Auth defines parameters to authenticate in senhasegura
+ properties:
+ clientId:
+ type: string
+ clientSecretSecretRef:
+ description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ required:
+ - clientId
+ - clientSecretSecretRef
+ type: object
+ ignoreSslCertificate:
+ default: false
+ description: IgnoreSslCertificate defines if SSL certificate must be ignored
+ type: boolean
+ module:
+ description: Module defines which senhasegura module should be used to get secrets
+ type: string
+ url:
+ description: URL of senhasegura
+ type: string
+ required:
+ - auth
+ - module
+ - url
+ type: object
+ vault:
+ description: Vault configures this store to sync secrets using Hashi provider
+ properties:
+ auth:
+ description: Auth configures how secret-manager authenticates with the Vault server.
+ properties:
+ appRole:
+ description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
+ properties:
+ path:
+ default: approle
+ description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
+ type: string
+ roleId:
+ description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
+ type: string
+ roleRef:
+ description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ secretRef:
+ description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ required:
+ - path
+ - secretRef
+ type: object
+ cert:
+ description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method
+ properties:
+ clientCert:
+ description: ClientCert is a certificate to authenticate using the Cert Vault authentication method
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ secretRef:
+ description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ iam:
+ description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method
+ properties:
+ externalID:
+ description: AWS External ID set on assumed IAM roles
+ type: string
+ jwt:
+ description: Specify a service account with IRSA enabled
+ properties:
+ serviceAccountRef:
+ description: A reference to a ServiceAccount resource.
+ properties:
+ audiences:
+ description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
+ items:
+ type: string
+ type: array
+ name:
+ description: The name of the ServiceAccount resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ required:
+ - name
+ type: object
+ type: object
+ path:
+ description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
+ type: string
+ region:
+ description: AWS region
+ type: string
+ role:
+ description: This is the AWS role to be assumed before talking to vault
+ type: string
+ secretRef:
+ description: Specify credentials in a Secret object
+ properties:
+ accessKeyIDSecretRef:
+ description: The AccessKeyID is used for authentication
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ secretAccessKeySecretRef:
+ description: The SecretAccessKey is used for authentication
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ sessionTokenSecretRef:
+ description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html'
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ vaultAwsIamServerID:
+ description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
+ type: string
+ vaultRole:
+ description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine
+ type: string
+ required:
+ - vaultRole
+ type: object
+ jwt:
+ description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method
+ properties:
+ kubernetesServiceAccountToken:
+ description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API.
+ properties:
+ audiences:
+ description: 'Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. Deprecated: use serviceAccountRef.Audiences instead'
+ items:
+ type: string
+ type: array
+ expirationSeconds:
+ description: 'Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Deprecated: this will be removed in the future. Defaults to 10 minutes.'
+ format: int64
+ type: integer
+ serviceAccountRef:
+ description: Service account field containing the name of a kubernetes ServiceAccount.
+ properties:
+ audiences:
+ description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
+ items:
+ type: string
+ type: array
+ name:
+ description: The name of the ServiceAccount resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - serviceAccountRef
+ type: object
+ path:
+ default: jwt
+ description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"'
+ type: string
+ role:
+ description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method
+ type: string
+ secretRef:
+ description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ required:
+ - path
+ type: object
+ kubernetes:
+ description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
+ properties:
+ mountPath:
+ default: kubernetes
+ description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"'
+ type: string
+ role:
+ description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
+ type: string
+ secretRef:
+ description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ serviceAccountRef:
+ description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead.
+ properties:
+ audiences:
+ description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
+ items:
+ type: string
+ type: array
+ name:
+ description: The name of the ServiceAccount resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - mountPath
+ - role
+ type: object
+ ldap:
+ description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method
+ properties:
+ path:
+ default: ldap
+ description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"'
+ type: string
+ secretRef:
+ description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ username:
+ description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method
+ type: string
+ required:
+ - path
+ - username
+ type: object
+ tokenSecretRef:
+ description: TokenSecretRef authenticates with Vault by presenting a token.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ userPass:
+ description: UserPass authenticates with Vault by passing username/password pair
+ properties:
+ path:
+ default: user
+ description: 'Path where the UserPassword authentication backend is mounted in Vault, e.g: "user"'
+ type: string
+ secretRef:
+ description: SecretRef to a key in a Secret resource containing password for the user used to authenticate with Vault using the UserPass authentication method
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ username:
+ description: Username is a user name used to authenticate using the UserPass Vault authentication method
+ type: string
+ required:
+ - path
+ - username
+ type: object
+ type: object
+ caBundle:
+ description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
+ format: byte
+ type: string
+ caProvider:
+ description: The provider for the CA bundle to use to validate Vault server certificate.
+ properties:
+ key:
+ description: The key where the CA certificate can be found in the Secret or ConfigMap.
+ type: string
+ name:
+ description: The name of the object located at the provider type.
+ type: string
+ namespace:
+ description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore.
+ type: string
+ type:
+ description: The type of provider to use such as "Secret", or "ConfigMap".
+ enum:
+ - Secret
+ - ConfigMap
+ type: string
+ required:
+ - name
+ - type
+ type: object
+ forwardInconsistent:
+ description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
+ type: boolean
+ namespace:
+ description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
+ type: string
+ path:
+ description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.'
+ type: string
+ readYourWrites:
+ description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency
+ type: boolean
+ server:
+ description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
+ type: string
+ version:
+ default: v2
+ description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2".
+ enum:
+ - v1
+ - v2
+ type: string
+ required:
+ - auth
+ - server
+ type: object
+ webhook:
+ description: Webhook configures this store to sync secrets using a generic templated webhook
+ properties:
+ body:
+ description: Body
+ type: string
+ caBundle:
+ description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
+ format: byte
+ type: string
+ caProvider:
+ description: The provider for the CA bundle to use to validate webhook server certificate.
+ properties:
+ key:
+ description: The key the value inside of the provider type to use, only used with "Secret" type
+ type: string
+ name:
+ description: The name of the object located at the provider type.
+ type: string
+ namespace:
+ description: The namespace the Provider type is in.
+ type: string
+ type:
+ description: The type of provider to use such as "Secret", or "ConfigMap".
