external-secrets/docs/api/spec.md at 388158a4d47bf07969092c7ee4c5c49fd43ee98b

mirror of https://github.com/external-secrets/external-secrets.git synced 2024-12-15 17:51:01 +00:00

* fix: issues with generators

Signed-off-by: Mathew Wicks <5735406+thesuperzapper@users.noreply.github.com>

* fix generator RBAC permissions for controller

Signed-off-by: Mathew Wicks <5735406+thesuperzapper@users.noreply.github.com>

* fix docs for UUID generator

Signed-off-by: Mathew Wicks <5735406+thesuperzapper@users.noreply.github.com>

* update tilt to 0.33.10

Signed-off-by: Mathew Wicks <5735406+thesuperzapper@users.noreply.github.com>

* explicitly specify generator RBAC roles

Signed-off-by: Mathew Wicks <5735406+thesuperzapper@users.noreply.github.com>

* update helm test with new entries

Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>

---------

Signed-off-by: Mathew Wicks <5735406+thesuperzapper@users.noreply.github.com>
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
Co-authored-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>

2024-12-01 08:52:39 +01:00

179 KiB

Raw Blame History

Packages:

external-secrets.io/v1beta1

external-secrets.io/v1beta1

Package v1beta1 contains resources for external-secrets

Resource Types:

AWSAuth

(Appears on: AWSProvider)

AWSAuth tells the controller how to do authentication with aws. Only one of secretRef or jwt can be specified. if none is specified the controller will load credentials using the aws sdk defaults.

Field	Description
`secretRef` AWSAuthSecretRef	(Optional)
`jwt` AWSJWTAuth	(Optional)

AWSAuthSecretRef

(Appears on: AWSAuth)

AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.

Field	Description
`accessKeyIDSecretRef` External Secrets meta/v1.SecretKeySelector	The AccessKeyID is used for authentication
`secretAccessKeySecretRef` External Secrets meta/v1.SecretKeySelector	The SecretAccessKey is used for authentication
`sessionTokenSecretRef` External Secrets meta/v1.SecretKeySelector	The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html

AWSJWTAuth

(Appears on: AWSAuth)

Authenticate against AWS using service account tokens.

Field	Description
`serviceAccountRef` External Secrets meta/v1.ServiceAccountSelector

AWSProvider

(Appears on: SecretStoreProvider)

AWSProvider configures a store to sync secrets with AWS.

Field	Description
`service` AWSServiceType	Service defines which service should be used to fetch the secrets
`auth` AWSAuth	(Optional) Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
`role` string	(Optional) Role is a Role ARN which the provider will assume
`region` string	AWS Region to be used for the provider
`additionalRoles` []string	(Optional) AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role
`externalID` string	AWS External ID set on assumed IAM roles
`sessionTags` []github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1.Tag*	(Optional) AWS STS assume role session tags
`secretsManager` SecretsManager	(Optional) SecretsManager defines how the provider behaves when interacting with AWS SecretsManager
`transitiveTagKeys` []string*	(Optional) AWS STS assume role transitive session tags. Required when multiple rules are used with the provider
`prefix` string	(Optional) Prefix adds a prefix to all retrieved values.

AWSServiceType (`string` alias)

(Appears on: AWSProvider)

AWSServiceType is a enum that defines the service/API that is used to fetch the secrets.

Value	Description
"ParameterStore"	AWSServiceParameterStore is the AWS SystemsManager ParameterStore service. see: https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html
"SecretsManager"	AWSServiceSecretsManager is the AWS SecretsManager service. see: https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html

AkeylessAuth

(Appears on: AkeylessProvider)

Field	Description
`secretRef` AkeylessAuthSecretRef	(Optional) Reference to a Secret that contains the details to authenticate with Akeyless.
`kubernetesAuth` AkeylessKubernetesAuth	(Optional) Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource.

AkeylessAuthSecretRef

(Appears on: AkeylessAuth)

AkeylessAuthSecretRef AKEYLESS_ACCESS_TYPE_PARAM: AZURE_OBJ_ID OR GCP_AUDIENCE OR ACCESS_KEY OR KUB_CONFIG_NAME.

Field	Description
`accessID` External Secrets meta/v1.SecretKeySelector	The SecretAccessID is used for authentication
`accessType` External Secrets meta/v1.SecretKeySelector
`accessTypeParam` External Secrets meta/v1.SecretKeySelector

AkeylessKubernetesAuth

(Appears on: AkeylessAuth)

Authenticate with Kubernetes ServiceAccount token stored.

Field	Description
`accessID` string	the Akeyless Kubernetes auth-method access-id
`k8sConfName` string	Kubernetes-auth configuration name in Akeyless-Gateway
`serviceAccountRef` External Secrets meta/v1.ServiceAccountSelector	(Optional) Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead.
`secretRef` External Secrets meta/v1.SecretKeySelector	(Optional) Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used.

AkeylessProvider

(Appears on: SecretStoreProvider)

AkeylessProvider Configures an store to sync secrets using Akeyless KV.

Field	Description
`akeylessGWApiURL` string	Akeyless GW API Url from which the secrets to be fetched from.
`authSecretRef` AkeylessAuth	Auth configures how the operator authenticates with Akeyless.
`caBundle` []byte	(Optional) PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection.
`caProvider` CAProvider	(Optional) The provider for the CA bundle to use to validate Akeyless Gateway certificate.

AlibabaAuth

(Appears on: AlibabaProvider)

AlibabaAuth contains a secretRef for credentials.

Field	Description
`secretRef` AlibabaAuthSecretRef	(Optional)
`rrsa` AlibabaRRSAAuth	(Optional)

AlibabaAuthSecretRef

(Appears on: AlibabaAuth)

AlibabaAuthSecretRef holds secret references for Alibaba credentials.

Field	Description
`accessKeyIDSecretRef` External Secrets meta/v1.SecretKeySelector	The AccessKeyID is used for authentication
`accessKeySecretSecretRef` External Secrets meta/v1.SecretKeySelector	The AccessKeySecret is used for authentication

AlibabaProvider

(Appears on: SecretStoreProvider)

AlibabaProvider configures a store to sync secrets using the Alibaba Secret Manager provider.

Field	Description
`auth` AlibabaAuth
`regionID` string	Alibaba Region to be used for the provider

AlibabaRRSAAuth

(Appears on: AlibabaAuth)

Authenticate against Alibaba using RRSA.

Field	Description
`oidcProviderArn` string
`oidcTokenFilePath` string
`roleArn` string
`sessionName` string

AzureAuthType (`string` alias)

(Appears on: AzureKVProvider)

AuthType describes how to authenticate to the Azure Keyvault Only one of the following auth types may be specified. If none of the following auth type is specified, the default one is ServicePrincipal.

Value	Description
"ManagedIdentity"	Using Managed Identity to authenticate. Used with aad-pod-identity installed in the cluster.
"ServicePrincipal"	Using service principal to authenticate, which needs a tenantId, a clientId and a clientSecret.
"WorkloadIdentity"	Using Workload Identity service accounts to authenticate.

AzureEnvironmentType (`string` alias)

(Appears on: AzureKVProvider)

AzureEnvironmentType specifies the Azure cloud environment endpoints to use for connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud

Value	Description
"ChinaCloud"
"GermanCloud"
"PublicCloud"
"USGovernmentCloud"

AzureKVAuth

(Appears on: AzureKVProvider)

Configuration used to authenticate with Azure.

Field	Description
`clientId` External Secrets meta/v1.SecretKeySelector	(Optional) The Azure clientId of the service principle or managed identity used for authentication.
`tenantId` External Secrets meta/v1.SecretKeySelector	(Optional) The Azure tenantId of the managed identity used for authentication.
`clientSecret` External Secrets meta/v1.SecretKeySelector	(Optional) The Azure ClientSecret of the service principle used for authentication.
`clientCertificate` External Secrets meta/v1.SecretKeySelector	(Optional) The Azure ClientCertificate of the service principle used for authentication.

AzureKVProvider

(Appears on: SecretStoreProvider)

Configures an store to sync secrets using Azure KV.

Field	Description
`authType` AzureAuthType	(Optional) Auth type defines how to authenticate to the keyvault service. Valid values are: - “ServicePrincipal” (default): Using a service principal (tenantId, clientId, clientSecret) - “ManagedIdentity”: Using Managed Identity assigned to the pod (see aad-pod-identity)
`vaultUrl` string	Vault Url from which the secrets to be fetched from.
`tenantId` string	(Optional) TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
`environmentType` AzureEnvironmentType	EnvironmentType specifies the Azure cloud environment endpoints to use for connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
`authSecretRef` AzureKVAuth	(Optional) Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
`serviceAccountRef` External Secrets meta/v1.ServiceAccountSelector	(Optional) ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity.
`identityId` string	(Optional) If multiple Managed Identity is assigned to the pod, you can select the one to be used

BeyondTrustProviderSecretRef

(Appears on: BeyondtrustAuth)

Field	Description
`value` string	(Optional) Value can be specified directly to set a value without using a secret.
`secretRef` External Secrets meta/v1.SecretKeySelector	(Optional) SecretRef references a key in a secret that will be used as value.

