* feat: adding support for mTLS to the Vault provider Signed-off-by: Rodrigo Fior Kuntzer <rodrigo@miro.com>
apiVersion: apiextensions.k8s.io/v1
|
|
kind: CustomResourceDefinition
|
|
metadata:
|
|
annotations:
|
|
controller-gen.kubebuilder.io/version: v0.13.0
|
|
name: secretstores.external-secrets.io
|
|
spec:
|
|
group: external-secrets.io
|
|
names:
|
|
categories:
|
|
- externalsecrets
|
|
kind: SecretStore
|
|
listKind: SecretStoreList
|
|
plural: secretstores
|
|
shortNames:
|
|
- ss
|
|
singular: secretstore
|
|
scope: Namespaced
|
|
versions:
|
|
- additionalPrinterColumns:
|
|
- jsonPath: .metadata.creationTimestamp
|
|
name: AGE
|
|
type: date
|
|
- jsonPath: .status.conditions[?(@.type=="Ready")].reason
|
|
name: Status
|
|
type: string
|
|
deprecated: true
|
|
name: v1alpha1
|
|
schema:
|
|
openAPIV3Schema:
|
|
description: SecretStore represents a secure external location for storing
|
|
secrets, which can be referenced as part of `storeRef` fields.
|
|
properties:
|
|
apiVersion:
|
|
description: 'APIVersion defines the versioned schema of this representation
|
|
of an object. Servers should convert recognized schemas to the latest
|
|
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
|
type: string
|
|
kind:
|
|
description: 'Kind is a string value representing the REST resource this
|
|
object represents. Servers may infer this from the endpoint the client
|
|
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
|
type: string
|
|
metadata:
|
|
type: object
|
|
spec:
|
|
description: SecretStoreSpec defines the desired state of SecretStore.
|
|
properties:
|
|
controller:
|
|
description: 'Used to select the correct ESO controller (think: ingress.ingressClassName).
The ESO controller is instantiated with a specific controller name
and filters ES (ExternalSecret) resources based on this property'
|
|
type: string
|
|
provider:
|
|
description: Used to configure the provider. Only one provider may
|
|
be set
|
|
maxProperties: 1
|
|
minProperties: 1
|
|
properties:
|
|
akeyless:
|
|
description: Akeyless configures this store to sync secrets using
|
|
Akeyless Vault provider
|
|
properties:
|
|
akeylessGWApiURL:
|
|
description: Akeyless GW API Url from which the secrets to
|
|
be fetched from.
|
|
type: string
|
|
authSecretRef:
|
|
description: Auth configures how the operator authenticates
|
|
with Akeyless.
|
|
properties:
|
|
kubernetesAuth:
|
|
description: Kubernetes authenticates with Akeyless by
|
|
passing the ServiceAccount token stored in the named
|
|
Secret resource.
|
|
properties:
|
|
accessID:
|
|
description: the Akeyless Kubernetes auth-method access-id
|
|
type: string
|
|
k8sConfName:
|
|
description: Kubernetes-auth configuration name in
|
|
Akeyless-Gateway
|
|
type: string
|
|
secretRef:
|
|
description: Optional secret field containing a Kubernetes
|
|
ServiceAccount JWT used for authenticating with
|
|
Akeyless. If a name is specified without a key,
|
|
`token` is the default. If one is not specified,
|
|
the one bound to the controller will be used.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others it
|
|
may be required.
|
|
type: string
|
|
name:
|
|
description: The name of the Secret resource being
|
|
referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being referred
|
|
to. Ignored if referent is not cluster-scoped.
|
|
cluster-scoped defaults to the namespace of
|
|
the referent.
|
|
type: string
|
|
type: object
|
|
serviceAccountRef:
|
|
description: Optional service account field containing
|
|
the name of a kubernetes ServiceAccount. If the
|
|
service account is specified, the service account
|
|
secret token JWT will be used for authenticating
|
|
with Akeyless. If the service account selector is
|
|
not supplied, the secretRef will be used instead.
|
|
properties:
|
|
audiences:
|
|
description: Audience specifies the `aud` claim
|
|
for the service account token If the service
|
|
account uses a well-known annotation for e.g.
|
|
IRSA or GCP Workload Identity then this audiences
|
|
will be appended to the list
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: The name of the ServiceAccount resource
|
|
being referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being referred
|
|
to. Ignored if referent is not cluster-scoped.
|
|
cluster-scoped defaults to the namespace of
|
|
the referent.