+ enum:
+ - Secret
+ - ConfigMap
+ type: string
+ required:
+ - name
+ - type
+ type: object
+ headers:
+ additionalProperties:
+ type: string
+ description: Headers
+ type: object
+ method:
+ description: Webhook Method
+ type: string
+ result:
+ description: Result formatting
+ properties:
+ jsonPath:
+ description: Json path of return value
+ type: string
+ type: object
+ secrets:
+ description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name
+ items:
+ properties:
+ name:
+ description: Name of this secret in templates
+ type: string
+ secretRef:
+ description: Secret ref to fill in credentials
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ required:
+ - name
+ - secretRef
+ type: object
+ type: array
+ timeout:
+ description: Timeout
+ type: string
+ url:
+ description: Webhook url to call
+ type: string
+ required:
+ - result
+ - url
+ type: object
+ yandexcertificatemanager:
+ description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider
+ properties:
+ apiEndpoint:
+ description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
+ type: string
+ auth:
+ description: Auth defines the information necessary to authenticate against Yandex Certificate Manager
+ properties:
+ authorizedKeySecretRef:
+ description: The authorized key used for authentication
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ caProvider:
+ description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
+ properties:
+ certSecretRef:
+ description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ required:
+ - auth
+ type: object
+ yandexlockbox:
+ description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
+ properties:
+ apiEndpoint:
+ description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
+ type: string
+ auth:
+ description: Auth defines the information necessary to authenticate against Yandex Lockbox
+ properties:
+ authorizedKeySecretRef:
+ description: The authorized key used for authentication
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ caProvider:
+ description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
+ properties:
+ certSecretRef:
+ description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ required:
+ - auth
+ type: object
+ type: object
+ refreshInterval:
+ description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config.
+ type: integer
+ retrySettings:
+ description: Used to configure http retries if failed
+ properties:
+ maxRetries:
+ format: int32
+ type: integer
+ retryInterval:
+ type: string
+ type: object
+ required:
+ - provider
+ type: object
+ status:
+ description: SecretStoreStatus defines the observed state of the SecretStore.
+ properties:
+ capabilities:
+ description: SecretStoreCapabilities defines the possible operations a SecretStore can do.
+ type: string
+ conditions:
+ items:
+ properties:
+ lastTransitionTime:
+ format: date-time
+ type: string
+ message:
+ type: string
+ reason:
+ type: string
+ status:
+ type: string
+ type:
+ type: string
+ required:
+ - status
+ - type
+ type: object
+ type: array
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
diff --git a/charts/external-secrets/tests/__snapshot__/webhook_test.yaml.snap b/charts/external-secrets/tests/__snapshot__/webhook_test.yaml.snap
new file mode 100644
index 0000000..b5aa239
--- /dev/null
+++ b/charts/external-secrets/tests/__snapshot__/webhook_test.yaml.snap
@@ -0,0 +1,88 @@
+should match snapshot of default values:
+ 1: |
+ apiVersion: apps/v1
+ kind: Deployment
+ metadata:
+ labels:
+ app.kubernetes.io/instance: RELEASE-NAME
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: external-secrets-webhook
+ app.kubernetes.io/version: v0.9.11
+ helm.sh/chart: external-secrets-0.9.11
+ name: RELEASE-NAME-external-secrets-webhook
+ namespace: NAMESPACE
+ spec:
+ replicas: 1
+ revisionHistoryLimit: 10
+ selector:
+ matchLabels:
+ app.kubernetes.io/instance: RELEASE-NAME
+ app.kubernetes.io/name: external-secrets-webhook
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/instance: RELEASE-NAME
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: external-secrets-webhook
+ app.kubernetes.io/version: v0.9.11
+ helm.sh/chart: external-secrets-0.9.11
+ spec:
+ automountServiceAccountToken: true
+ containers:
+ - args:
+ - webhook
+ - --port=10250
+ - --dns-name=RELEASE-NAME-external-secrets-webhook.NAMESPACE.svc
+ - --cert-dir=/tmp/certs
+ - --check-interval=5m
+ - --metrics-addr=:8080
+ - --healthz-addr=:8081
+ image: ghcr.io/external-secrets/external-secrets:v0.9.11
+ imagePullPolicy: IfNotPresent
+ name: webhook
+ ports:
+ - containerPort: 8080
+ name: metrics
+ protocol: TCP
+ - containerPort: 10250
+ name: webhook
+ protocol: TCP
+ readinessProbe:
+ httpGet:
+ path: /readyz
+ port: 8081
+ initialDelaySeconds: 20
+ periodSeconds: 5
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 1000
+ seccompProfile:
+ type: RuntimeDefault
+ volumeMounts:
+ - mountPath: /tmp/certs
+ name: certs
+ readOnly: true
+ hostNetwork: false
+ serviceAccountName: external-secrets-webhook
+ volumes:
+ - name: certs
+ secret:
+ secretName: RELEASE-NAME-external-secrets-webhook
+ 2: |
+ apiVersion: v1
+ kind: Secret
+ metadata:
+ labels:
+ app.kubernetes.io/instance: RELEASE-NAME
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: external-secrets-webhook
+ app.kubernetes.io/version: v0.9.11
+ external-secrets.io/component: webhook
+ helm.sh/chart: external-secrets-0.9.11
+ name: RELEASE-NAME-external-secrets-webhook
+ namespace: NAMESPACE
diff --git a/charts/external-secrets/tests/cert_controller_test.yaml b/charts/external-secrets/tests/cert_controller_test.yaml