BeyondtrustAuth

(Appears on: BeyondtrustProvider)

Configures a store to sync secrets using BeyondTrust Password Safe.

Field	Description
`apiKey` BeyondTrustProviderSecretRef	APIKey If not provided then ClientID/ClientSecret become required.
`clientId` BeyondTrustProviderSecretRef	ClientID is the API OAuth Client ID.
`clientSecret` BeyondTrustProviderSecretRef	ClientSecret is the API OAuth Client Secret.
`certificate` BeyondTrustProviderSecretRef	Certificate (cert.pem) for use when authenticating with an OAuth client Id using a Client Certificate.
`certificateKey` BeyondTrustProviderSecretRef	Certificate private key (key.pem). For use when authenticating with an OAuth client Id

BeyondtrustProvider

(Appears on: SecretStoreProvider)

Field	Description
`auth` BeyondtrustAuth	Auth configures how the operator authenticates with Beyondtrust.
`server` BeyondtrustServer	Auth configures how API server works.

BeyondtrustServer

(Appears on: BeyondtrustProvider)

Configures a store to sync secrets using BeyondTrust Password Safe.

Field	Description
`apiUrl` string
`retrievalType` string	The secret retrieval type. SECRET = Secrets Safe (credential, text, file). MANAGED_ACCOUNT = Password Safe account associated with a system.
`separator` string	A character that separates the folder names.
`verifyCA` bool
`clientTimeOutSeconds` int	Timeout specifies a time limit for requests made by this Client. The timeout includes connection time, any redirects, and reading the response body. Defaults to 45 seconds.

BitwardenSecretsManagerAuth

(Appears on: BitwardenSecretsManagerProvider)

BitwardenSecretsManagerAuth contains the ref to the secret that contains the machine account token.

Field	Description
`secretRef` BitwardenSecretsManagerSecretRef

BitwardenSecretsManagerProvider

(Appears on: SecretStoreProvider)

BitwardenSecretsManagerProvider configures a store to sync secrets with a Bitwarden Secrets Manager instance.

Field	Description
`apiURL` string
`identityURL` string
`bitwardenServerSDKURL` string
`caBundle` string	(Optional) Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack can be performed.
`caProvider` CAProvider	(Optional) see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider
`organizationID` string	OrganizationID determines which organization this secret store manages.
`projectID` string	ProjectID determines which project this secret store manages.
`auth` BitwardenSecretsManagerAuth	Auth configures how secret-manager authenticates with a bitwarden machine account instance. Make sure that the token being used has permissions on the given secret.

BitwardenSecretsManagerSecretRef

(Appears on: BitwardenSecretsManagerAuth)

BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance.

Field	Description
`credentials` External Secrets meta/v1.SecretKeySelector	AccessToken used for the bitwarden instance.

CAProvider

(Appears on: AkeylessProvider, BitwardenSecretsManagerProvider, ConjurProvider, KubernetesServer, VaultProvider)

Used to provide custom certificate authority (CA) certificates for a secret store. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate.

Field	Description
`type` CAProviderType	The type of provider to use such as “Secret”, or “ConfigMap”.
`name` string	The name of the object located at the provider type.
`key` string	The key where the CA certificate can be found in the Secret or ConfigMap.
`namespace` string	(Optional) The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore.

CAProviderType (`string` alias)

(Appears on: CAProvider)

Value	Description
"ConfigMap"
"Secret"

CertAuth

(Appears on: KubernetesAuth)

Field	Description
`clientCert` External Secrets meta/v1.SecretKeySelector
`clientKey` External Secrets meta/v1.SecretKeySelector

ChefAuth

(Appears on: ChefProvider)

ChefAuth contains a secretRef for credentials.

Field	Description
`secretRef` ChefAuthSecretRef

ChefAuthSecretRef

(Appears on: ChefAuth)

ChefAuthSecretRef holds secret references for chef server login credentials.

Field	Description
`privateKeySecretRef` External Secrets meta/v1.SecretKeySelector	SecretKey is the Signing Key in PEM format, used for authentication.

ChefProvider

(Appears on: SecretStoreProvider)

ChefProvider configures a store to sync secrets using basic chef server connection credentials.

Field	Description
`auth` ChefAuth	Auth defines the information necessary to authenticate against chef Server
`username` string	UserName should be the user ID on the chef server
`serverUrl` string	ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a “/”

ClusterExternalSecret

ClusterExternalSecret is the Schema for the clusterexternalsecrets API.

Field Description

metadata
Kubernetes meta/v1.ObjectMeta Refer to the Kubernetes API documentation for the fields of the metadata field.

spec
ClusterExternalSecretSpec

`externalSecretSpec` ExternalSecretSpec	The spec for the ExternalSecrets to be created
`externalSecretName` string	(Optional) The name of the external secrets to be created. Defaults to the name of the ClusterExternalSecret
`externalSecretMetadata` ExternalSecretMetadata	(Optional) The metadata of the external secrets to be created
`namespaceSelector` Kubernetes meta/v1.LabelSelector	(Optional) The labels to select by to find the Namespaces to create the ExternalSecrets in. Deprecated: Use NamespaceSelectors instead.
`namespaceSelectors` []k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector*	(Optional) A list of labels to select by to find the Namespaces to create the ExternalSecrets in. The selectors are ORed.
`namespaces` []string	(Optional) Choose namespaces by name. This field is ORed with anything that NamespaceSelectors ends up choosing.
`refreshTime` Kubernetes meta/v1.Duration	The time in which the controller should reconcile its objects and recheck namespaces for labels.

status
ClusterExternalSecretStatus

ClusterExternalSecretConditionType (`string` alias)

(Appears on: ClusterExternalSecretStatusCondition)

Value	Description
"Ready"

ClusterExternalSecretNamespaceFailure

(Appears on: ClusterExternalSecretStatus)

ClusterExternalSecretNamespaceFailure represents a failed namespace deployment and it’s reason.

Field	Description
`namespace` string	Namespace is the namespace that failed when trying to apply an ExternalSecret
`reason` string	(Optional) Reason is why the ExternalSecret failed to apply to the namespace

ClusterExternalSecretSpec

(Appears on: ClusterExternalSecret)

ClusterExternalSecretSpec defines the desired state of ClusterExternalSecret.

Field	Description
`externalSecretSpec` ExternalSecretSpec	The spec for the ExternalSecrets to be created
`externalSecretName` string	(Optional) The name of the external secrets to be created. Defaults to the name of the ClusterExternalSecret
`externalSecretMetadata` ExternalSecretMetadata	(Optional) The metadata of the external secrets to be created
`namespaceSelector` Kubernetes meta/v1.LabelSelector	(Optional) The labels to select by to find the Namespaces to create the ExternalSecrets in. Deprecated: Use NamespaceSelectors instead.
`namespaceSelectors` []k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector*	(Optional) A list of labels to select by to find the Namespaces to create the ExternalSecrets in. The selectors are ORed.
`namespaces` []string	(Optional) Choose namespaces by name. This field is ORed with anything that NamespaceSelectors ends up choosing.
`refreshTime` Kubernetes meta/v1.Duration	The time in which the controller should reconcile its objects and recheck namespaces for labels.

ClusterExternalSecretStatus

(Appears on: ClusterExternalSecret)

ClusterExternalSecretStatus defines the observed state of ClusterExternalSecret.

Field	Description
`externalSecretName` string	ExternalSecretName is the name of the ExternalSecrets created by the ClusterExternalSecret
`failedNamespaces` []ClusterExternalSecretNamespaceFailure	(Optional) Failed namespaces are the namespaces that failed to apply an ExternalSecret
`provisionedNamespaces` []string	(Optional) ProvisionedNamespaces are the namespaces where the ClusterExternalSecret has secrets
`conditions` []ClusterExternalSecretStatusCondition	(Optional)

ClusterExternalSecretStatusCondition

(Appears on: ClusterExternalSecretStatus)

Field	Description
`type` ClusterExternalSecretConditionType
`status` Kubernetes core/v1.ConditionStatus
`message` string	(Optional)

ClusterSecretStore

ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of storeRef fields.

Field Description

metadata
Kubernetes meta/v1.ObjectMeta Refer to the Kubernetes API documentation for the fields of the metadata field.

spec
SecretStoreSpec

`controller` string	(Optional) Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property
`provider` SecretStoreProvider	Used to configure the provider. Only one provider may be set
`retrySettings` SecretStoreRetrySettings	(Optional) Used to configure http retries if failed
`refreshInterval` int	(Optional) Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config.
`conditions` []ClusterSecretStoreCondition	(Optional) Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore

status
SecretStoreStatus

ClusterSecretStoreCondition

(Appears on: SecretStoreSpec)

ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in for a ClusterSecretStore instance.