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
required:
|
|
- accessID
|
|
- k8sConfName
|
|
type: object
|
|
secretRef:
|
|
description: Reference to a Secret that contains the details
|
|
to authenticate with Akeyless.
|
|
properties:
|
|
accessID:
|
|
description: The SecretAccessID is used for authentication
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others it
|
|
may be required.
|
|
type: string
|
|
name:
|
|
description: The name of the Secret resource being
|
|
referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being referred
|
|
to. Ignored if referent is not cluster-scoped.
|
|
cluster-scoped defaults to the namespace of
|
|
the referent.
|
|
type: string
|
|
type: object
|
|
accessType:
|
|
description: A reference to a specific 'key' within
|
|
a Secret resource, In some instances, `key` is a
|
|
required field.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others it
|
|
may be required.
|
|
type: string
|
|
name:
|
|
description: The name of the Secret resource being
|
|
referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being referred
|
|
to. Ignored if referent is not cluster-scoped.
|
|
cluster-scoped defaults to the namespace of
|
|
the referent.
|
|
type: string
|
|
type: object
|
|
accessTypeParam:
|
|
description: A reference to a specific 'key' within
|
|
a Secret resource, In some instances, `key` is a
|
|
required field.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others it
|
|
may be required.
|
|
type: string
|
|
name:
|
|
description: The name of the Secret resource being
|
|
referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being referred
|
|
to. Ignored if referent is not cluster-scoped.
|
|
cluster-scoped defaults to the namespace of
|
|
the referent.
|
|
type: string
|
|
type: object
|
|
type: object
|
|
type: object
|
|
caBundle:
|
|
description: PEM/base64 encoded CA bundle used to validate
|
|
Akeyless Gateway certificate. Only used if the AkeylessGWApiURL
|
|
URL is using HTTPS protocol. If not set the system root
|
|
certificates are used to validate the TLS connection.
|
|
format: byte
|
|
type: string
|
|
caProvider:
|
|
description: The provider for the CA bundle to use to validate
|
|
Akeyless Gateway certificate.
|
|
properties:
|
|
key:
|
|
description: The key the value inside of the provider
|
|
type to use, only used with "Secret" type
|
|
type: string
|
|
name:
|
|
description: The name of the object located at the provider
|
|
type.
|
|
type: string
|
|
namespace:
|
|
description: The namespace the Provider type is in.
|
|
type: string
|
|
type:
|
|
description: The type of provider to use such as "Secret",
|
|
or "ConfigMap".
|
|
enum:
|
|
- Secret
|
|
- ConfigMap
|
|
type: string
|
|
required:
|
|
- name
|
|
- type
|
|
type: object
|
|
required:
|
|
- akeylessGWApiURL
|
|
- authSecretRef
|
|
type: object
|
|
alibaba:
|
|
description: Alibaba configures this store to sync secrets using
|
|
Alibaba Cloud provider
|
|
properties:
|
|
auth:
|
|
description: AlibabaAuth contains a secretRef for credentials.
|
|
properties:
|
|
rrsa:
|
|
description: Authenticate against Alibaba using RRSA.
|
|
properties:
|
|
oidcProviderArn:
|
|
type: string
|
|
oidcTokenFilePath:
|
|
type: string
|
|
roleArn:
|
|
type: string
|
|
sessionName:
|
|
type: string
|
|
required:
|
|
- oidcProviderArn
|
|
- oidcTokenFilePath
|
|
- roleArn
|
|
- sessionName
|
|
type: object
|
|
secretRef:
|
|
description: AlibabaAuthSecretRef holds secret references
|
|
for Alibaba credentials.
|
|
properties:
|
|
accessKeyIDSecretRef:
|
|
description: The AccessKeyID is used for authentication
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others it
|
|
may be required.
|
|
type: string
|
|
name:
|
|
description: The name of the Secret resource being
|
|
referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being referred
|
|
to. Ignored if referent is not cluster-scoped.
|
|
cluster-scoped defaults to the namespace of
|
|
the referent.
|
|
type: string
|
|
type: object
|
|
accessKeySecretSecretRef:
|
|
description: The AccessKeySecret is used for authentication
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others it
|
|
may be required.
|
|
type: string
|
|
name:
|
|
description: The name of the Secret resource being
|
|
referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being referred
|
|
to. Ignored if referent is not cluster-scoped.
|
|
cluster-scoped defaults to the namespace of
|
|
the referent.