new file mode 100644
index 0000000..52cce7e
--- /dev/null
+++ b/charts/external-secrets/tests/cert_controller_test.yaml
@@ -0,0 +1,63 @@
+suite: test cert controller deployment
+templates:
+ - cert-controller-deployment.yaml
+tests:
+ - it: should match snapshot of default values
+ asserts:
+ - matchSnapshot: {}
+ - it: should set imagePullPolicy to Always
+ set:
+ certController.image.pullPolicy: Always
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].imagePullPolicy
+ value: Always
+ - it: should imagePullPolicy to be default value IfNotPresent
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].imagePullPolicy
+ value: IfNotPresent
+ - it: should override securityContext
+ set:
+ certController.podSecurityContext:
+ runAsUser: 2000
+ certController.securityContext:
+ runAsUser: 3000
+ asserts:
+ - equal:
+ path: spec.template.spec.securityContext
+ value:
+ runAsUser: 2000
+ - equal:
+ path: spec.template.spec.containers[0].securityContext
+ value:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 3000
+ seccompProfile:
+ type: RuntimeDefault
+ - it: should override hostNetwork
+ set:
+ certController.hostNetwork: true
+ asserts:
+ - equal:
+ path: spec.template.spec.hostNetwork
+ value: true
+ - it: should override readinessProbe port
+ set:
+ certController.readinessProbe.port: 8082
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].args[7]
+ value: "--healthz-addr=:8082"
+ - it: should override metrics port
+ set:
+ certController.metrics.listen.port: 8888
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].args[6]
+ value: "--metrics-addr=:8888"
diff --git a/charts/external-secrets/tests/controller_test.yaml b/charts/external-secrets/tests/controller_test.yaml
new file mode 100644
index 0000000..f74af18
--- /dev/null
+++ b/charts/external-secrets/tests/controller_test.yaml
@@ -0,0 +1,56 @@
+suite: test controller deployment
+templates:
+ - deployment.yaml
+tests:
+ - it: should match snapshot of default values
+ asserts:
+ - matchSnapshot: {}
+ - it: should set imagePullPolicy to Always
+ set:
+ image.pullPolicy: Always
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].imagePullPolicy
+ value: Always
+ - it: should imagePullPolicy to be default value IfNotPresent
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].imagePullPolicy
+ value: IfNotPresent
+ - it: should override securityContext
+ set:
+ podSecurityContext:
+ runAsUser: 2000
+ securityContext:
+ runAsUser: 3000
+ asserts:
+ - equal:
+ path: spec.template.spec.securityContext
+ value:
+ runAsUser: 2000
+ - equal:
+ path: spec.template.spec.containers[0].securityContext
+ value:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 3000
+ seccompProfile:
+ type: RuntimeDefault
+ - it: should override hostNetwork
+ set:
+ hostNetwork: true
+ asserts:
+ - equal:
+ path: spec.template.spec.hostNetwork
+ value: true
+ - it: should override metrics port
+ set:
+ metrics.listen.port: 8888
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].args[1]
+ value: "--metrics-addr=:8888"
diff --git a/charts/external-secrets/tests/crds_test.yaml b/charts/external-secrets/tests/crds_test.yaml
new file mode 100644
index 0000000..25a18c7
--- /dev/null
+++ b/charts/external-secrets/tests/crds_test.yaml
@@ -0,0 +1,27 @@
+suite: test crds
+templates:
+ - crds/secretstore.yaml
+tests:
+ - it: should match snapshot of default values
+ asserts:
+ - matchSnapshot: {}
+ - it: should disable conversion webhook
+ set:
+ crds.conversion.enabled: false
+ asserts:
+ - isNull:
+ path: spec.conversion
+
+ - it: should add annotations
+ set:
+ crds:
+ annotations:
+ foo: bar
+ baz: bang
+ asserts:
+ - equal:
+ path: metadata.annotations.foo
+ value: bar
+ - equal:
+ path: metadata.annotations.baz
+ value: bang
diff --git a/charts/external-secrets/tests/service_monitor_test.yaml b/charts/external-secrets/tests/service_monitor_test.yaml
new file mode 100644
index 0000000..327f9b0
--- /dev/null
+++ b/charts/external-secrets/tests/service_monitor_test.yaml
@@ -0,0 +1,34 @@
+suite: test service monitor
+templates:
+ - servicemonitor.yaml
+tests:
+ - it: should render service monitor when APIVersions is present and serviceMonitor is enabled
+ set:
+ serviceMonitor.enabled: true
+ capabilities:
+ apiVersions:
+ - "monitoring.coreos.com/v1"
+ asserts:
+ - hasDocuments:
+ count: 6
+ - it: should not render service monitor when APIVersions is not present but serviceMonitor is enabled
+ set:
+ serviceMonitor.enabled: true
+ asserts:
+ - hasDocuments:
+ count: 0
+ - it: should not render service monitor when APIVersions is present and serviceMonitor is disabled
+ set:
+ serviceMonitor.enabled: false
+ capabilities:
+ apiVersions:
+ - "monitoring.coreos.com/v1"
+ asserts:
+ - hasDocuments:
+ count: 0
+ - it: should not render service monitor when APIVersions is not present and serviceMonitor is disabled
+ set:
+ serviceMonitor.enabled: false
+ asserts:
+ - hasDocuments:
+ count: 0
\ No newline at end of file
diff --git a/charts/external-secrets/tests/webhook_test.yaml b/charts/external-secrets/tests/webhook_test.yaml
new file mode 100644
index 0000000..b157e3b
--- /dev/null
+++ b/charts/external-secrets/tests/webhook_test.yaml
@@ -0,0 +1,172 @@
+suite: test webhook deployment
+templates:
+ - webhook-deployment.yaml
+ - webhook-secret.yaml
+ - webhook-certificate.yaml
+ - validatingwebhook.yaml
+ - crds/externalsecret.yaml
+tests:
+ - it: should match snapshot of default values
+ asserts:
+ - matchSnapshot: {}
+ templates:
+ - webhook-deployment.yaml
+ - webhook-secret.yaml
+ # webhook-certificate.yaml is not rendered by default