Field	Description
`namespaceSelector` Kubernetes meta/v1.LabelSelector	(Optional) Choose namespace using a labelSelector
`namespaces` []string	(Optional) Choose namespaces by name
`namespaceRegexes` []string	(Optional) Choose namespaces by using regex matching

ConjurAPIKey

(Appears on: ConjurAuth)

Field	Description
`account` string
`userRef` External Secrets meta/v1.SecretKeySelector
`apiKeyRef` External Secrets meta/v1.SecretKeySelector

ConjurAuth

(Appears on: ConjurProvider)

Field	Description
`apikey` ConjurAPIKey	(Optional)
`jwt` ConjurJWT	(Optional)

ConjurJWT

(Appears on: ConjurAuth)

Field	Description
`account` string
`serviceID` string	The conjur authn jwt webservice id
`hostId` string	(Optional) Optional HostID for JWT authentication. This may be used depending on how the Conjur JWT authenticator policy is configured.
`secretRef` External Secrets meta/v1.SecretKeySelector	(Optional) Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Conjur using the JWT authentication method.
`serviceAccountRef` External Secrets meta/v1.ServiceAccountSelector	(Optional) Optional ServiceAccountRef specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API.

ConjurProvider

(Appears on: SecretStoreProvider)

Field	Description
`url` string
`caBundle` string	(Optional)
`caProvider` CAProvider	(Optional)
`auth` ConjurAuth

DelineaProvider

(Appears on: SecretStoreProvider)

See https://github.com/DelineaXPM/dsv-sdk-go/blob/main/vault/vault.go.

Field	Description
`clientId` DelineaProviderSecretRef	ClientID is the non-secret part of the credential.
`clientSecret` DelineaProviderSecretRef	ClientSecret is the secret part of the credential.
`tenant` string	Tenant is the chosen hostname / site name.
`urlTemplate` string	(Optional) URLTemplate If unset, defaults to “https://%s.secretsvaultcloud.%s/v1/%s%s”.
`tld` string	(Optional) TLD is based on the server location that was chosen during provisioning. If unset, defaults to “com”.

DelineaProviderSecretRef

(Appears on: DelineaProvider)

Field	Description
`value` string	(Optional) Value can be specified directly to set a value without using a secret.
`secretRef` External Secrets meta/v1.SecretKeySelector	(Optional) SecretRef references a key in a secret that will be used as value.

Device42Auth

(Appears on: Device42Provider)

Field	Description
`secretRef` Device42SecretRef

Device42Provider

(Appears on: SecretStoreProvider)

Device42Provider configures a store to sync secrets with a Device42 instance.

Field	Description
`host` string	URL configures the Device42 instance URL.
`auth` Device42Auth	Auth configures how secret-manager authenticates with a Device42 instance.

Device42SecretRef

(Appears on: Device42Auth)

Field	Description
`credentials` External Secrets meta/v1.SecretKeySelector	(Optional) Username / Password is used for authentication.

DopplerAuth

(Appears on: DopplerProvider)

Field	Description
`secretRef` DopplerAuthSecretRef

DopplerAuthSecretRef

(Appears on: DopplerAuth)

Field	Description
`dopplerToken` External Secrets meta/v1.SecretKeySelector	The DopplerToken is used for authentication. See https://docs.doppler.com/reference/api#authentication for auth token types. The Key attribute defaults to dopplerToken if not specified.

DopplerProvider

(Appears on: SecretStoreProvider)

DopplerProvider configures a store to sync secrets using the Doppler provider. Project and Config are required if not using a Service Token.

Field	Description
`auth` DopplerAuth	Auth configures how the Operator authenticates with the Doppler API
`project` string	(Optional) Doppler project (required if not using a Service Token)
`config` string	(Optional) Doppler config (required if not using a Service Token)
`nameTransformer` string	(Optional) Environment variable compatible name transforms that change secret names to a different format
`format` string	(Optional) Format enables the downloading of secrets as a file (string)

ExternalSecret

ExternalSecret is the Schema for the external-secrets API.

Field Description

metadata
Kubernetes meta/v1.ObjectMeta Refer to the Kubernetes API documentation for the fields of the metadata field.

spec
ExternalSecretSpec

`secretStoreRef` SecretStoreRef	(Optional)
`target` ExternalSecretTarget	(Optional)
`refreshInterval` Kubernetes meta/v1.Duration	RefreshInterval is the amount of time before the values are read again from the SecretStore provider, specified as Golang Duration strings. Valid time units are “ns”, “us” (or “µs”), “ms”, “s”, “m”, “h” Example values: “1h”, “2h30m”, “5d”, “10s” May be set to zero to fetch and create it once. Defaults to 1h.
`data` []ExternalSecretData	(Optional) Data defines the connection between the Kubernetes Secret keys and the Provider data
`dataFrom` []ExternalSecretDataFromRemoteRef	(Optional) DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order

status
ExternalSecretStatus

ExternalSecretConditionType (`string` alias)

(Appears on: ExternalSecretStatusCondition)

Value	Description
"Deleted"
"Ready"

ExternalSecretConversionStrategy (`string` alias)

(Appears on: ExternalSecretDataRemoteRef, ExternalSecretFind)

Value	Description
"Default"
"Unicode"

ExternalSecretCreationPolicy (`string` alias)

(Appears on: ExternalSecretTarget)

ExternalSecretCreationPolicy defines rules on how to create the resulting Secret.

Value	Description
"Merge"	Merge does not create the Secret, but merges the data fields to the Secret.
"None"	None does not create a Secret (future use with injector).
"Orphan"	Orphan creates the Secret and does not set the ownerReference. I.e. it will be orphaned after the deletion of the ExternalSecret.
"Owner"	Owner creates the Secret and sets .metadata.ownerReferences to the ExternalSecret resource.

ExternalSecretData

(Appears on: ExternalSecretSpec)

ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data.

Field	Description
`secretKey` string	The key in the Kubernetes Secret to store the value.
`remoteRef` ExternalSecretDataRemoteRef	RemoteRef points to the remote secret and defines which secret (version/property/..) to fetch.
`sourceRef` StoreSourceRef	SourceRef allows you to override the source from which the value will be pulled.

ExternalSecretDataFromRemoteRef

(Appears on: ExternalSecretSpec)

Field	Description
`extract` ExternalSecretDataRemoteRef	(Optional) Used to extract multiple key/value pairs from one secret Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
`find` ExternalSecretFind	(Optional) Used to find secrets based on tags or regular expressions Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
`rewrite` []ExternalSecretRewrite	(Optional) Used to rewrite secret Keys after getting them from the secret Provider Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
`sourceRef` StoreGeneratorSourceRef	SourceRef points to a store or generator which contains secret values ready to use. Use this in combination with Extract or Find pull values out of a specific SecretStore. When sourceRef points to a generator Extract or Find is not supported. The generator returns a static map of values

ExternalSecretDataRemoteRef

(Appears on: ExternalSecretData, ExternalSecretDataFromRemoteRef)

ExternalSecretDataRemoteRef defines Provider data location.

Field	Description
`key` string	Key is the key used in the Provider, mandatory
`metadataPolicy` ExternalSecretMetadataPolicy	(Optional) Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
`property` string	(Optional) Used to select a specific property of the Provider value (if a map), if supported
`version` string	(Optional) Used to select a specific version of the Provider value, if supported
`conversionStrategy` ExternalSecretConversionStrategy	(Optional) Used to define a conversion Strategy
`decodingStrategy` ExternalSecretDecodingStrategy	(Optional) Used to define a decoding Strategy

ExternalSecretDecodingStrategy (`string` alias)

(Appears on: ExternalSecretDataRemoteRef, ExternalSecretFind)

Value	Description
"Auto"
"Base64"
"Base64URL"
"None"

ExternalSecretDeletionPolicy (`string` alias)

(Appears on: ExternalSecretTarget)

ExternalSecretDeletionPolicy defines rules on how to delete the resulting Secret.

Value	Description
"Delete"	Delete deletes the secret if all provider secrets are deleted. If a secret gets deleted on the provider side and is not accessible anymore this is not considered an error and the ExternalSecret does not go into SecretSyncedError status.
"Merge"	Merge removes keys in the secret, but not the secret itself. If a secret gets deleted on the provider side and is not accessible anymore this is not considered an error and the ExternalSecret does not go into SecretSyncedError status.
"Retain"	Retain will retain the secret if all provider secrets have been deleted. If a provider secret does not exist the ExternalSecret gets into the SecretSyncedError status.