|
|
type: string
|
|
type: object
|
|
required:
|
|
- accessKeyIDSecretRef
|
|
- accessKeySecretSecretRef
|
|
type: object
|
|
type: object
|
|
regionID:
|
|
description: Alibaba Region to be used for the provider
|
|
type: string
|
|
required:
|
|
- auth
|
|
- regionID
|
|
type: object
|
|
aws:
|
|
description: AWS configures this store to sync secrets using AWS
|
|
Secret Manager provider
|
|
properties:
|
|
auth:
|
|
description: 'Auth defines the information necessary to authenticate
against AWS. If not set, the AWS SDK infers credentials from the
environment the ESO controller runs in, so the store then operates with
the controller identity rather than store-specific credentials; see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
|
|
properties:
|
|
jwt:
|
|
description: Authenticate against AWS using service account
|
|
tokens.
|
|
properties:
|
|
serviceAccountRef:
|
|
description: A reference to a ServiceAccount resource.
|
|
properties:
|
|
audiences:
|
|
description: Audience specifies the `aud` claim
|
|
for the service account token If the service
|
|
account uses a well-known annotation for e.g.
|
|
IRSA or GCP Workload Identity then this audiences
|
|
will be appended to the list
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: The name of the ServiceAccount resource
|
|
being referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being referred
|
|
to. Ignored if referent is not cluster-scoped.
|
|
cluster-scoped defaults to the namespace of
|
|
the referent.
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
type: object
|
|
secretRef:
|
|
description: AWSAuthSecretRef holds secret references
|
|
for AWS credentials both AccessKeyID and SecretAccessKey
|
|
must be defined in order to properly authenticate.
|
|
properties:
|
|
accessKeyIDSecretRef:
|
|
description: The AccessKeyID is used for authentication
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others it
|
|
may be required.
|
|
type: string
|
|
name:
|
|
description: The name of the Secret resource being
|
|
referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being referred
|
|
to. Ignored if referent is not cluster-scoped.
|
|
cluster-scoped defaults to the namespace of
|
|
the referent.
|
|
type: string
|
|
type: object
|
|
secretAccessKeySecretRef:
|
|
description: The SecretAccessKey is used for authentication
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others it
|
|
may be required.
|
|
type: string
|
|
name:
|
|
description: The name of the Secret resource being
|
|
referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being referred
|
|
to. Ignored if referent is not cluster-scoped.
|
|
cluster-scoped defaults to the namespace of
|
|
the referent.
|
|
type: string
|
|
type: object
|
|
type: object
|
|
type: object
|
|
region:
|
|
description: AWS Region to be used for the provider
|
|
type: string
|
|
role:
|
|
description: Role is a Role ARN which the SecretManager provider
|
|
will assume
|
|
type: string
|
|
service:
|
|
description: Service defines which service should be used
|
|
to fetch the secrets
|
|
enum:
|
|
- SecretsManager
|
|
- ParameterStore
|
|
type: string
|
|
required:
|
|
- region
|
|
- service
|
|
type: object
|
|
azurekv:
|
|
description: AzureKV configures this store to sync secrets using
|
|
Azure Key Vault provider
|
|
properties:
|
|
authSecretRef:
|
|
description: Auth configures how the operator authenticates
|
|
with Azure. Required for ServicePrincipal auth type.
|
|
properties:
|
|
clientId:
|
|
description: The Azure clientId of the service principal
used for authentication.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret resource's
|
|
`data` field to be used. Some instances of this
|
|
field may be defaulted, in others it may be required.
|
|
type: string
|
|
name:
|
|
description: The name of the Secret resource being
|
|
referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being referred
|
|
to. Ignored if referent is not cluster-scoped. cluster-scoped
|
|
defaults to the namespace of the referent.
|
|
type: string
|
|
type: object
|
|
clientSecret:
|
|
description: The Azure ClientSecret of the service principal
used for authentication.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret resource's
|
|
`data` field to be used. Some instances of this
|
|
field may be defaulted, in others it may be required.
|
|
type: string
|
|
name:
|
|
description: The name of the Secret resource being
|
|
referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being referred
|
|
to. Ignored if referent is not cluster-scoped. cluster-scoped
|
|
defaults to the namespace of the referent.
