fd53e76247
Co-authored-by: Sebastián Gómez <sebastiangomezcorrea@gmail.com> Co-authored-by: Lucas Severo <lucassalves65@gmail.com> Co-authored-by: Joey Brayshaw <joeybrayshaw@gmail.com> Co-authored-by: Elsa Chelala <elsachelala@gmail.com> Co-authored-by: choilmto <choilmto@gmail.com> Co-authored-by: Adrian Mouat <adrian.mouat@gmail.com> Co-authored-by: ricardoptcosta <ricardoptcosta@gmail.com> Co-authored-by: Gabi Beyer <Gabrielle.Beyer@container-solutions.com> Co-authored-by: Tomasz Tarczynski <ttarczynski@users.noreply.github.com> Co-authored-by: Mircea Cosbuc <mircea.cosbuc@container-solutions.com>
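---
# CustomResourceDefinition for ClusterSecretStore (group external-secrets.io,
# version v1alpha1), generated by controller-gen (version recorded in the
# annotation below). The openAPIV3Schema is what the API server enforces on
# admission: exactly one provider block per store, and the shape of the
# credential references (Secret name/key/namespace) each provider expects.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.5.0
  creationTimestamp: null
  name: clustersecretstores.external-secrets.io
spec:
  group: external-secrets.io
  names:
    categories:
      - externalsecrets
    kind: ClusterSecretStore
    listKind: ClusterSecretStoreList
    plural: clustersecretstores
    shortNames:
      - css
    singular: clustersecretstore
  # Cluster-scoped: the store has no namespace of its own, so the credential
  # Secrets it points at are located through the `namespace` field of each
  # secretRef below (the field descriptions say that field is honoured only
  # for cluster-scoped referents such as this one).
  scope: Cluster
  versions:
    - additionalPrinterColumns:
        - jsonPath: .metadata.creationTimestamp
          name: AGE
          type: date
      name: v1alpha1
      schema:
        openAPIV3Schema:
          description: ClusterSecretStore represents a secure external location for
            storing secrets, which can be referenced as part of `storeRef` fields.
          properties:
            apiVersion:
              description: 'APIVersion defines the versioned schema of this representation
                of an object. Servers should convert recognized schemas to the latest
                internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
              type: string
            kind:
              description: 'Kind is a string value representing the REST resource this
                object represents. Servers may infer this from the endpoint the client
                submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
              type: string
            metadata:
              type: object
            spec:
              description: SecretStoreSpec defines the desired state of SecretStore.
              properties:
                controller:
                  description: 'Used to select the correct KES controller (think: ingress.ingressClassName)
                    The KES controller is instantiated with a specific controller name
                    and filters ES based on this property'
                  type: string
                provider:
                  description: Used to configure the provider. Only one provider may
                    be set
                  # minProperties and maxProperties together make "exactly one
                  # provider" a validation error at admission rather than a
                  # runtime decision in the controller.
                  maxProperties: 1
                  minProperties: 1
                  properties:
                    aws:
                      description: AWS configures this store to sync secrets using AWS
                        Secret Manager provider
                      properties:
                        auth:
                          description: 'Auth defines the information necessary to authenticate
                            against AWS if not set aws sdk will infer credentials from
                            your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
                          # `auth` is nullable and not listed in aws.required, so it may
                          # be omitted entirely; per the description the SDK then infers
                          # ambient credentials from the controller's environment.
                          nullable: true
                          properties:
                            secretRef:
                              description: AWSAuthSecretRef holds secret references
                                for aws credentials both AccessKeyID and SecretAccessKey
                                must be defined in order to properly authenticate.
                              # NOTE(review): the description says both refs must be set,
                              # but this object carries no `required` list, so the schema
                              # accepts either one alone; enforcement is left to the controller.
                              properties:
                                accessKeyIDSecretRef:
                                  description: The AccessKeyID is used for authentication
                                  properties:
                                    key:
                                      description: The key of the entry in the Secret
                                        resource's `data` field to be used. Some instances
                                        of this field may be defaulted, in others it
                                        may be required.
                                      type: string
                                    name:
                                      description: The name of the Secret resource being
                                        referred to.
                                      type: string
                                    namespace:
                                      description: Namespace of the resource being referred
                                        to. Ignored if referent is not cluster-scoped.
                                        cluster-scoped defaults to the namespace of
                                        the referent.
                                      type: string
                                  required:
                                    - name
                                  type: object
                                secretAccessKeySecretRef:
                                  description: The SecretAccessKey is used for authentication
                                  properties:
                                    key:
                                      description: The key of the entry in the Secret
                                        resource's `data` field to be used. Some instances
                                        of this field may be defaulted, in others it
                                        may be required.
                                      type: string
                                    name:
                                      description: The name of the Secret resource being
                                        referred to.
                                      type: string
                                    namespace:
                                      description: Namespace of the resource being referred
                                        to. Ignored if referent is not cluster-scoped.
                                        cluster-scoped defaults to the namespace of
                                        the referent.
                                      type: string
                                  required:
                                    - name
                                  type: object
                              type: object
                          required:
                            - secretRef
                          type: object
                        region:
                          description: AWS Region to be used for the provider
                          type: string
                        role:
                          description: Role is a Role ARN which the SecretManager provider
                            will assume
                          type: string
                        service:
                          description: Service defines which service should be used
                            to fetch the secrets
                          enum:
                            - SecretsManager
                            - ParameterStore
                          type: string
                      required:
                        - region
                        - service
                      type: object
                    azurekv:
                      description: AzureKV configures this store to sync secrets using
                        Azure Key Vault provider
                      properties:
                        authSecretRef:
                          description: Auth configures how the operator authenticates
                            with Azure.
                          properties:
                            clientId:
                              description: The Azure clientId of the service principle
                                used for authentication.
                              properties:
                                key:
                                  description: The key of the entry in the Secret resource's
                                    `data` field to be used. Some instances of this
                                    field may be defaulted, in others it may be required.
                                  type: string
                                name:
                                  description: The name of the Secret resource being
                                    referred to.
                                  type: string
                                namespace:
                                  description: Namespace of the resource being referred
                                    to. Ignored if referent is not cluster-scoped. cluster-scoped
                                    defaults to the namespace of the referent.
                                  type: string
                              required:
                                - name
                              type: object
                            clientSecret:
                              description: The Azure ClientSecret of the service principle
                                used for authentication.
                              properties:
                                key:
                                  description: The key of the entry in the Secret resource's
                                    `data` field to be used. Some instances of this
                                    field may be defaulted, in others it may be required.
                                  type: string
                                name:
                                  description: The name of the Secret resource being
                                    referred to.
                                  type: string
                                namespace:
                                  description: Namespace of the resource being referred
                                    to. Ignored if referent is not cluster-scoped. cluster-scoped
                                    defaults to the namespace of the referent.
                                  type: string
                              required:
                                - name
                              type: object
                          required:
                            - clientId
                            - clientSecret
                          type: object
                        tenantId:
                          description: TenantID configures the Azure Tenant to send
                            requests to.
                          type: string
                        vaultUrl:
                          description: Vault Url from which the secrets to be fetched
                            from.
                          type: string
                      required:
                        - authSecretRef
                        - tenantId
                        - vaultUrl
                      type: object
                    gcpsm:
                      description: GCPSM configures this store to sync secrets using
                        Google Cloud Platform Secret Manager provider
                      properties:
                        auth:
                          description: Auth defines the information necessary to authenticate
                            against GCP
                          properties:
                            secretRef:
                              properties:
                                # NOTE(review): the description below reads like the AWS
                                # field's; what this key actually holds for GCP is not
                                # stated here — confirm against the Go type.
                                secretAccessKeySecretRef:
                                  description: The SecretAccessKey is used for authentication
                                  properties:
                                    key:
                                      description: The key of the entry in the Secret
                                        resource's `data` field to be used. Some instances
                                        of this field may be defaulted, in others it
                                        may be required.
                                      type: string
                                    name:
                                      description: The name of the Secret resource being
                                        referred to.
                                      type: string
                                    namespace:
                                      description: Namespace of the resource being referred
                                        to. Ignored if referent is not cluster-scoped.
                                        cluster-scoped defaults to the namespace of
                                        the referent.
                                      type: string
                                  required:
                                    - name
                                  type: object
                              type: object
                          required:
                            - secretRef
                          type: object
                        projectID:
                          description: ProjectID project where secret is located
                          type: string
                      required:
                        - auth
                      type: object
                    ibm:
                      description: IBM configures this store to sync secrets using IBM
                        Cloud provider
                      properties:
                        auth:
                          description: Auth configures how secret-manager authenticates
                            with the IBM secrets manager.
                          properties:
                            secretRef:
                              properties:
                                # NOTE(review): same copied-looking description as the
                                # GCP field; the field name suggests an IBM API key —
                                # confirm against the Go type.
                                secretApiKeySecretRef:
                                  description: The SecretAccessKey is used for authentication
                                  properties:
                                    key:
                                      description: The key of the entry in the Secret
                                        resource's `data` field to be used. Some instances
                                        of this field may be defaulted, in others it
                                        may be required.
                                      type: string
                                    name:
                                      description: The name of the Secret resource being
                                        referred to.
                                      type: string
                                    namespace:
                                      description: Namespace of the resource being referred
                                        to. Ignored if referent is not cluster-scoped.
                                        cluster-scoped defaults to the namespace of
                                        the referent.
                                      type: string
                                  required:
                                    - name
                                  type: object
                              type: object
                          required:
                            - secretRef
                          type: object
                        serviceUrl:
                          description: ServiceURL is the Endpoint URL that is specific
                            to the Secrets Manager service instance
                          type: string
                      required:
                        - auth
                      type: object
                    vault:
                      description: Vault configures this store to sync secrets using
                        Hashi provider
                      properties:
                        auth:
                          description: Auth configures how secret-manager authenticates
                            with the Vault server.
                          # NOTE(review): unlike `provider`, this object has no
                          # minProperties/maxProperties and no `required` list, so the
                          # schema accepts zero or several auth methods at once; which
                          # one is used is decided by the controller, not validated here.
                          properties:
                            appRole:
                              description: AppRole authenticates with Vault using the
                                App Role auth mechanism, with the role and secret stored
                                in a Kubernetes Secret resource.
                              properties:
                                path:
                                  default: approle
                                  description: 'Path where the App Role authentication
                                    backend is mounted in Vault, e.g: "approle"'
                                  type: string
                                roleId:
                                  description: RoleID configured in the App Role authentication
                                    backend when setting up the authentication backend
                                    in Vault.
                                  type: string
                                secretRef:
                                  description: Reference to a key in a Secret that contains
                                    the App Role secret used to authenticate with Vault.
                                    The `key` field must be specified and denotes which
                                    entry within the Secret resource is used as the
                                    app role secret.
                                  properties:
                                    key:
                                      description: The key of the entry in the Secret
                                        resource's `data` field to be used. Some instances
                                        of this field may be defaulted, in others it
                                        may be required.
                                      type: string
                                    name:
                                      description: The name of the Secret resource being
                                        referred to.
                                      type: string
                                    namespace:
                                      description: Namespace of the resource being referred
                                        to. Ignored if referent is not cluster-scoped.
                                        cluster-scoped defaults to the namespace of
                                        the referent.
                                      type: string
                                  # The description says `key` must be specified, but only
                                  # `name` is required by the schema.
                                  required:
                                    - name
                                  type: object
                              required:
                                - path
                                - roleId
                                - secretRef
                              type: object
                            jwt:
                              description: Jwt authenticates with Vault by passing role
                                and JWT token using the JWT/OIDC authentication method
                              properties:
                                role:
                                  description: Role is a JWT role to authenticate using
                                    the JWT/OIDC Vault authentication method
                                  type: string
                                secretRef:
                                  description: SecretRef to a key in a Secret resource
                                    containing JWT token to authenticate with Vault
                                    using the JWT/OIDC authentication method
                                  properties:
                                    key:
                                      description: The key of the entry in the Secret
                                        resource's `data` field to be used. Some instances
                                        of this field may be defaulted, in others it
                                        may be required.
                                      type: string
                                    name:
                                      description: The name of the Secret resource being
                                        referred to.
                                      type: string
                                    namespace:
                                      description: Namespace of the resource being referred
                                        to. Ignored if referent is not cluster-scoped.
                                        cluster-scoped defaults to the namespace of
                                        the referent.
                                      type: string
                                  required:
                                    - name
                                  type: object
                              type: object
                            kubernetes:
                              description: Kubernetes authenticates with Vault by passing
                                the ServiceAccount token stored in the named Secret
                                resource to the Vault server.
                              properties:
                                mountPath:
                                  default: kubernetes
                                  description: 'Path where the Kubernetes authentication
                                    backend is mounted in Vault, e.g: "kubernetes"'
                                  type: string
                                role:
                                  description: A required field containing the Vault
                                    Role to assume. A Role binds a Kubernetes ServiceAccount
                                    with a set of Vault policies.
                                  type: string
                                # Per the description, leaving both secretRef and
                                # serviceAccountRef unset means the controller's own
                                # ServiceAccount token is presented to Vault — a store
                                # then authenticates with the controller's identity.
                                secretRef:
                                  description: Optional secret field containing a Kubernetes
                                    ServiceAccount JWT used for authenticating with
                                    Vault. If a name is specified without a key, `token`
                                    is the default. If one is not specified, the one
                                    bound to the controller will be used.
                                  properties:
                                    key:
                                      description: The key of the entry in the Secret
                                        resource's `data` field to be used. Some instances
                                        of this field may be defaulted, in others it
                                        may be required.
                                      type: string
                                    name:
                                      description: The name of the Secret resource being
                                        referred to.
                                      type: string
                                    namespace:
                                      description: Namespace of the resource being referred
                                        to. Ignored if referent is not cluster-scoped.
                                        cluster-scoped defaults to the namespace of
                                        the referent.
                                      type: string
                                  required:
                                    - name
                                  type: object
                                serviceAccountRef:
                                  description: Optional service account field containing
                                    the name of a kubernetes ServiceAccount. If the
                                    service account is specified, the service account
                                    secret token JWT will be used for authenticating
                                    with Vault. If the service account selector is not
                                    supplied, the secretRef will be used instead.
                                  properties:
                                    name:
                                      description: The name of the ServiceAccount resource
                                        being referred to.
                                      type: string
                                    namespace:
                                      description: Namespace of the resource being referred
                                        to. Ignored if referent is not cluster-scoped.
                                        cluster-scoped defaults to the namespace of
                                        the referent.
                                      type: string
                                  required:
                                    - name
                                  type: object
                              required:
                                - mountPath
                                - role
                              type: object
                            ldap:
                              description: Ldap authenticates with Vault by passing
                                username/password pair using the LDAP authentication
                                method
                              properties:
                                secretRef:
                                  description: SecretRef to a key in a Secret resource
                                    containing password for the LDAP user used to authenticate
                                    with Vault using the LDAP authentication method
                                  properties:
                                    key:
                                      description: The key of the entry in the Secret
                                        resource's `data` field to be used. Some instances
                                        of this field may be defaulted, in others it
                                        may be required.
                                      type: string
                                    name:
                                      description: The name of the Secret resource being
                                        referred to.
                                      type: string
                                    namespace:
                                      description: Namespace of the resource being referred
                                        to. Ignored if referent is not cluster-scoped.
                                        cluster-scoped defaults to the namespace of
                                        the referent.
                                      type: string
                                  required:
                                    - name
                                  type: object
                                username:
                                  description: Username is a LDAP user name used to
                                    authenticate using the LDAP Vault authentication
                                    method
                                  type: string
                              # Only `username` is required; the password secretRef is
                              # optional as far as the schema is concerned.
                              required:
                                - username
                              type: object
                            tokenSecretRef:
                              description: TokenSecretRef authenticates with Vault by
                                presenting a token.
                              properties:
                                key:
                                  description: The key of the entry in the Secret resource's
                                    `data` field to be used. Some instances of this
                                    field may be defaulted, in others it may be required.
                                  type: string
                                name:
                                  description: The name of the Secret resource being
                                    referred to.
                                  type: string
                                namespace:
                                  description: Namespace of the resource being referred
                                    to. Ignored if referent is not cluster-scoped. cluster-scoped
                                    defaults to the namespace of the referent.
                                  type: string
                              required:
                                - name
                              type: object
                          type: object
                        # `format: byte` is OpenAPI's base64 encoding, so the PEM bundle
                        # is supplied base64-encoded, not as raw PEM text.
                        caBundle:
                          description: PEM encoded CA bundle used to validate Vault
                            server certificate. Only used if the Server URL is using
                            HTTPS protocol. This parameter is ignored for plain HTTP
                            protocol connection. If not set the system root certificates
                            are used to validate the TLS connection.
                          format: byte
                          type: string
                        namespace:
                          description: 'Name of the vault namespace. Namespaces is a
                            set of features within Vault Enterprise that allows Vault
                            environments to support Secure Multi-tenancy. e.g: "ns1".
                            More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
                          type: string
                        path:
                          description: 'Path is the mount path of the Vault KV backend
                            endpoint, e.g: "secret". The v2 KV secret engine version
                            specific "/data" path suffix for fetching secrets from Vault
                            is optional and will be appended if not present in specified
                            path.'
                          type: string
                        # NOTE(review): `server` is a bare string with no pattern, so a
                        # plain-HTTP URL passes validation; per the caBundle description
                        # the CA bundle is then ignored and the token/credentials travel
                        # without TLS. Rejecting non-https servers would have to happen
                        # in the controller or via policy.
                        server:
                          description: 'Server is the connection address for the Vault
                            server, e.g: "https://vault.example.com:8200".'
                          type: string
                        version:
                          default: v2
                          description: Version is the Vault KV secret engine version.
                            This can be either "v1" or "v2". Version defaults to "v2".
                          enum:
                            - v1
                            - v2
                          type: string
                      required:
                        - auth
                        - path
                        - server
                      type: object
                  type: object
              required:
                - provider
              type: object
            status:
              description: SecretStoreStatus defines the observed state of the SecretStore.
              properties:
                conditions:
                  items:
                    properties:
                      lastTransitionTime:
                        format: date-time
                        type: string
                      message:
                        type: string
                      reason:
                        type: string
                      status:
                        type: string
                      type:
                        type: string
                    required:
                      - status
                      - type
                    type: object
                  type: array
              type: object
          type: object
      served: true
      storage: true
      subresources:
        # Enables the /status subresource so status writes are separated from spec writes.
        status: {}
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []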
|