ExternalSecretFind

(Appears on: ExternalSecretDataFromRemoteRef)

Field	Description
`path` string	(Optional) A root path to start the find operations.
`name` FindName	(Optional) Finds secrets based on the name.
`tags` map[string]string	(Optional) Find secrets based on tags.
`conversionStrategy` ExternalSecretConversionStrategy	(Optional) Used to define a conversion Strategy
`decodingStrategy` ExternalSecretDecodingStrategy	(Optional) Used to define a decoding Strategy

ExternalSecretMetadata

(Appears on: ClusterExternalSecretSpec)

ExternalSecretMetadata defines metadata fields for the ExternalSecret generated by the ClusterExternalSecret.

Field	Description
`annotations` map[string]string	(Optional)
`labels` map[string]string	(Optional)

ExternalSecretMetadataPolicy (`string` alias)

(Appears on: ExternalSecretDataRemoteRef)

Value	Description
"Fetch"
"None"

ExternalSecretRewrite

(Appears on: ExternalSecretDataFromRemoteRef)

Field	Description
`regexp` ExternalSecretRewriteRegexp	(Optional) Used to rewrite with regular expressions. The resulting key will be the output of a regexp.ReplaceAll operation.
`transform` ExternalSecretRewriteTransform	(Optional) Used to apply string transformation on the secrets. The resulting key will be the output of the template applied by the operation.

ExternalSecretRewriteRegexp

(Appears on: ExternalSecretRewrite)

Field	Description
`source` string	Used to define the regular expression of a re.Compiler.
`target` string	Used to define the target pattern of a ReplaceAll operation.

ExternalSecretRewriteTransform

(Appears on: ExternalSecretRewrite)

Field	Description
`template` string	Used to define the template to apply on the secret name. `.value` will specify the secret name in the template.

ExternalSecretSpec

(Appears on: ClusterExternalSecretSpec, ExternalSecret)

ExternalSecretSpec defines the desired state of ExternalSecret.

Field	Description
`secretStoreRef` SecretStoreRef	(Optional)
`target` ExternalSecretTarget	(Optional)
`refreshInterval` Kubernetes meta/v1.Duration	RefreshInterval is the amount of time before the values are read again from the SecretStore provider, specified as Golang Duration strings. Valid time units are “ns”, “us” (or “µs”), “ms”, “s”, “m”, “h” Example values: “1h”, “2h30m”, “5d”, “10s” May be set to zero to fetch and create it once. Defaults to 1h.
`data` []ExternalSecretData	(Optional) Data defines the connection between the Kubernetes Secret keys and the Provider data
`dataFrom` []ExternalSecretDataFromRemoteRef	(Optional) DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order

ExternalSecretStatus

(Appears on: ExternalSecret)

Field	Description
`refreshTime` Kubernetes meta/v1.Time	refreshTime is the time and date the external secret was fetched and the target secret updated
`syncedResourceVersion` string	SyncedResourceVersion keeps track of the last synced version
`conditions` []ExternalSecretStatusCondition	(Optional)
`binding` Kubernetes core/v1.LocalObjectReference	Binding represents a servicebinding.io Provisioned Service reference to the secret

ExternalSecretStatusCondition

(Appears on: ExternalSecretStatus)

Field	Description
`type` ExternalSecretConditionType
`status` Kubernetes core/v1.ConditionStatus
`reason` string	(Optional)
`message` string	(Optional)
`lastTransitionTime` Kubernetes meta/v1.Time	(Optional)

ExternalSecretTarget

(Appears on: ExternalSecretSpec)

ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret.

Field	Description
`name` string	(Optional) The name of the Secret resource to be managed. Defaults to the .metadata.name of the ExternalSecret resource
`creationPolicy` ExternalSecretCreationPolicy	(Optional) CreationPolicy defines rules on how to create the resulting Secret. Defaults to “Owner”
`deletionPolicy` ExternalSecretDeletionPolicy	(Optional) DeletionPolicy defines rules on how to delete the resulting Secret. Defaults to “Retain”
`template` ExternalSecretTemplate	(Optional) Template defines a blueprint for the created Secret resource.
`immutable` bool	(Optional) Immutable defines if the final secret will be immutable

ExternalSecretTemplate

(Appears on: ExternalSecretTarget)

ExternalSecretTemplate defines a blueprint for the created Secret resource. we can not use native corev1.Secret, it will have empty ObjectMeta values: https://github.com/kubernetes-sigs/controller-tools/issues/448

Field	Description
`type` Kubernetes core/v1.SecretType	(Optional)
`engineVersion` TemplateEngineVersion	EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[].
`metadata` ExternalSecretTemplateMetadata	(Optional)
`mergePolicy` TemplateMergePolicy
`data` map[string]string	(Optional)
`templateFrom` []TemplateFrom	(Optional)

ExternalSecretTemplateMetadata

(Appears on: ExternalSecretTemplate)

ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.

Field	Description
`annotations` map[string]string	(Optional)
`labels` map[string]string	(Optional)

ExternalSecretValidator

FakeProvider

(Appears on: SecretStoreProvider)

FakeProvider configures a fake provider that returns static values.

Field	Description
`data` []FakeProviderData

FakeProviderData

(Appears on: FakeProvider)

Field	Description
`key` string
`value` string
`valueMap` map[string]string	Deprecated: ValueMap is deprecated and is intended to be removed in the future, use the `value` field instead.
`version` string

FindName

(Appears on: ExternalSecretFind)

Field	Description
`regexp` string	(Optional) Finds secrets base

FortanixProvider

(Appears on: SecretStoreProvider)

Field	Description
`apiUrl` string	APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`.
`apiKey` FortanixProviderSecretRef	APIKey is the API token to access SDKMS Applications.

FortanixProviderSecretRef

(Appears on: FortanixProvider)

Field	Description
`secretRef` External Secrets meta/v1.SecretKeySelector	SecretRef is a reference to a secret containing the SDKMS API Key.

GCPSMAuth

(Appears on: GCPSMProvider)

Field	Description
`secretRef` GCPSMAuthSecretRef	(Optional)
`workloadIdentity` GCPWorkloadIdentity	(Optional)

GCPSMAuthSecretRef

(Appears on: GCPSMAuth)

Field	Description
`secretAccessKeySecretRef` External Secrets meta/v1.SecretKeySelector	(Optional) The SecretAccessKey is used for authentication

GCPSMProvider

(Appears on: SecretStoreProvider)

GCPSMProvider Configures a store to sync secrets using the GCP Secret Manager provider.

Field	Description
`auth` GCPSMAuth	(Optional) Auth defines the information necessary to authenticate against GCP
`projectID` string	ProjectID project where secret is located
`location` string	Location optionally defines a location for a secret

GCPWorkloadIdentity

(Appears on: GCPSMAuth)

Field	Description
`serviceAccountRef` External Secrets meta/v1.ServiceAccountSelector
`clusterLocation` string
`clusterName` string
`clusterProjectID` string

GeneratorRef

(Appears on: StoreGeneratorSourceRef, StoreSourceRef)

GeneratorRef points to a generator custom resource.

Field	Description
`apiVersion` string	Specify the apiVersion of the generator resource
`kind` string	Specify the Kind of the generator resource
`name` string	Specify the name of the generator resource

GenericStore

GenericStore is a common interface for interacting with ClusterSecretStore or a namespaced SecretStore.

GenericStoreValidator

GitlabAuth

(Appears on: GitlabProvider)

Field	Description
`SecretRef` GitlabSecretRef

GitlabProvider

(Appears on: SecretStoreProvider)

Configures a store to sync secrets with a GitLab instance.

Field	Description
`url` string	URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
`auth` GitlabAuth	Auth configures how secret-manager authenticates with a GitLab instance.
`projectID` string	ProjectID specifies a project where secrets are located.
`inheritFromGroups` bool	InheritFromGroups specifies whether parent groups should be discovered and checked for secrets.
`groupIDs` []string	GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables.
`environment` string	Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments)

GitlabSecretRef

(Appears on: GitlabAuth)

Field	Description
`accessToken` External Secrets meta/v1.SecretKeySelector	AccessToken is used for authentication.

IBMAuth

(Appears on: IBMProvider)

Field	Description
`secretRef` IBMAuthSecretRef
`containerAuth` IBMAuthContainerAuth

IBMAuthContainerAuth

(Appears on: IBMAuth)

IBM Container-based auth with IAM Trusted Profile.

Field	Description
`profile` string	the IBM Trusted Profile
`tokenLocation` string	Location the token is mounted on the pod
`iamEndpoint` string

IBMAuthSecretRef

(Appears on: IBMAuth)

Field	Description
`secretApiKeySecretRef` External Secrets meta/v1.SecretKeySelector	The SecretAccessKey is used for authentication

IBMProvider

(Appears on: SecretStoreProvider)

Configures an store to sync secrets using a IBM Cloud Secrets Manager backend.