|
|
type: string
|
|
type: object
|
|
type: object
|
|
authType:
|
|
default: ServicePrincipal
|
|
description: 'Auth type defines how to authenticate to the
keyvault service. Valid values are: - "ServicePrincipal"
(default): Using a service principal (tenantId, clientId,
clientSecret) - "ManagedIdentity": Using Managed Identity
assigned to the pod (see aad-pod-identity) - "WorkloadIdentity":
Using the Kubernetes ServiceAccount token referenced by
serviceAccountRef'
|
|
enum:
|
|
- ServicePrincipal
|
|
- ManagedIdentity
|
|
- WorkloadIdentity
|
|
type: string
|
|
identityId:
|
|
description: If multiple Managed Identities are assigned to the
pod, identityId selects the one to be used
|
|
type: string
|
|
serviceAccountRef:
|
|
description: ServiceAccountRef specifies the service account
that should be used when authenticating with WorkloadIdentity.
|
|
properties:
|
|
audiences:
|
|
description: Audience specifies the `aud` claim for the
|
|
service account token If the service account uses a
|
|
well-known annotation for e.g. IRSA or GCP Workload
|
|
Identity then this audiences will be appended to the
|
|
list
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: The name of the ServiceAccount resource being
|
|
referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being referred
|
|
to. Ignored if referent is not cluster-scoped. cluster-scoped
|
|
defaults to the namespace of the referent.
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
tenantId:
|
|
description: TenantID configures the Azure Tenant to send
|
|
requests to. Required for ServicePrincipal auth type.
|
|
type: string
|
|
vaultUrl:
|
|
description: Vault Url from which the secrets to be fetched
|
|
from.
|
|
type: string
|
|
required:
|
|
- vaultUrl
|
|
type: object
|
|
fake:
|
|
description: Fake configures a store with static key/value pairs
|
|
properties:
|
|
data:
|
|
items:
|
|
properties:
|
|
key:
|
|
type: string
|
|
value:
|
|
type: string
|
|
valueMap:
|
|
additionalProperties:
|
|
type: string
|
|
type: object
|
|
version:
|
|
type: string
|
|
required:
|
|
- key
|
|
type: object
|
|
type: array
|
|
required:
|
|
- data
|
|
type: object
|
|
gcpsm:
|
|
description: GCPSM configures this store to sync secrets using
|
|
Google Cloud Platform Secret Manager provider
|
|
properties:
|
|
auth:
|
|
description: Auth defines the information necessary to authenticate
|
|
against GCP
|
|
properties:
|
|
secretRef:
|
|
properties:
|
|
secretAccessKeySecretRef:
|
|
description: The SecretAccessKey is used for authentication
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others it
|
|
may be required.
|
|
type: string
|
|
name:
|
|
description: The name of the Secret resource being
|
|
referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being referred
|
|
to. Ignored if referent is not cluster-scoped.
|
|
cluster-scoped defaults to the namespace of
|
|
the referent.
|
|
type: string
|
|
type: object
|
|
type: object
|
|
workloadIdentity:
|
|
properties:
|
|
clusterLocation:
|
|
type: string
|
|
clusterName:
|
|
type: string
|
|
clusterProjectID:
|
|
type: string
|
|
serviceAccountRef:
|
|
description: A reference to a ServiceAccount resource.
|
|
properties:
|
|
audiences:
|
|
description: Audience specifies the `aud` claim
|
|
for the service account token If the service
|
|
account uses a well-known annotation for e.g.
|
|
IRSA or GCP Workload Identity then this audiences
|
|
will be appended to the list
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: The name of the ServiceAccount resource
|
|
being referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being referred
|
|
to. Ignored if referent is not cluster-scoped.
|
|
cluster-scoped defaults to the namespace of
|
|
the referent.
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
required:
|
|
- clusterLocation
|
|
- clusterName
|
|
- serviceAccountRef
|
|
type: object
|
|
type: object
|
|
projectID:
|
|
description: ProjectID is the GCP project where the secret is located
|
|
type: string
|
|
type: object
|
|
gitlab:
|
|
description: GitLab configures this store to sync secrets using
|
|
GitLab Variables provider
|
|
properties:
|
|
auth:
|
|
description: Auth configures how secret-manager authenticates
|
|
with a GitLab instance.
|
|
properties:
|
|
SecretRef:
|
|
properties:
|
|
accessToken:
|
|
description: AccessToken is used for authentication.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others it
|
|
may be required.
|
|
type: string
|
|
name:
|
|
description: The name of the Secret resource being
|
|
referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being referred
|
|
to. Ignored if referent is not cluster-scoped.
|
|
cluster-scoped defaults to the namespace of
|
|
the referent.
|
|
type: string
|
|
type: object
|
|
type: object
|
|
required:
|
|
- SecretRef
|
|
type: object
|
|
projectID:
|
|
description: ProjectID specifies a project where secrets are
|
|
located.