+ - it: should set imagePullPolicy to Always
+ set:
+ webhook.image.pullPolicy: Always
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].imagePullPolicy
+ value: Always
+ template: webhook-deployment.yaml
+ - it: should imagePullPolicy to be default value IfNotPresent
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].imagePullPolicy
+ value: IfNotPresent
+ template: webhook-deployment.yaml
+ - it: should override securityContext
+ set:
+ webhook.podSecurityContext:
+ runAsUser: 2000
+ webhook.securityContext:
+ runAsUser: 3000
+ asserts:
+ - equal:
+ path: spec.template.spec.securityContext
+ value:
+ runAsUser: 2000
+ - equal:
+ path: spec.template.spec.containers[0].securityContext
+ value:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 3000
+ seccompProfile:
+ type: RuntimeDefault
+ template: webhook-deployment.yaml
+ - it: should override hostNetwork
+ set:
+ webhook.hostNetwork: true
+ asserts:
+ - equal:
+ path: spec.template.spec.hostNetwork
+ value: true
+ template: webhook-deployment.yaml
+ - it: should create a certificate CRD
+ set:
+ webhook.certManager.enabled: true
+ webhook.certManager.cert.duration: "10d"
+ webhook.certManager.cert.renewBefore: "5d"
+ asserts:
+ - equal:
+ path: metadata.name
+ value: "RELEASE-NAME-external-secrets-webhook"
+ - equal:
+ path: spec.secretName
+ value: "RELEASE-NAME-external-secrets-webhook"
+ - equal:
+ path: spec.commonName
+ value: "RELEASE-NAME-external-secrets-webhook"
+ - equal:
+ path: spec.dnsNames[0]
+ value: "RELEASE-NAME-external-secrets-webhook"
+ - equal:
+ path: spec.issuerRef.group
+ value: "cert-manager.io"
+ - equal:
+ path: spec.issuerRef.kind
+ value: "Issuer"
+ - equal:
+ path: spec.issuerRef.name
+ value: "my-issuer"
+ - equal:
+ path: spec.duration
+ value: "10d"
+ - equal:
+ path: spec.renewBefore
+ value: "5d"
+ - hasDocuments:
+ count: 1
+ templates:
+ - webhook-certificate.yaml
+ - it: should not create the webhook secret
+ set:
+ webhook.certManager.enabled: true
+ asserts:
+ - hasDocuments:
+ count: 0
+ template: webhook-secret.yaml
+ - it: should not create the secret nor the certificate
+ set:
+ webhook.certManager.enabled: true
+ webhook.certManager.cert.create: false
+ asserts:
+ - hasDocuments:
+ count: 0
+ templates:
+ - webhook-secret.yaml
+ - webhook-certificate.yaml
+ - it: should
+ set:
+ webhook.certManager.enabled: true
+ asserts:
+ - equal:
+ path: metadata.name
+ value: "RELEASE-NAME-external-secrets-webhook"
+ - hasDocuments:
+ count: 1
+ template: webhook-certificate.yaml
+ - it: should allow using a cluster issuer
+ set:
+ webhook.certManager.enabled: true
+ webhook.certManager.cert.issuerRef.kind: ClusterIssuer
+ webhook.certManager.cert.issuerRef.name: my-other-issuer
+ asserts:
+ - equal:
+ path: spec.issuerRef.kind
+ value: "ClusterIssuer"
+ - equal:
+ path: spec.issuerRef.name
+ value: "my-other-issuer"
+ templates:
+ - webhook-certificate.yaml
+ - it: should add annotations to the webhook
+ set:
+ webhook.create: true
+ webhook.certManager.enabled: true
+ webhook.certManager.addInjectorAnnotations: true
+ asserts:
+ - equal:
+ path: metadata.annotations["cert-manager.io/inject-ca-from"]
+ value: "NAMESPACE/RELEASE-NAME-external-secrets-webhook"
+ templates:
+ - validatingwebhook.yaml
+ - crds/externalsecret.yaml
+ - it: should not add annotations to the webhook
+ set:
+ webhook.create: true
+ webhook.certManager.enabled: true
+ webhook.certManager.addInjectorAnnotations: false
+ asserts:
+ - isNull:
+ path: metadata.annotations["cert-manager.io/inject-ca-from"]
+ # value: "NAMESPACE/RELEASE-NAME-external-secrets-webhook"
+ templates:
+ - validatingwebhook.yaml
+ - crds/externalsecret.yaml
+ - it: should override metrics port
+ set:
+ webhook.metrics.listen.port: 8888
+ templates:
+ - webhook-deployment.yaml
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].args[5]
+ value: "--metrics-addr=:8888"
diff --git a/charts/external-secrets/values.schema.json b/charts/external-secrets/values.schema.json
deleted file mode 100644
index 9368909..0000000
--- a/charts/external-secrets/values.schema.json
+++ /dev/null
@@ -1,970 +0,0 @@
-{
- "$schema": "https://json-schema.org/draft/2020-12/schema",
- "properties": {
- "affinity": {
- "properties": {},
- "type": "object"
- },
- "bitwarden-sdk-server": {
- "properties": {
- "enabled": {
- "type": "boolean"
- }
- },
- "type": "object"
- },
- "certController": {
- "properties": {
- "affinity": {
- "properties": {},
- "type": "object"
- },
- "create": {
- "type": "boolean"
- },
- "deploymentAnnotations": {
- "properties": {},
- "type": "object"
- },
- "extraArgs": {
- "properties": {},
- "type": "object"
- },
- "extraEnv": {
- "type": "array"
- },
- "extraVolumeMounts": {
- "type": "array"
- },
- "extraVolumes": {
- "type": "array"
- },
- "fullnameOverride": {
- "type": "string"
- },
- "hostNetwork": {
- "type": "boolean"
- },
- "image": {
- "properties": {
- "flavour": {
- "type": "string"
- },
- "pullPolicy": {
- "type": "string"
- },
- "repository": {
- "type": "string"
- },
- "tag": {
- "type": "string"
- }
- },
- "type": "object"
- },
- "imagePullSecrets": {
- "type": "array"
- },
- "log": {
- "properties": {
- "level": {
- "type": "string"
- },
- "timeEncoding": {
- "type": "string"
- }
- },
- "type": "object"
- },
- "metrics": {
- "properties": {
- "listen": {
- "properties": {
- "port": {
- "type": "integer"
- }
- },
- "type": "object"
- },
- "service": {
- "properties": {
- "annotations": {
- "properties": {},
- "type": "object"
- },
- "enabled": {
- "type": "boolean"
- },
- "port": {
- "type": "integer"
- }
- },
- "type": "object"
- }
- },
- "type": "object"
- },