Field	Description
`auth` IBMAuth	Auth configures how secret-manager authenticates with the IBM secrets manager.
`serviceUrl` string	ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance

InfisicalAuth

(Appears on: InfisicalProvider)

Field	Description
`universalAuthCredentials` UniversalAuthCredentials	(Optional)

InfisicalProvider

(Appears on: SecretStoreProvider)

InfisicalProvider configures a store to sync secrets using the Infisical provider.

Field	Description
`auth` InfisicalAuth	Auth configures how the Operator authenticates with the Infisical API
`secretsScope` MachineIdentityScopeInWorkspace
`hostAPI` string	(Optional)

KeeperSecurityProvider

(Appears on: SecretStoreProvider)

KeeperSecurityProvider Configures a store to sync secrets using Keeper Security.

Field	Description
`authRef` External Secrets meta/v1.SecretKeySelector
`folderID` string

KubernetesAuth

(Appears on: KubernetesProvider)

Field	Description
`cert` CertAuth	(Optional) has both clientCert and clientKey as secretKeySelector
`token` TokenAuth	(Optional) use static token to authenticate with
`serviceAccount` External Secrets meta/v1.ServiceAccountSelector	(Optional) points to a service account that should be used for authentication

KubernetesProvider

(Appears on: SecretStoreProvider)

Configures a store to sync secrets with a Kubernetes instance.

Field	Description
`server` KubernetesServer	(Optional) configures the Kubernetes server Address.
`auth` KubernetesAuth	(Optional) Auth configures how secret-manager authenticates with a Kubernetes instance.
`authRef` External Secrets meta/v1.SecretKeySelector	(Optional) A reference to a secret that contains the auth information.
`remoteNamespace` string	(Optional) Remote namespace to fetch the secrets from

KubernetesServer

(Appears on: KubernetesProvider)

Field	Description
`url` string	(Optional) configures the Kubernetes server Address.
`caBundle` []byte	(Optional) CABundle is a base64-encoded CA certificate
`caProvider` CAProvider	(Optional) see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider

MachineIdentityScopeInWorkspace

(Appears on: InfisicalProvider)

Field	Description
`secretsPath` string	(Optional)
`recursive` bool	(Optional)
`environmentSlug` string
`projectSlug` string

NoSecretError

NoSecretError shall be returned when a GetSecret can not find the desired secret. This is used for deletionPolicy.

NotModifiedError

NotModifiedError to signal that the webhook received no changes, and it should just return without doing anything.

OnboardbaseAuthSecretRef

(Appears on: OnboardbaseProvider)

OnboardbaseAuthSecretRef holds secret references for onboardbase API Key credentials.

Field	Description
`apiKeyRef` External Secrets meta/v1.SecretKeySelector	OnboardbaseAPIKey is the APIKey generated by an admin account. It is used to recognize and authorize access to a project and environment within onboardbase
`passcodeRef` External Secrets meta/v1.SecretKeySelector	OnboardbasePasscode is the passcode attached to the API Key

OnboardbaseProvider

(Appears on: SecretStoreProvider)

OnboardbaseProvider configures a store to sync secrets using the Onboardbase provider. Project and Config are required if not using a Service Token.

Field	Description
`auth` OnboardbaseAuthSecretRef	Auth configures how the Operator authenticates with the Onboardbase API
`apiHost` string	APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/
`project` string	Project is an onboardbase project that the secrets should be pulled from
`environment` string	Environment is the name of an environmnent within a project to pull the secrets from

OnePasswordAuth

(Appears on: OnePasswordProvider)

OnePasswordAuth contains a secretRef for credentials.

Field	Description
`secretRef` OnePasswordAuthSecretRef

OnePasswordAuthSecretRef

(Appears on: OnePasswordAuth)

OnePasswordAuthSecretRef holds secret references for 1Password credentials.

Field	Description
`connectTokenSecretRef` External Secrets meta/v1.SecretKeySelector	The ConnectToken is used for authentication to a 1Password Connect Server.

OnePasswordProvider

(Appears on: SecretStoreProvider)

OnePasswordProvider configures a store to sync secrets using the 1Password Secret Manager provider.

Field	Description
`auth` OnePasswordAuth	Auth defines the information necessary to authenticate against OnePassword Connect Server
`connectHost` string	ConnectHost defines the OnePassword Connect Server to connect to
`vaults` map[string]int	Vaults defines which OnePassword vaults to search in which order

OracleAuth

(Appears on: OracleProvider)

Field	Description
`tenancy` string	Tenancy is the tenancy OCID where user is located.
`user` string	User is an access OCID specific to the account.
`secretRef` OracleSecretRef	SecretRef to pass through sensitive information.

OraclePrincipalType (`string` alias)

(Appears on: OracleProvider)

Value	Description
"InstancePrincipal"	InstancePrincipal represents a instance principal.
"UserPrincipal"	UserPrincipal represents a user principal.
"Workload"	WorkloadPrincipal represents a workload principal.

OracleProvider

(Appears on: SecretStoreProvider)

Configures an store to sync secrets using a Oracle Vault backend.

Field	Description
`region` string	Region is the region where vault is located.
`vault` string	Vault is the vault’s OCID of the specific vault where secret is located.
`compartment` string	(Optional) Compartment is the vault compartment OCID. Required for PushSecret
`encryptionKey` string	(Optional) EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret
`principalType` OraclePrincipalType	(Optional) The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity.
`auth` OracleAuth	(Optional) Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth.
`serviceAccountRef` External Secrets meta/v1.ServiceAccountSelector	(Optional) ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity.

OracleSecretRef

(Appears on: OracleAuth)

Field	Description
`privatekey` External Secrets meta/v1.SecretKeySelector	PrivateKey is the user’s API Signing Key in PEM format, used for authentication.
`fingerprint` External Secrets meta/v1.SecretKeySelector	Fingerprint is the fingerprint of the API private key.

PassboltAuth

(Appears on: PassboltProvider)

Passbolt contains a secretRef for the passbolt credentials.

Field	Description
`passwordSecretRef` External Secrets meta/v1.SecretKeySelector
`privateKeySecretRef` External Secrets meta/v1.SecretKeySelector

PassboltProvider

(Appears on: SecretStoreProvider)

Field	Description
`auth` PassboltAuth	Auth defines the information necessary to authenticate against Passbolt Server
`host` string	Host defines the Passbolt Server to connect to

PasswordDepotAuth

(Appears on: PasswordDepotProvider)

Field	Description
`secretRef` PasswordDepotSecretRef

PasswordDepotProvider

(Appears on: SecretStoreProvider)

Configures a store to sync secrets with a Password Depot instance.

Field	Description
`host` string	URL configures the Password Depot instance URL.
`database` string	Database to use as source
`auth` PasswordDepotAuth	Auth configures how secret-manager authenticates with a Password Depot instance.

PasswordDepotSecretRef

(Appears on: PasswordDepotAuth)

Field	Description
`credentials` External Secrets meta/v1.SecretKeySelector	(Optional) Username / Password is used for authentication.

PreviderAuth

(Appears on: PreviderProvider)

PreviderAuth contains a secretRef for credentials.

Field	Description
`secretRef` PreviderAuthSecretRef	(Optional)

PreviderAuthSecretRef

(Appears on: PreviderAuth)

PreviderAuthSecretRef holds secret references for Previder Vault credentials.

Field	Description
`accessToken` External Secrets meta/v1.SecretKeySelector	The AccessToken is used for authentication

PreviderProvider

(Appears on: SecretStoreProvider)

PreviderProvider configures a store to sync secrets using the Previder Secret Manager provider.

Field	Description
`auth` PreviderAuth
`baseUri` string	(Optional)

Provider

Provider is a common interface for interacting with secret backends.

PulumiProvider

(Appears on: SecretStoreProvider)

Field	Description
`apiUrl` string	APIURL is the URL of the Pulumi API.
`accessToken` PulumiProviderSecretRef	AccessToken is the access tokens to sign in to the Pulumi Cloud Console.
`organization` string	Organization are a space to collaborate on shared projects and stacks. To create a new organization, visit https://app.pulumi.com/ and click “New Organization”.
`project` string	Project is the name of the Pulumi ESC project the environment belongs to.
`environment` string	Environment are YAML documents composed of static key-value pairs, programmatic expressions, dynamically retrieved values from supported providers including all major clouds, and other Pulumi ESC environments. To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information.

PulumiProviderSecretRef

(Appears on: PulumiProvider)

Field	Description
`secretRef` External Secrets meta/v1.SecretKeySelector	SecretRef is a reference to a secret containing the Pulumi API token.

PushSecretData

PushSecretData is an interface to allow using v1alpha1.PushSecretData content in Provider registered in v1beta1.

PushSecretRemoteRef

PushSecretRemoteRef is an interface to allow using v1alpha1.PushSecretRemoteRef in Provider registered in v1beta1.