|
|
type: string
|
|
url:
|
|
description: URL configures the GitLab instance URL. Defaults
|
|
to https://gitlab.com/.
|
|
type: string
|
|
required:
|
|
- auth
|
|
type: object
|
|
ibm:
|
|
description: IBM configures this store to sync secrets using IBM
|
|
Cloud provider
|
|
properties:
|
|
auth:
|
|
description: Auth configures how secret-manager authenticates
|
|
with the IBM secrets manager.
|
|
properties:
|
|
secretRef:
|
|
properties:
|
|
secretApiKeySecretRef:
|
|
description: The SecretAccessKey is used for authentication
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others it
|
|
may be required.
|
|
type: string
|
|
name:
|
|
description: The name of the Secret resource being
|
|
referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being referred
|
|
to. Ignored if referent is not cluster-scoped.
|
|
cluster-scoped defaults to the namespace of
|
|
the referent.
|
|
type: string
|
|
type: object
|
|
type: object
|
|
required:
|
|
- secretRef
|
|
type: object
|
|
serviceUrl:
|
|
description: ServiceURL is the Endpoint URL that is specific
|
|
to the Secrets Manager service instance
|
|
type: string
|
|
required:
|
|
- auth
|
|
type: object
|
|
kubernetes:
|
|
description: Kubernetes configures this store to sync secrets
|
|
using a Kubernetes cluster provider
|
|
properties:
|
|
auth:
|
|
description: Auth configures how secret-manager authenticates
|
|
with a Kubernetes instance.
|
|
maxProperties: 1
|
|
minProperties: 1
|
|
properties:
|
|
cert:
|
|
description: Cert authenticates with the Kubernetes server using a
client certificate (clientCert) and private key (clientKey), each
referenced as a secretKeySelector
|
|
properties:
|
|
clientCert:
|
|
description: A reference to a specific 'key' within
|
|
a Secret resource, In some instances, `key` is a
|
|
required field.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others it
|
|
may be required.
|
|
type: string
|
|
name:
|
|
description: The name of the Secret resource being
|
|
referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being referred
|
|
to. Ignored if referent is not cluster-scoped.
|
|
cluster-scoped defaults to the namespace of
|
|
the referent.
|
|
type: string
|
|
type: object
|
|
clientKey:
|
|
description: A reference to a specific 'key' within
|
|
a Secret resource, In some instances, `key` is a
|
|
required field.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others it
|
|
may be required.
|
|
type: string
|
|
name:
|
|
description: The name of the Secret resource being
|
|
referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being referred
|
|
to. Ignored if referent is not cluster-scoped.
|
|
cluster-scoped defaults to the namespace of
|
|
the referent.
|
|
type: string
|
|
type: object
|
|
type: object
|
|
serviceAccount:
|
|
description: points to a service account that should be
|
|
used for authentication
|
|
properties:
|
|
serviceAccount:
|
|
description: A reference to a ServiceAccount resource.
|
|
properties:
|
|
audiences:
|
|
description: Audience specifies the `aud` claim
|
|
for the service account token If the service
|
|
account uses a well-known annotation for e.g.
|
|
IRSA or GCP Workload Identity then this audiences
|
|
will be appended to the list
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: The name of the ServiceAccount resource
|
|
being referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being referred
|
|
to. Ignored if referent is not cluster-scoped.
|
|
cluster-scoped defaults to the namespace of
|
|
the referent.
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
type: object
|
|
token:
|
|
description: Token authenticates with the Kubernetes server using a
static bearer token stored in the Secret referenced by bearerToken
|
|
properties:
|
|
bearerToken:
|
|
description: A reference to a specific 'key' within
|
|
a Secret resource, In some instances, `key` is a
|
|
required field.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others it
|
|
may be required.
|
|
type: string
|
|
name:
|
|
description: The name of the Secret resource being
|
|
referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being referred
|
|
to. Ignored if referent is not cluster-scoped.
|
|
cluster-scoped defaults to the namespace of
|
|
the referent.
|
|
type: string
|
|
type: object
|
|
type: object
|
|
type: object
|
|
remoteNamespace:
|
|
default: default
|
|
description: Remote namespace to fetch the secrets from
|
|
type: string
|
|
server:
|
|
description: configures the Kubernetes server Address.