- "nameOverride": {
- "type": "string"
- },
- "nodeSelector": {
- "properties": {},
- "type": "object"
- },
- "podAnnotations": {
- "properties": {},
- "type": "object"
- },
- "podDisruptionBudget": {
- "properties": {
- "enabled": {
- "type": "boolean"
- },
- "minAvailable": {
- "type": "integer"
- }
- },
- "type": "object"
- },
- "podLabels": {
- "properties": {},
- "type": "object"
- },
- "podSecurityContext": {
- "properties": {
- "enabled": {
- "type": "boolean"
- }
- },
- "type": "object"
- },
- "priorityClassName": {
- "type": "string"
- },
- "rbac": {
- "properties": {
- "create": {
- "type": "boolean"
- }
- },
- "type": "object"
- },
- "readinessProbe": {
- "properties": {
- "address": {
- "type": "string"
- },
- "port": {
- "type": "integer"
- }
- },
- "type": "object"
- },
- "replicaCount": {
- "type": "integer"
- },
- "requeueInterval": {
- "type": "string"
- },
- "resources": {
- "properties": {},
- "type": "object"
- },
- "revisionHistoryLimit": {
- "type": "integer"
- },
- "securityContext": {
- "properties": {
- "allowPrivilegeEscalation": {
- "type": "boolean"
- },
- "capabilities": {
- "properties": {
- "drop": {
- "items": {
- "type": "string"
- },
- "type": "array"
- }
- },
- "type": "object"
- },
- "enabled": {
- "type": "boolean"
- },
- "readOnlyRootFilesystem": {
- "type": "boolean"
- },
- "runAsNonRoot": {
- "type": "boolean"
- },
- "runAsUser": {
- "type": "integer"
- },
- "seccompProfile": {
- "properties": {
- "type": {
- "type": "string"
- }
- },
- "type": "object"
- }
- },
- "type": "object"
- },
- "serviceAccount": {
- "properties": {
- "annotations": {
- "properties": {},
- "type": "object"
- },
- "automount": {
- "type": "boolean"
- },
- "create": {
- "type": "boolean"
- },
- "extraLabels": {
- "properties": {},
- "type": "object"
- },
- "name": {
- "type": "string"
- }
- },
- "type": "object"
- },
- "tolerations": {
- "type": "array"
- },
- "topologySpreadConstraints": {
- "type": "array"
- }
- },
- "type": "object"
- },
- "commonLabels": {
- "properties": {},
- "type": "object"
- },
- "concurrent": {
- "type": "integer"
- },
- "controllerClass": {
- "type": "string"
- },
- "crds": {
- "properties": {
- "annotations": {
- "properties": {},
- "type": "object"
- },
- "conversion": {
- "properties": {
- "enabled": {
- "type": "boolean"
- }
- },
- "type": "object"
- },
- "createClusterExternalSecret": {
- "type": "boolean"
- },
- "createClusterGenerator": {
- "type": "boolean"
- },
- "createClusterPushSecret": {
- "type": "boolean"
- },
- "createClusterSecretStore": {
- "type": "boolean"
- },
- "createPushSecret": {
- "type": "boolean"
- }
- },
- "type": "object"
- },
- "createOperator": {
- "type": "boolean"
- },
- "deploymentAnnotations": {
- "properties": {},
- "type": "object"
- },
- "dnsConfig": {
- "properties": {},
- "type": "object"
- },
- "dnsPolicy": {
- "type": "string"
- },
- "extendedMetricLabels": {
- "type": "boolean"
- },
- "extraArgs": {
- "properties": {},
- "type": "object"
- },
- "extraContainers": {
- "type": "array"
- },
- "extraEnv": {
- "type": "array"
- },
- "extraObjects": {
- "type": "array"
- },
- "extraVolumeMounts": {
- "type": "array"
- },
- "extraVolumes": {
- "type": "array"
- },
- "fullnameOverride": {
- "type": "string"
- },
- "global": {
- "properties": {
- "affinity": {
- "properties": {},
- "type": "object"
- },
- "compatibility": {
- "properties": {
- "openshift": {
- "properties": {
- "adaptSecurityContext": {
- "type": "string"
- }
- },
- "type": "object"
- }
- },
- "type": "object"
- },
- "nodeSelector": {
- "properties": {},
- "type": "object"
- },
- "tolerations": {
- "type": "array"
- },
- "topologySpreadConstraints": {
- "type": "array"
- }
- },
- "type": "object"
- },
- "grafanaDashboard": {
- "properties": {
- "annotations": {
- "properties": {},
- "type": "object"
- },
- "enabled": {
- "type": "boolean"
- },
- "sidecarLabel": {
- "type": "string"
- },
- "sidecarLabelValue": {
- "type": "string"
- }
- },
- "type": "object"
- },
- "hostNetwork": {
- "type": "boolean"
- },
- "image": {
- "properties": {
- "flavour": {
- "type": "string"
- },
- "pullPolicy": {
- "type": "string"
- },
- "repository": {
- "type": "string"
- },
- "tag": {
- "type": "string"
- }
- },
- "type": "object"
- },
- "imagePullSecrets": {
- "type": "array"
- },
- "installCRDs": {
- "type": "boolean"
- },
- "leaderElect": {
- "type": "boolean"
- },
- "log": {
- "properties": {
- "level": {
- "type": "string"
- },
- "timeEncoding": {
- "type": "string"
- }
- },
- "type": "object"
- },
- "metrics": {
- "properties": {
- "listen": {
- "properties": {
- "port": {
- "type": "integer"
- }
- },
- "type": "object"
- },
- "service": {
- "properties": {
- "annotations": {
- "properties": {},
- "type": "object"
- },
- "enabled": {
- "type": "boolean"
- },
- "port": {
- "type": "integer"
- }
- },
- "type": "object"
- }
- },
- "type": "object"
- },
- "nameOverride": {
- "type": "string"
- },
- "namespaceOverride": {
- "type": "string"
- },
- "nodeSelector": {
- "properties": {},
- "type": "object"
- },
- "openshiftFinalizers": {
- "type": "boolean"
- },
- "podAnnotations": {
- "properties": {},
- "type": "object"
- },
- "podDisruptionBudget": {
- "properties": {
- "enabled": {
- "type": "boolean"
- },
- "minAvailable": {
- "type": "integer"
- }
- },
- "type": "object"
- },
- "podLabels": {
- "properties": {},
- "type": "object"
- },
- "podSecurityContext": {
- "properties": {
- "enabled": {
- "type": "boolean"
- }
- },
- "type": "object"
- },
- "podSpecExtra": {
- "properties": {},
- "type": "object"
- },
- "priorityClassName": {
- "type": "string"
- },
- "processClusterExternalSecret": {