ScalewayProvider

(Appears on: SecretStoreProvider)

Field	Description
`apiUrl` string	(Optional) APIURL is the url of the api to use. Defaults to https://api.scaleway.com
`region` string	Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone
`projectId` string	ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings
`accessKey` ScalewayProviderSecretRef	AccessKey is the non-secret part of the api key.
`secretKey` ScalewayProviderSecretRef	SecretKey is the non-secret part of the api key.

ScalewayProviderSecretRef

(Appears on: ScalewayProvider)

Field	Description
`value` string	(Optional) Value can be specified directly to set a value without using a secret.
`secretRef` External Secrets meta/v1.SecretKeySelector	(Optional) SecretRef references a key in a secret that will be used as value.

SecretServerProvider

(Appears on: SecretStoreProvider)

See https://github.com/DelineaXPM/tss-sdk-go/blob/main/server/server.go.

Field	Description
`username` SecretServerProviderRef	Username is the secret server account username.
`password` SecretServerProviderRef	Password is the secret server account password.
`serverURL` string	ServerURL URL to your secret server installation

SecretServerProviderRef

(Appears on: SecretServerProvider)

Field	Description
`value` string	(Optional) Value can be specified directly to set a value without using a secret.
`secretRef` External Secrets meta/v1.SecretKeySelector	(Optional) SecretRef references a key in a secret that will be used as value.

SecretStore

SecretStore represents a secure external location for storing secrets, which can be referenced as part of storeRef fields.

Field Description

metadata
Kubernetes meta/v1.ObjectMeta Refer to the Kubernetes API documentation for the fields of the metadata field.

spec
SecretStoreSpec

`controller` string	(Optional) Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property
`provider` SecretStoreProvider	Used to configure the provider. Only one provider may be set
`retrySettings` SecretStoreRetrySettings	(Optional) Used to configure http retries if failed
`refreshInterval` int	(Optional) Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config.
`conditions` []ClusterSecretStoreCondition	(Optional) Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore

status
SecretStoreStatus

SecretStoreCapabilities (`string` alias)

(Appears on: SecretStoreStatus)

SecretStoreCapabilities defines the possible operations a SecretStore can do.

Value	Description
"ReadOnly"
"ReadWrite"
"WriteOnly"

SecretStoreConditionType (`string` alias)

(Appears on: SecretStoreStatusCondition)

Value	Description
"Ready"

SecretStoreProvider

(Appears on: SecretStoreSpec)

SecretStoreProvider contains the provider-specific configuration.

Field	Description
`aws` AWSProvider	(Optional) AWS configures this store to sync secrets using AWS Secret Manager provider
`azurekv` AzureKVProvider	(Optional) AzureKV configures this store to sync secrets using Azure Key Vault provider
`akeyless` AkeylessProvider	(Optional) Akeyless configures this store to sync secrets using Akeyless Vault provider
`bitwardensecretsmanager` BitwardenSecretsManagerProvider	(Optional) BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider
`vault` VaultProvider	(Optional) Vault configures this store to sync secrets using Hashi provider
`gcpsm` GCPSMProvider	(Optional) GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
`oracle` OracleProvider	(Optional) Oracle configures this store to sync secrets using Oracle Vault provider
`ibm` IBMProvider	(Optional) IBM configures this store to sync secrets using IBM Cloud provider
`yandexcertificatemanager` YandexCertificateManagerProvider	(Optional) YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider
`yandexlockbox` YandexLockboxProvider	(Optional) YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
`gitlab` GitlabProvider	(Optional) GitLab configures this store to sync secrets using GitLab Variables provider
`alibaba` AlibabaProvider	(Optional) Alibaba configures this store to sync secrets using Alibaba Cloud provider
`onepassword` OnePasswordProvider	(Optional) OnePassword configures this store to sync secrets using the 1Password Cloud provider
`webhook` WebhookProvider	(Optional) Webhook configures this store to sync secrets using a generic templated webhook
`kubernetes` KubernetesProvider	(Optional) Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
`fake` FakeProvider	(Optional) Fake configures a store with static key/value pairs
`senhasegura` SenhaseguraProvider	(Optional) Senhasegura configures this store to sync secrets using senhasegura provider
`scaleway` ScalewayProvider	(Optional) Scaleway
`doppler` DopplerProvider	(Optional) Doppler configures this store to sync secrets using the Doppler provider
`previder` PreviderProvider	(Optional) Previder configures this store to sync secrets using the Previder provider
`onboardbase` OnboardbaseProvider	(Optional) Onboardbase configures this store to sync secrets using the Onboardbase provider
`keepersecurity` KeeperSecurityProvider	(Optional) KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider
`conjur` ConjurProvider	(Optional) Conjur configures this store to sync secrets using conjur provider
`delinea` DelineaProvider	(Optional) Delinea DevOps Secrets Vault https://docs.delinea.com/online-help/products/devops-secrets-vault/current
`secretserver` SecretServerProvider	(Optional) SecretServer configures this store to sync secrets using SecretServer provider https://docs.delinea.com/online-help/secret-server/start.htm
`chef` ChefProvider	(Optional) Chef configures this store to sync secrets with chef server
`pulumi` PulumiProvider	(Optional) Pulumi configures this store to sync secrets using the Pulumi provider
`fortanix` FortanixProvider	(Optional) Fortanix configures this store to sync secrets using the Fortanix provider
`passworddepot` PasswordDepotProvider	(Optional)
`passbolt` PassboltProvider	(Optional)
`device42` Device42Provider	(Optional) Device42 configures this store to sync secrets using the Device42 provider
`infisical` InfisicalProvider	(Optional) Infisical configures this store to sync secrets using the Infisical provider
`beyondtrust` BeyondtrustProvider	(Optional) Beyondtrust configures this store to sync secrets using Password Safe provider.

SecretStoreRef

(Appears on: ExternalSecretSpec, StoreGeneratorSourceRef, StoreSourceRef)

SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.

Field	Description
`name` string	Name of the SecretStore resource
`kind` string	(Optional) Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore`

SecretStoreRetrySettings

(Appears on: SecretStoreSpec)

Field	Description
`maxRetries` int32
`retryInterval` string

SecretStoreSpec

(Appears on: ClusterSecretStore, SecretStore)

SecretStoreSpec defines the desired state of SecretStore.

Field	Description
`controller` string	(Optional) Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property
`provider` SecretStoreProvider	Used to configure the provider. Only one provider may be set
`retrySettings` SecretStoreRetrySettings	(Optional) Used to configure http retries if failed
`refreshInterval` int	(Optional) Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config.
`conditions` []ClusterSecretStoreCondition	(Optional) Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore

SecretStoreStatus

(Appears on: ClusterSecretStore, SecretStore)

SecretStoreStatus defines the observed state of the SecretStore.

Field	Description
`conditions` []SecretStoreStatusCondition	(Optional)
`capabilities` SecretStoreCapabilities	(Optional)

SecretStoreStatusCondition

(Appears on: SecretStoreStatus)

Field	Description
`type` SecretStoreConditionType
`status` Kubernetes core/v1.ConditionStatus
`reason` string	(Optional)
`message` string	(Optional)
`lastTransitionTime` Kubernetes meta/v1.Time	(Optional)

SecretsClient

SecretsClient provides access to secrets.

SecretsManager

(Appears on: AWSProvider)

SecretsManager defines how the provider behaves when interacting with AWS SecretsManager. Some of these settings are only applicable to controlling how secrets are deleted, and hence only apply to PushSecret (and only when deletionPolicy is set to Delete).

Field Description

forceDeleteWithoutRecovery
bool

(Optional)

Specifies whether to delete the secret without any recovery window. You can’t use both this parameter and RecoveryWindowInDays in the same call. If you don’t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery

recoveryWindowInDays
int64

(Optional)

The number of days from 7 to 30 that Secrets Manager waits before permanently deleting the secret. You can’t use both this parameter and ForceDeleteWithoutRecovery in the same call. If you don’t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays

SenhaseguraAuth

(Appears on: SenhaseguraProvider)

SenhaseguraAuth tells the controller how to do auth in senhasegura.

Field	Description
`clientId` string
`clientSecretSecretRef` External Secrets meta/v1.SecretKeySelector

SenhaseguraModuleType (`string` alias)

(Appears on: SenhaseguraProvider)

SenhaseguraModuleType enum defines senhasegura target module to fetch secrets

Value	Description
"DSM"	`SenhaseguraModuleDSM is the senhasegura DevOps Secrets Management module see: https://senhasegura.com/devops`

SenhaseguraProvider

(Appears on: SecretStoreProvider)

SenhaseguraProvider setup a store to sync secrets with senhasegura.