|
|
properties:
|
|
caBundle:
|
|
description: CABundle is a base64-encoded CA certificate used to
validate the TLS certificate of the Kubernetes server configured in url
|
|
format: byte
|
|
type: string
|
|
caProvider:
|
|
description: 'CAProvider selects a Secret or ConfigMap holding the CA
bundle used to validate the Kubernetes server certificate; see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
|
|
properties:
|
|
key:
|
|
description: The key the value inside of the provider
|
|
type to use, only used with "Secret" type
|
|
type: string
|
|
name:
|
|
description: The name of the object located at the
|
|
provider type.
|
|
type: string
|
|
namespace:
|
|
description: The namespace the Provider type is in.
|
|
type: string
|
|
type:
|
|
description: The type of provider to use such as "Secret",
|
|
or "ConfigMap".
|
|
enum:
|
|
- Secret
|
|
- ConfigMap
|
|
type: string
|
|
required:
|
|
- name
|
|
- type
|
|
type: object
|
|
url:
|
|
default: kubernetes.default
|
|
description: configures the Kubernetes server Address.
|
|
type: string
|
|
type: object
|
|
required:
|
|
- auth
|
|
type: object
|
|
oracle:
|
|
description: Oracle configures this store to sync secrets using
|
|
Oracle Vault provider
|
|
properties:
|
|
auth:
|
|
description: Auth configures how secret-manager authenticates
|
|
with the Oracle Vault. If empty, instance principal is used.
|
|
Optionally, the authenticating principal type and/or user
|
|
data may be supplied for the use of workload identity and
|
|
user principal.
|
|
properties:
|
|
secretRef:
|
|
description: SecretRef to pass through sensitive information.
|
|
properties:
|
|
fingerprint:
|
|
description: Fingerprint is the fingerprint of the
|
|
API private key.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others it
|
|
may be required.
|
|
type: string
|
|
name:
|
|
description: The name of the Secret resource being
|
|
referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being referred
|
|
to. Ignored if referent is not cluster-scoped.
|
|
cluster-scoped defaults to the namespace of
|
|
the referent.
|
|
type: string
|
|
type: object
|
|
privatekey:
|
|
description: PrivateKey is the user's API Signing
|
|
Key in PEM format, used for authentication.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others it
|
|
may be required.
|
|
type: string
|
|
name:
|
|
description: The name of the Secret resource being
|
|
referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being referred
|
|
to. Ignored if referent is not cluster-scoped.
|
|
cluster-scoped defaults to the namespace of
|
|
the referent.
|
|
type: string
|
|
type: object
|
|
required:
|
|
- fingerprint
|
|
- privatekey
|
|
type: object
|
|
tenancy:
|
|
description: Tenancy is the tenancy OCID where user is
|
|
located.
|
|
type: string
|
|
user:
|
|
description: User is an access OCID specific to the account.
|
|
type: string
|
|
required:
|
|
- secretRef
|
|
- tenancy
|
|
- user
|
|
type: object
|
|
compartment:
|
|
description: Compartment is the vault compartment OCID. Required
|
|
for PushSecret
|
|
type: string
|
|
encryptionKey:
|
|
description: EncryptionKey is the OCID of the encryption key
|
|
within the vault. Required for PushSecret
|
|
type: string
|
|
principalType:
|
|
description: The type of principal to use for authentication.
|
|
If left blank, the Auth struct will determine the principal
|
|
type. This optional field must be specified if using workload
|
|
identity.
|
|
enum:
|
|
- ""
|
|
- UserPrincipal
|
|
- InstancePrincipal
|
|
- Workload
|
|
type: string
|
|
region:
|
|
description: Region is the region where vault is located.
|
|
type: string
|
|
serviceAccountRef:
|
|
description: ServiceAccountRef specifies the service account
that should be used when authenticating with WorkloadIdentity.
|
|
properties:
|
|
audiences:
|
|
description: Audience specifies the `aud` claim for the
|
|
service account token If the service account uses a
|
|
well-known annotation for e.g. IRSA or GCP Workload
|
|
Identity then this audiences will be appended to the
|
|
list
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: The name of the ServiceAccount resource being
|
|
referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being referred
|
|
to. Ignored if referent is not cluster-scoped. cluster-scoped
|
|
defaults to the namespace of the referent.