- "type": "boolean"
- },
- "processClusterPushSecret": {
- "type": "boolean"
- },
- "processClusterStore": {
- "type": "boolean"
- },
- "processPushSecret": {
- "type": "boolean"
- },
- "rbac": {
- "properties": {
- "aggregateToEdit": {
- "type": "boolean"
- },
- "aggregateToView": {
- "type": "boolean"
- },
- "create": {
- "type": "boolean"
- },
- "servicebindings": {
- "properties": {
- "create": {
- "type": "boolean"
- }
- },
- "type": "object"
- }
- },
- "type": "object"
- },
- "replicaCount": {
- "type": "integer"
- },
- "resources": {
- "properties": {},
- "type": "object"
- },
- "revisionHistoryLimit": {
- "type": "integer"
- },
- "scopedNamespace": {
- "type": "string"
- },
- "scopedRBAC": {
- "type": "boolean"
- },
- "securityContext": {
- "properties": {
- "allowPrivilegeEscalation": {
- "type": "boolean"
- },
- "capabilities": {
- "properties": {
- "drop": {
- "items": {
- "type": "string"
- },
- "type": "array"
- }
- },
- "type": "object"
- },
- "enabled": {
- "type": "boolean"
- },
- "readOnlyRootFilesystem": {
- "type": "boolean"
- },
- "runAsNonRoot": {
- "type": "boolean"
- },
- "runAsUser": {
- "type": "integer"
- },
- "seccompProfile": {
- "properties": {
- "type": {
- "type": "string"
- }
- },
- "type": "object"
- }
- },
- "type": "object"
- },
- "service": {
- "properties": {
- "ipFamilies": {
- "type": "array"
- },
- "ipFamilyPolicy": {
- "type": "string"
- }
- },
- "type": "object"
- },
- "serviceAccount": {
- "properties": {
- "annotations": {
- "properties": {},
- "type": "object"
- },
- "automount": {
- "type": "boolean"
- },
- "create": {
- "type": "boolean"
- },
- "extraLabels": {
- "properties": {},
- "type": "object"
- },
- "name": {
- "type": "string"
- }
- },
- "type": "object"
- },
- "serviceMonitor": {
- "properties": {
- "additionalLabels": {
- "properties": {},
- "type": "object"
- },
- "enabled": {
- "type": "boolean"
- },
- "honorLabels": {
- "type": "boolean"
- },
- "interval": {
- "type": "string"
- },
- "metricRelabelings": {
- "type": "array"
- },
- "namespace": {
- "type": "string"
- },
- "relabelings": {
- "type": "array"
- },
- "scrapeTimeout": {
- "type": "string"
- }
- },
- "type": "object"
- },
- "tolerations": {
- "type": "array"
- },
- "topologySpreadConstraints": {
- "type": "array"
- },
- "webhook": {
- "properties": {
- "affinity": {
- "properties": {},
- "type": "object"
- },
- "annotations": {
- "properties": {},
- "type": "object"
- },
- "certCheckInterval": {
- "type": "string"
- },
- "certDir": {
- "type": "string"
- },
- "certManager": {
- "properties": {
- "addInjectorAnnotations": {
- "type": "boolean"
- },
- "cert": {
- "properties": {
- "annotations": {
- "properties": {},
- "type": "object"
- },
- "create": {
- "type": "boolean"
- },
- "duration": {
- "type": "string"
- },
- "issuerRef": {
- "properties": {
- "group": {
- "type": "string"
- },
- "kind": {
- "type": "string"
- },
- "name": {
- "type": "string"
- }
- },
- "type": "object"
- },
- "renewBefore": {
- "type": "string"
- },
- "revisionHistoryLimit": {
- "type": "integer"
- }
- },
- "type": "object"
- },
- "enabled": {
- "type": "boolean"
- }
- },
- "type": "object"
- },
- "create": {
- "type": "boolean"
- },
- "deploymentAnnotations": {
- "properties": {},
- "type": "object"
- },
- "extraArgs": {
- "properties": {},
- "type": "object"
- },
- "extraEnv": {
- "type": "array"
- },
- "extraVolumeMounts": {
- "type": "array"
- },
- "extraVolumes": {
- "type": "array"
- },
- "failurePolicy": {
- "type": "string"
- },
- "fullnameOverride": {
- "type": "string"
- },
- "hostNetwork": {
- "type": "boolean"
- },
- "image": {
- "properties": {
- "flavour": {
- "type": "string"
- },
- "pullPolicy": {
- "type": "string"
- },
- "repository": {
- "type": "string"
- },
- "tag": {
- "type": "string"
- }
- },
- "type": "object"
- },
- "imagePullSecrets": {
- "type": "array"
- },
- "log": {
- "properties": {
- "level": {
- "type": "string"
- },
- "timeEncoding": {
- "type": "string"
- }
- },
- "type": "object"
- },
- "lookaheadInterval": {
- "type": "string"
- },
- "metrics": {
- "properties": {
- "listen": {
- "properties": {
- "port": {
- "type": "integer"
- }
- },
- "type": "object"
- },
- "service": {
- "properties": {
- "annotations": {
- "properties": {},
- "type": "object"
- },
- "enabled": {
- "type": "boolean"
- },
- "port": {
- "type": "integer"
- }
- },
- "type": "object"
- }
- },
- "type": "object"
- },
- "nameOverride": {
- "type": "string"
- },
- "nodeSelector": {
- "properties": {},
- "type": "object"
- },
- "podAnnotations": {
- "properties": {},
- "type": "object"
- },
- "podDisruptionBudget": {
- "properties": {
- "enabled": {
- "type": "boolean"
- },
- "minAvailable": {
- "type": "integer"
- }
- },
- "type": "object"
- },
- "podLabels": {
- "properties": {},
- "type": "object"
- },
- "podSecurityContext": {
- "properties": {
- "enabled": {
- "type": "boolean"
- }
- },
- "type": "object"
- },
- "port": {
- "type": "integer"
- },
- "priorityClassName": {
- "type": "string"
- },
- "rbac": {
- "properties": {
- "create": {
- "type": "boolean"
- }
- },
- "type": "object"
- },
- "readinessProbe": {
- "properties": {
- "address": {
- "type": "string"
- },
- "port": {
- "type": "integer"
- }
- },
- "type": "object"
- },
- "replicaCount": {
- "type": "integer"
- },
- "resources": {
- "properties": {},
- "type": "object"
- },
- "revisionHistoryLimit": {
- "type": "integer"
- },
- "secretAnnotations": {
- "properties": {},
- "type": "object"
- },
- "securityContext": {
- "properties": {
- "allowPrivilegeEscalation": {
- "type": "boolean"
- },
- "capabilities": {
- "properties": {