Field	Description
`url` string	URL of senhasegura
`module` SenhaseguraModuleType	Module defines which senhasegura module should be used to get secrets
`auth` SenhaseguraAuth	Auth defines parameters to authenticate in senhasegura
`ignoreSslCertificate` bool	IgnoreSslCertificate defines if SSL certificate must be ignored

StoreGeneratorSourceRef

(Appears on: ExternalSecretDataFromRemoteRef)

StoreGeneratorSourceRef allows you to override the source from which the secret will be pulled from. You can define at maximum one property.

Field	Description
`storeRef` SecretStoreRef	(Optional)
`generatorRef` GeneratorRef	(Optional) GeneratorRef points to a generator custom resource.

StoreSourceRef

(Appears on: ExternalSecretData)

StoreSourceRef allows you to override the SecretStore source from which the secret will be pulled from. You can define at maximum one property.

Field Description

storeRef
SecretStoreRef (Optional)

generatorRef
GeneratorRef

GeneratorRef points to a generator custom resource.

Deprecated: The generatorRef is not implemented in .data[]. this will be removed with v1.

Tag

Field	Description
`key` string
`value` string

TemplateEngineVersion (`string` alias)

(Appears on: ExternalSecretTemplate)

Value	Description
"v1"
"v2"

TemplateFrom

(Appears on: ExternalSecretTemplate)

Field	Description
`configMap` TemplateRef
`secret` TemplateRef
`target` TemplateTarget	(Optional)
`literal` string	(Optional)

TemplateMergePolicy (`string` alias)

(Appears on: ExternalSecretTemplate)

Value	Description
"Merge"
"Replace"

TemplateRef

(Appears on: TemplateFrom)

Field	Description
`name` string	The name of the ConfigMap/Secret resource
`items` []TemplateRefItem	A list of keys in the ConfigMap/Secret to use as templates for Secret data

TemplateRefItem

(Appears on: TemplateRef)

Field	Description
`key` string	A key in the ConfigMap/Secret
`templateAs` TemplateScope

TemplateScope (`string` alias)

(Appears on: TemplateRefItem)

Value	Description
"KeysAndValues"
"Values"

TemplateTarget (`string` alias)

(Appears on: TemplateFrom)

Value	Description
"Annotations"
"Data"
"Labels"

TokenAuth

(Appears on: KubernetesAuth)

Field	Description
`bearerToken` External Secrets meta/v1.SecretKeySelector

UniversalAuthCredentials

(Appears on: InfisicalAuth)

Field	Description
`clientId` External Secrets meta/v1.SecretKeySelector
`clientSecret` External Secrets meta/v1.SecretKeySelector

ValidationResult (`byte` alias)

Value	Description
2	Error indicates that there is a misconfiguration.
0	Ready indicates that the client is configured correctly and can be used.
1	Unknown indicates that the client can be used but information is missing and it can not be validated.

VaultAppRole

(Appears on: VaultAuth)

VaultAppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.

Field	Description
`path` string	Path where the App Role authentication backend is mounted in Vault, e.g: “approle”
`roleId` string	(Optional) RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
`roleRef` External Secrets meta/v1.SecretKeySelector	(Optional) Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id.
`secretRef` External Secrets meta/v1.SecretKeySelector	Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.

VaultAuth

(Appears on: VaultProvider)

VaultAuth is the configuration used to authenticate with a Vault server. Only one of tokenSecretRef, appRole, kubernetes, ldap, userPass, jwt or cert can be specified. A namespace to authenticate against can optionally be specified.

Field	Description
`namespace` string	(Optional) Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: “ns1”. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces This will default to Vault.Namespace field if set, or empty otherwise
`tokenSecretRef` External Secrets meta/v1.SecretKeySelector	(Optional) TokenSecretRef authenticates with Vault by presenting a token.
`appRole` VaultAppRole	(Optional) AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
`kubernetes` VaultKubernetesAuth	(Optional) Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
`ldap` VaultLdapAuth	(Optional) Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method
`jwt` VaultJwtAuth	(Optional) Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method
`cert` VaultCertAuth	(Optional) Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method
`iam` VaultIamAuth	(Optional) Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method
`userPass` VaultUserPassAuth	(Optional) UserPass authenticates with Vault by passing username/password pair

VaultAwsAuth

VaultAwsAuth tells the controller how to do authentication with aws. Only one of secretRef or jwt can be specified. if none is specified the controller will try to load credentials from its own service account assuming it is IRSA enabled.

Field	Description
`secretRef` VaultAwsAuthSecretRef	(Optional)
`jwt` VaultAwsJWTAuth	(Optional)

VaultAwsAuthSecretRef

(Appears on: VaultAwsAuth, VaultIamAuth)

VaultAWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.

Field	Description
`accessKeyIDSecretRef` External Secrets meta/v1.SecretKeySelector	The AccessKeyID is used for authentication
`secretAccessKeySecretRef` External Secrets meta/v1.SecretKeySelector	The SecretAccessKey is used for authentication
`sessionTokenSecretRef` External Secrets meta/v1.SecretKeySelector	The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html

VaultAwsJWTAuth

(Appears on: VaultAwsAuth, VaultIamAuth)

Authenticate against AWS using service account tokens.

Field	Description
`serviceAccountRef` External Secrets meta/v1.ServiceAccountSelector

VaultCertAuth

(Appears on: VaultAuth)

VaultJwtAuth authenticates with Vault using the JWT/OIDC authentication method, with the role name and token stored in a Kubernetes Secret resource.

Field	Description
`clientCert` External Secrets meta/v1.SecretKeySelector	(Optional) ClientCert is a certificate to authenticate using the Cert Vault authentication method
`secretRef` External Secrets meta/v1.SecretKeySelector	SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method

VaultClientTLS

(Appears on: VaultProvider)

VaultClientTLS is the configuration used for client side related TLS communication, when the Vault server requires mutual authentication.

Field	Description
`certSecretRef` External Secrets meta/v1.SecretKeySelector	CertSecretRef is a certificate added to the transport layer when communicating with the Vault server. If no key for the Secret is specified, external-secret will default to ‘tls.crt’.
`keySecretRef` External Secrets meta/v1.SecretKeySelector	KeySecretRef to a key in a Secret resource containing client private key added to the transport layer when communicating with the Vault server. If no key for the Secret is specified, external-secret will default to ‘tls.key’.

VaultIamAuth

(Appears on: VaultAuth)

VaultIamAuth authenticates with Vault using the Vault’s AWS IAM authentication method. Refer: https://developer.hashicorp.com/vault/docs/auth/aws

Field	Description
`path` string	Path where the AWS auth method is enabled in Vault, e.g: “aws”
`region` string	AWS region
`role` string	This is the AWS role to be assumed before talking to vault
`vaultRole` string	Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine
`externalID` string	AWS External ID set on assumed IAM roles
`vaultAwsIamServerID` string	X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws
`secretRef` VaultAwsAuthSecretRef	(Optional) Specify credentials in a Secret object
`jwt` VaultAwsJWTAuth	(Optional) Specify a service account with IRSA enabled

VaultJwtAuth

(Appears on: VaultAuth)

VaultJwtAuth authenticates with Vault using the JWT/OIDC authentication method, with the role name and a token stored in a Kubernetes Secret resource or a Kubernetes service account token retrieved via TokenRequest.

Field	Description
`path` string	Path where the JWT authentication backend is mounted in Vault, e.g: “jwt”
`role` string	(Optional) Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method
`secretRef` External Secrets meta/v1.SecretKeySelector	(Optional) Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method.
`kubernetesServiceAccountToken` VaultKubernetesServiceAccountTokenAuth	(Optional) Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API.

VaultKVStoreVersion (`string` alias)

(Appears on: VaultProvider)

Value	Description
"v1"
"v2"

VaultKubernetesAuth

(Appears on: VaultAuth)

Authenticate against Vault using a Kubernetes ServiceAccount token stored in a Secret.

Field	Description
`mountPath` string	Path where the Kubernetes authentication backend is mounted in Vault, e.g: “kubernetes”
`serviceAccountRef` External Secrets meta/v1.ServiceAccountSelector	(Optional) Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead.
`secretRef` External Secrets meta/v1.SecretKeySelector	(Optional) Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used.
`role` string	A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.

VaultKubernetesServiceAccountTokenAuth

(Appears on: VaultJwtAuth)

VaultKubernetesServiceAccountTokenAuth authenticates with Vault using a temporary Kubernetes service account token retrieved by the TokenRequest API.

Field	Description
`serviceAccountRef` External Secrets meta/v1.ServiceAccountSelector	Service account field containing the name of a kubernetes ServiceAccount.
`audiences` []string	(Optional) Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. Deprecated: use serviceAccountRef.Audiences instead
`expirationSeconds` int64	(Optional) Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Deprecated: this will be removed in the future. Defaults to 10 minutes.