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
vault:
|
|
description: Vault is the vault's OCID of the specific vault
|
|
where secret is located.
|
|
type: string
|
|
required:
|
|
- region
|
|
- vault
|
|
type: object
|
|
vault:
|
|
description: Vault configures this store to sync secrets using
|
|
Hashi provider
|
|
properties:
|
|
auth:
|
|
description: Auth configures how secret-manager authenticates
|
|
with the Vault server.
|
|
properties:
|
|
appRole:
|
|
description: AppRole authenticates with Vault using the
|
|
App Role auth mechanism, with the role and secret stored
|
|
in a Kubernetes Secret resource.
|
|
properties:
|
|
path:
|
|
default: approle
|
|
description: 'Path where the App Role authentication
|
|
backend is mounted in Vault, e.g: "approle"'
|
|
type: string
|
|
roleId:
|
|
description: RoleID configured in the App Role authentication
|
|
backend when setting up the authentication backend
|
|
in Vault.
|
|
type: string
|
|
secretRef:
|
|
description: Reference to a key in a Secret that contains
|
|
the App Role secret used to authenticate with Vault.
|
|
The `key` field must be specified and denotes which
|
|
entry within the Secret resource is used as the
|
|
app role secret.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others it
|
|
may be required.
|
|
type: string
|
|
name:
|
|
description: The name of the Secret resource being
|
|
referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being referred
|
|
to. Ignored if referent is not cluster-scoped.
|
|
cluster-scoped defaults to the namespace of
|
|
the referent.
|
|
type: string
|
|
type: object
|
|
required:
|
|
- path
|
|
- roleId
|
|
- secretRef
|
|
type: object
|
|
cert:
|
|
description: Cert authenticates with Vault using the Cert
authentication method, by presenting the client certificate in
clientCert together with the matching private key in secretRef
(mutual TLS)
|
|
properties:
|
|
clientCert:
|
|
description: ClientCert is a certificate to authenticate
|
|
using the Cert Vault authentication method
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others it
|
|
may be required.
|
|
type: string
|
|
name:
|
|
description: The name of the Secret resource being
|
|
referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being referred
|
|
to. Ignored if referent is not cluster-scoped.
|
|
cluster-scoped defaults to the namespace of
|
|
the referent.
|
|
type: string
|
|
type: object
|
|
secretRef:
|
|
description: SecretRef to a key in a Secret resource
|
|
containing client private key to authenticate with
|
|
Vault using the Cert authentication method
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others it
|
|
may be required.
|
|
type: string
|
|
name:
|
|
description: The name of the Secret resource being
|
|
referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being referred
|
|
to. Ignored if referent is not cluster-scoped.
|
|
cluster-scoped defaults to the namespace of
|
|
the referent.
|
|
type: string
|
|
type: object
|
|
type: object
|
|
jwt:
|
|
description: Jwt authenticates with Vault by passing role
|
|
and JWT token using the JWT/OIDC authentication method
|
|
properties:
|
|
kubernetesServiceAccountToken:
|
|
description: Optional ServiceAccountToken specifies
|
|
the Kubernetes service account for which to request
|
|
a token for with the `TokenRequest` API.
|
|
properties:
|
|
audiences:
|
|
description: Optional audiences field that will
|
|
be used to request a temporary Kubernetes service
|
|
account token for the service account referenced
|
|
by `serviceAccountRef`. Defaults to a single
|
|
audience `vault` it not specified.
|
|
items:
|
|
type: string
|
|
type: array
|
|
expirationSeconds:
|
|
description: Optional expiration time in seconds
|
|
that will be used to request a temporary Kubernetes
|
|
service account token for the service account
|
|
referenced by `serviceAccountRef`. Defaults
|
|
to 10 minutes.
|
|
format: int64
|
|
type: integer
|
|
serviceAccountRef:
|
|
description: Service account field containing
|
|
the name of a kubernetes ServiceAccount.
|
|
properties:
|
|
audiences:
|
|
description: Audience specifies the `aud`
|
|
claim for the service account token If the
|
|
service account uses a well-known annotation
|
|
for e.g. IRSA or GCP Workload Identity then
|
|
this audiences will be appended to the list
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: The name of the ServiceAccount
|
|
resource being referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being
|
|
referred to. Ignored if referent is not
|
|
cluster-scoped. cluster-scoped defaults
|
|
to the namespace of the referent.