- "drop": {
- "items": {
- "type": "string"
- },
- "type": "array"
- }
- },
- "type": "object"
- },
- "enabled": {
- "type": "boolean"
- },
- "readOnlyRootFilesystem": {
- "type": "boolean"
- },
- "runAsNonRoot": {
- "type": "boolean"
- },
- "runAsUser": {
- "type": "integer"
- },
- "seccompProfile": {
- "properties": {
- "type": {
- "type": "string"
- }
- },
- "type": "object"
- }
- },
- "type": "object"
- },
- "service": {
- "properties": {
- "annotations": {
- "properties": {},
- "type": "object"
- },
- "enabled": {
- "type": "boolean"
- },
- "labels": {
- "properties": {},
- "type": "object"
- },
- "loadBalancerIP": {
- "type": "string"
- },
- "type": {
- "type": "string"
- }
- },
- "type": "object"
- },
- "serviceAccount": {
- "properties": {
- "annotations": {
- "properties": {},
- "type": "object"
- },
- "automount": {
- "type": "boolean"
- },
- "create": {
- "type": "boolean"
- },
- "extraLabels": {
- "properties": {},
- "type": "object"
- },
- "name": {
- "type": "string"
- }
- },
- "type": "object"
- },
- "tolerations": {
- "type": "array"
- },
- "topologySpreadConstraints": {
- "type": "array"
- }
- },
- "type": "object"
- }
- },
- "type": "object"
-}
diff --git a/charts/external-secrets/values.yaml b/charts/external-secrets/values.yaml
index c8f003e..5b43357 100644
--- a/charts/external-secrets/values.yaml
+++ b/charts/external-secrets/values.yaml
@@ -1,35 +1,16 @@
-global:
- nodeSelector: {}
- tolerations: []
- topologySpreadConstraints: []
- affinity: {}
- compatibility:
- openshift:
- # -- Manages the securityContext properties to make them compatible with OpenShift.
- # Possible values:
- # auto - Apply configurations if it is detected that OpenShift is the target platform.
- # force - Always apply configurations.
- # disabled - No modification applied.
- adaptSecurityContext: auto
-
replicaCount: 1
-bitwarden-sdk-server:
- enabled: false
-
# -- Specifies the amount of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy)
revisionHistoryLimit: 10
image:
- repository: oci.external-secrets.io/external-secrets/external-secrets
+ repository: ghcr.io/external-secrets/external-secrets
pullPolicy: IfNotPresent
# -- The image tag to use. The default is the chart appVersion.
- tag: ""
- # -- The flavour of tag you want to use
# There are different image flavours available, like distroless and ubi.
# Please see GitHub release notes for image tags for these flavors.
- # By default, the distroless image is used.
- flavour: ""
+ # By default the distroless image is used.
+ tag: ""
# -- If set, install and upgrade CRDs through helm chart.
installCRDs: true
@@ -39,21 +20,15 @@ crds:
createClusterExternalSecret: true
# -- If true, create CRDs for Cluster Secret Store.
createClusterSecretStore: true
- # -- If true, create CRDs for Cluster Generator.
- createClusterGenerator: true
- # -- If true, create CRDs for Cluster Push Secret.
- createClusterPushSecret: true
# -- If true, create CRDs for Push Secret.
createPushSecret: true
annotations: {}
conversion:
- # -- Conversion is disabled by default as we stopped supporting v1alpha1.
- enabled: false
+ enabled: true
imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""
-namespaceOverride: ""
# -- Additional labels added to all helm chart resources.
commonLabels: {}
@@ -78,15 +53,9 @@ scopedNamespace: ""
# and implicitly disable cluster stores and cluster external secrets
scopedRBAC: false
-# -- If true the OpenShift finalizer permissions will be added to RBAC
-openshiftFinalizers: true
-
# -- if true, the operator will process cluster external secret. Else, it will ignore them.
processClusterExternalSecret: true
-# -- if true, the operator will process cluster push secret. Else, it will ignore them.
-processClusterPushSecret: true
-
# -- if true, the operator will process cluster store. Else, it will ignore them.
processClusterStore: true
@@ -99,15 +68,6 @@ createOperator: true
# -- Specifies the number of concurrent ExternalSecret Reconciles external-secret executes at
# a time.
concurrent: 1
-# -- Specifices Log Params to the External Secrets Operator
-log:
- level: info
- timeEncoding: epoch
-service:
- # -- Set the ip family policy to configure dual-stack see [Configure dual-stack](https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services)
- ipFamilyPolicy: ""
- # -- Sets the families that should be supported and the order in which they should be applied to ClusterIP as well. Can be IPv4 and/or IPv6.
- ipFamilies: []
serviceAccount:
# -- Specifies whether a service account should be created.
@@ -130,12 +90,6 @@ rbac:
# -- Specifies whether a clusterrole to give servicebindings read access should be created.
create: true
- # -- Specifies whether permissions are aggregated to the view ClusterRole
- aggregateToView: true
-
- # -- Specifies whether permissions are aggregated to the edit ClusterRole
- aggregateToEdit: true
-
## -- Extra environment variables to add to container.
extraEnv: []
@@ -145,9 +99,6 @@ extraArgs: {}
## -- Extra volumes to pass to pod.
extraVolumes: []
-## -- Extra Kubernetes objects to deploy with the helm chart
-extraObjects: []
-
## -- Extra volumes to mount to the container.
extraVolumeMounts: []
@@ -162,8 +113,7 @@ podAnnotations: {}
podLabels: {}
-podSecurityContext:
- enabled: true
+podSecurityContext: {}
# fsGroup: 2000
securityContext:
@@ -171,7 +121,6 @@ securityContext:
capabilities:
drop:
- ALL
- enabled: true
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
@@ -235,21 +184,6 @@ metrics:
# -- Additional service annotations
annotations: {}
-grafanaDashboard:
- # -- If true creates a Grafana dashboard.