VaultLdapAuth

(Appears on: VaultAuth)

VaultLdapAuth authenticates with Vault using the LDAP authentication method, with the username and password stored in a Kubernetes Secret resource.

Field	Description
`path` string	Path where the LDAP authentication backend is mounted in Vault, e.g: “ldap”
`username` string	Username is a LDAP user name used to authenticate using the LDAP Vault authentication method
`secretRef` External Secrets meta/v1.SecretKeySelector	SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method

VaultProvider

(Appears on: SecretStoreProvider)

Configures an store to sync secrets using a HashiCorp Vault KV backend.

Field	Description
`auth` VaultAuth	Auth configures how secret-manager authenticates with the Vault server.
`server` string	Server is the connection address for the Vault server, e.g: “https://vault.example.com:8200”.
`path` string	(Optional) Path is the mount path of the Vault KV backend endpoint, e.g: “secret”. The v2 KV secret engine version specific “/data” path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.
`version` VaultKVStoreVersion	Version is the Vault KV secret engine version. This can be either “v1” or “v2”. Version defaults to “v2”.
`namespace` string	(Optional) Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: “ns1”. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
`caBundle` []byte	(Optional) PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
`tls` VaultClientTLS	(Optional) The configuration used for client side related TLS communication, when the Vault server requires mutual authentication. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. It’s worth noting this configuration is different from the “TLS certificates auth method”, which is available under the `auth.cert` section.
`caProvider` CAProvider	(Optional) The provider for the CA bundle to use to validate Vault server certificate.
`readYourWrites` bool	(Optional) ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency
`forwardInconsistent` bool	(Optional) ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
`headers` map[string]string	(Optional) Headers to be added in Vault request

VaultUserPassAuth

(Appears on: VaultAuth)

VaultUserPassAuth authenticates with Vault using UserPass authentication method, with the username and password stored in a Kubernetes Secret resource.

Field	Description
`path` string	Path where the UserPassword authentication backend is mounted in Vault, e.g: “user”
`username` string	Username is a user name used to authenticate using the UserPass Vault authentication method
`secretRef` External Secrets meta/v1.SecretKeySelector	SecretRef to a key in a Secret resource containing password for the user used to authenticate with Vault using the UserPass authentication method

WebhookCAProvider

(Appears on: WebhookProvider)

Defines a location to fetch the cert for the webhook provider from.

Field	Description
`type` WebhookCAProviderType	The type of provider to use such as “Secret”, or “ConfigMap”.
`name` string	The name of the object located at the provider type.
`key` string	The key where the CA certificate can be found in the Secret or ConfigMap.
`namespace` string	(Optional) The namespace the Provider type is in.

WebhookCAProviderType (`string` alias)

(Appears on: WebhookCAProvider)

Value	Description
"ConfigMap"
"Secret"

WebhookProvider

(Appears on: SecretStoreProvider)

AkeylessProvider Configures an store to sync secrets using Akeyless KV.

Field	Description
`method` string	Webhook Method
`url` string	Webhook url to call
`headers` map[string]string	(Optional) Headers
`body` string	(Optional) Body
`timeout` Kubernetes meta/v1.Duration	(Optional) Timeout
`result` WebhookResult	Result formatting
`secrets` []WebhookSecret	(Optional) Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name
`caBundle` []byte	(Optional) PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
`caProvider` WebhookCAProvider	(Optional) The provider for the CA bundle to use to validate webhook server certificate.

WebhookResult

(Appears on: WebhookProvider)

Field	Description
`jsonPath` string	(Optional) Json path of return value

WebhookSecret

(Appears on: WebhookProvider)

Field	Description
`name` string	Name of this secret in templates
`secretRef` External Secrets meta/v1.SecretKeySelector	Secret ref to fill in credentials

YandexCertificateManagerAuth

(Appears on: YandexCertificateManagerProvider)

Field	Description
`authorizedKeySecretRef` External Secrets meta/v1.SecretKeySelector	(Optional) The authorized key used for authentication

YandexCertificateManagerCAProvider

(Appears on: YandexCertificateManagerProvider)

Field	Description
`certSecretRef` External Secrets meta/v1.SecretKeySelector

YandexCertificateManagerProvider

(Appears on: SecretStoreProvider)

YandexCertificateManagerProvider Configures a store to sync secrets using the Yandex Certificate Manager provider.

Field	Description
`apiEndpoint` string	(Optional) Yandex.Cloud API endpoint (e.g. ‘api.cloud.yandex.net:443’)
`auth` YandexCertificateManagerAuth	Auth defines the information necessary to authenticate against Yandex Certificate Manager
`caProvider` YandexCertificateManagerCAProvider	(Optional) The provider for the CA bundle to use to validate Yandex.Cloud server certificate.

YandexLockboxAuth

(Appears on: YandexLockboxProvider)

Field	Description
`authorizedKeySecretRef` External Secrets meta/v1.SecretKeySelector	(Optional) The authorized key used for authentication

YandexLockboxCAProvider

(Appears on: YandexLockboxProvider)

Field	Description
`certSecretRef` External Secrets meta/v1.SecretKeySelector

YandexLockboxProvider

(Appears on: SecretStoreProvider)

YandexLockboxProvider Configures a store to sync secrets using the Yandex Lockbox provider.

Field	Description
`apiEndpoint` string	(Optional) Yandex.Cloud API endpoint (e.g. ‘api.cloud.yandex.net:443’)
`auth` YandexLockboxAuth	Auth defines the information necessary to authenticate against Yandex Lockbox
`caProvider` YandexLockboxCAProvider	(Optional) The provider for the CA bundle to use to validate Yandex.Cloud server certificate.

Generated with gen-crd-api-reference-docs.

179 KiB Raw Blame History Unescape Escape

external-secrets.io/v1beta1

AWSAuth

AWSAuthSecretRef

AWSJWTAuth

AWSProvider

AWSServiceType (string alias)

AkeylessAuth

AkeylessAuthSecretRef

AkeylessKubernetesAuth

AkeylessProvider

AlibabaAuth

AlibabaAuthSecretRef

AlibabaProvider

AlibabaRRSAAuth

AzureAuthType (string alias)

AzureEnvironmentType (string alias)

AzureKVAuth

AzureKVProvider

BeyondTrustProviderSecretRef

BeyondtrustAuth

BeyondtrustProvider

BeyondtrustServer

BitwardenSecretsManagerAuth

BitwardenSecretsManagerProvider

BitwardenSecretsManagerSecretRef

CAProvider

CAProviderType (string alias)

CertAuth

ChefAuth

ChefAuthSecretRef

ChefProvider

ClusterExternalSecret

ClusterExternalSecretConditionType (string alias)

ClusterExternalSecretNamespaceFailure

ClusterExternalSecretSpec

ClusterExternalSecretStatus

ClusterExternalSecretStatusCondition

ClusterSecretStore

ClusterSecretStoreCondition

ConjurAPIKey

ConjurAuth

ConjurJWT

ConjurProvider

DelineaProvider

DelineaProviderSecretRef

Device42Auth

Device42Provider

Device42SecretRef

DopplerAuth

DopplerAuthSecretRef

DopplerProvider

ExternalSecret

ExternalSecretConditionType (string alias)

ExternalSecretConversionStrategy (string alias)

ExternalSecretCreationPolicy (string alias)

ExternalSecretData

ExternalSecretDataFromRemoteRef

ExternalSecretDataRemoteRef

ExternalSecretDecodingStrategy (string alias)

ExternalSecretDeletionPolicy (string alias)

ExternalSecretFind

ExternalSecretMetadata

ExternalSecretMetadataPolicy (string alias)

ExternalSecretRewrite

ExternalSecretRewriteRegexp

ExternalSecretRewriteTransform

ExternalSecretSpec

ExternalSecretStatus

ExternalSecretStatusCondition

ExternalSecretTarget

ExternalSecretTemplate

ExternalSecretTemplateMetadata

ExternalSecretValidator

FakeProvider

FakeProviderData

FindName

FortanixProvider

FortanixProviderSecretRef

GCPSMAuth

179 KiB

Raw Blame History

AWSServiceType (`string` alias)

AzureAuthType (`string` alias)

AzureEnvironmentType (`string` alias)

CAProviderType (`string` alias)

ClusterExternalSecretConditionType (`string` alias)

ExternalSecretConditionType (`string` alias)

ExternalSecretConversionStrategy (`string` alias)

ExternalSecretCreationPolicy (`string` alias)

ExternalSecretDecodingStrategy (`string` alias)

ExternalSecretDeletionPolicy (`string` alias)

ExternalSecretMetadataPolicy (`string` alias)

OraclePrincipalType (`string` alias)

SecretStoreCapabilities (`string` alias)

SecretStoreConditionType (`string` alias)

SenhaseguraModuleType (`string` alias)

TemplateEngineVersion (`string` alias)

TemplateMergePolicy (`string` alias)