- enabled: false
-
- # -- Label that ConfigMaps should have to be loaded as dashboards.
- sidecarLabel: "grafana_dashboard"
-
- # -- Label value that ConfigMaps should have to be loaded as dashboards.
- sidecarLabelValue: "1"
-
- # -- Annotations that ConfigMaps can have to get configured in Grafana,
- # See: sidecar.dashboards.folderAnnotation for specifying the dashboard folder.
- # https://github.com/grafana/helm-charts/tree/main/charts/grafana
- annotations: {}
-
nodeSelector: {}
tolerations: []
@@ -271,19 +205,14 @@ podDisruptionBudget:
hostNetwork: false
webhook:
- # -- Annotations to place on validating webhook configuration.
- annotations: {}
- # -- Specifies whether a webhook deployment be created. If set to false, crds.conversion.enabled should also be set to false otherwise the kubeapi will be hammered because the conversion is looking for a webhook endpoint.
+ # -- Specifies whether a webhook deployment be created.
create: true
# -- Specifices the time to check if the cert is valid
certCheckInterval: "5m"
# -- Specifices the lookaheadInterval for certificate validity
lookaheadInterval: ""
replicaCount: 1
- # -- Specifices Log Params to the Webhook
- log:
- level: info
- timeEncoding: epoch
+
# -- Specifies the amount of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy)
revisionHistoryLimit: 10
@@ -293,12 +222,10 @@ webhook:
# -- Specifies if webhook pod should use hostNetwork or not.
hostNetwork: false
image:
- repository: oci.external-secrets.io/external-secrets/external-secrets
+ repository: ghcr.io/external-secrets/external-secrets
pullPolicy: IfNotPresent
- # -- The image tag to use. The default is the chart appVersion.
+ # -- The image tag to use. The default is the chart appVersion.
tag: ""
- # -- The flavour of tag you want to use
- flavour: ""
imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""
@@ -344,12 +271,7 @@ webhook:
name: "my-issuer"
# -- Set the requested duration (i.e. lifetime) of the Certificate. See
# https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec
- # One year by default.
- duration: "8760h"
- # -- Set the revisionHistoryLimit on the Certificate. See
- # https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec
- # Defaults to 0 (ignored).
- revisionHistoryLimit: 0
+ duration: ""
# -- How long before the currently issued certificate’s expiry
# cert-manager should renew the certificate. See
# https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec
@@ -421,8 +343,7 @@ webhook:
podLabels: {}
- podSecurityContext:
- enabled: true
+ podSecurityContext: {}
# fsGroup: 2000
securityContext:
@@ -430,7 +351,6 @@ webhook:
capabilities:
drop:
- ALL
- enabled: true
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
@@ -442,37 +362,19 @@ webhook:
# cpu: 10m
# memory: 32Mi
- # -- Manage the service through which the webhook is reached.
- service:
- # -- Whether the service object should be enabled or not (it is expected to exist).
- enabled: true
- # -- Custom annotations for the webhook service.
- annotations: {}
- # -- Custom labels for the webhook service.
- labels: {}
- # -- The service type of the webhook service.
- type: ClusterIP
- # -- If the webhook service type is LoadBalancer, you can assign a specific load balancer IP here.
- # Check the documentation of your load balancer provider to see if/how this should be used.
- loadBalancerIP: ""
-
certController:
# -- Specifies whether a certificate controller deployment be created.
create: true
requeueInterval: "5m"
replicaCount: 1
- # -- Specifices Log Params to the Certificate Controller
- log:
- level: info
- timeEncoding: epoch
+
# -- Specifies the amount of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy)
revisionHistoryLimit: 10
image:
- repository: oci.external-secrets.io/external-secrets/external-secrets
+ repository: ghcr.io/external-secrets/external-secrets
pullPolicy: IfNotPresent
tag: ""
- flavour: ""
imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""
@@ -553,8 +455,7 @@ certController:
podLabels: {}
- podSecurityContext:
- enabled: true
+ podSecurityContext: {}
# fsGroup: 2000
securityContext:
@@ -562,7 +463,6 @@ certController:
capabilities:
drop:
- ALL
- enabled: true
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
@@ -574,9 +474,6 @@ certController:
# cpu: 10m
# memory: 32Mi
-# -- Specifies `dnsPolicy` to deployment
-dnsPolicy: ClusterFirst
-
# -- Specifies `dnsOptions` to deployment
dnsConfig: {}
diff --git a/manifests/external-secrets/values.yaml b/manifests/external-secrets/values.yaml
index d4411b8..0ca6d7c 100644
--- a/manifests/external-secrets/values.yaml
+++ b/manifests/external-secrets/values.yaml
@@ -1,16 +1,16 @@
+installCRDs: true
+
image:
repository: ghcr.io/external-secrets/external-secrets
tag: v0.9.19
pullPolicy: IfNotPresent
-
-installCRDs: true
+ flavour: default
webhook:
enabled: true
image:
repository: ghcr.io/external-secrets/external-secrets
tag: v0.9.19
- pullPolicy: IfNotPresent
flavour: webhook
certController:
@@ -18,8 +18,4 @@ certController:
image:
repository: ghcr.io/external-secrets/external-secrets
tag: v0.9.19
- pullPolicy: IfNotPresent
flavour: cert-controller
-
-serviceAccount:
- create: true
diff --git a/values.yaml b/values.yaml
new file mode 100644
index 0000000..d4411b8
--- /dev/null
+++ b/values.yaml
@@ -0,0 +1,25 @@
+image:
+ repository: ghcr.io/external-secrets/external-secrets
+ tag: v0.9.19
+ pullPolicy: IfNotPresent
+
+installCRDs: true
+
+webhook:
+ enabled: true
+ image:
+ repository: ghcr.io/external-secrets/external-secrets
+ tag: v0.9.19
+ pullPolicy: IfNotPresent
+ flavour: webhook
+
+certController:
+ enabled: true
+ image:
+ repository: ghcr.io/external-secrets/external-secrets
+ tag: v0.9.19
+ pullPolicy: IfNotPresent
+ flavour: cert-controller
+
+serviceAccount:
+ create: true