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
required:
|
|
- serviceAccountRef
|
|
type: object
|
|
path:
|
|
default: jwt
|
|
description: 'Path where the JWT authentication backend
|
|
is mounted in Vault, e.g: "jwt"'
|
|
type: string
|
|
role:
|
|
description: Role is a JWT role to authenticate using
|
|
the JWT/OIDC Vault authentication method
|
|
type: string
|
|
secretRef:
|
|
description: Optional SecretRef that refers to a key
|
|
in a Secret resource containing JWT token to authenticate
|
|
with Vault using the JWT/OIDC authentication method.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others it
|
|
may be required.
|
|
type: string
|
|
name:
|
|
description: The name of the Secret resource being
|
|
referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being referred
|
|
to. Ignored if referent is not cluster-scoped.
|
|
cluster-scoped defaults to the namespace of
|
|
the referent.
|
|
type: string
|
|
type: object
|
|
required:
|
|
- path
|
|
type: object
|
|
kubernetes:
|
|
description: Kubernetes authenticates with Vault by passing
|
|
the ServiceAccount token stored in the named Secret
|
|
resource to the Vault server.
|
|
properties:
|
|
mountPath:
|
|
default: kubernetes
|
|
description: 'Path where the Kubernetes authentication
|
|
backend is mounted in Vault, e.g: "kubernetes"'
|
|
type: string
|
|
role:
|
|
description: A required field containing the Vault
|
|
Role to assume. A Role binds a Kubernetes ServiceAccount
|
|
with a set of Vault policies.
|
|
type: string
|
|
secretRef:
|
|
description: Optional secret field containing a Kubernetes
|
|
ServiceAccount JWT used for authenticating with
|
|
Vault. If a name is specified without a key, `token`
|
|
is the default. If one is not specified, the one
|
|
bound to the controller will be used.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others it
|
|
may be required.
|
|
type: string
|
|
name:
|
|
description: The name of the Secret resource being
|
|
referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being referred
|
|
to. Ignored if referent is not cluster-scoped.
|
|
cluster-scoped defaults to the namespace of
|
|
the referent.
|
|
type: string
|
|
type: object
|
|
serviceAccountRef:
|
|
description: Optional service account field containing
|
|
the name of a kubernetes ServiceAccount. If the
|
|
service account is specified, the service account
|
|
secret token JWT will be used for authenticating
|
|
with Vault. If the service account selector is not
|
|
supplied, the secretRef will be used instead.
|
|
properties:
|
|
audiences:
|
|
description: Audience specifies the `aud` claim
|
|
for the service account token If the service
|
|
account uses a well-known annotation for e.g.
|
|
IRSA or GCP Workload Identity then this audiences
|
|
will be appended to the list
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: The name of the ServiceAccount resource
|
|
being referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being referred
|
|
to. Ignored if referent is not cluster-scoped.
|
|
cluster-scoped defaults to the namespace of
|
|
the referent.
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
required:
|
|
- mountPath
|
|
- role
|
|
type: object
|
|
ldap:
|
|
description: Ldap authenticates with Vault by passing
|
|
username/password pair using the LDAP authentication
|
|
method
|
|
properties:
|
|
path:
|
|
default: ldap
|
|
description: 'Path where the LDAP authentication backend
|
|
is mounted in Vault, e.g: "ldap"'
|
|
type: string
|
|
secretRef:
|
|
description: SecretRef to a key in a Secret resource
|
|
containing password for the LDAP user used to authenticate
|
|
with Vault using the LDAP authentication method
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others it
|
|
may be required.
|
|
type: string
|
|
name:
|
|
description: The name of the Secret resource being
|
|
referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being referred
|
|
to. Ignored if referent is not cluster-scoped.
|
|
cluster-scoped defaults to the namespace of
|
|
the referent.
|
|
type: string
|
|
type: object
|
|
username:
|
|
description: Username is a LDAP user name used to
|
|
authenticate using the LDAP Vault authentication
|
|
method
|
|
type: string
|
|
required:
|
|
- path
|
|
- username
|
|
type: object
|
|
tokenSecretRef:
|
|
description: TokenSecretRef authenticates with Vault by
|
|
presenting a token.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret resource's
|
|
`data` field to be used. Some instances of this
|
|
field may be defaulted, in others it may be required.
|
|
type: string
|
|
name:
|
|
description: The name of the Secret resource being
|
|
referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being referred
|
|
to. Ignored if referent is not cluster-scoped. cluster-scoped
|
|
defaults to the namespace of the referent.
|
|
type: string
|
|
type: object
|
|
type: object
|
|
caBundle:
|
|
description: PEM encoded CA bundle used to validate Vault
|
|
server certificate. Only used if the Server URL is using
|
|
HTTPS protocol. This parameter is ignored for plain HTTP
|
|
protocol connection. If not set the system root certificates
|
|
are used to validate the TLS connection.
|
|
format: byte
|
|
type: string
|
|
caProvider:
|
|
description: The provider for the CA bundle to use to validate
|
|
Vault server certificate.
|
|
properties:
|
|
key:
|
|
description: The key the value inside of the provider
|
|
type to use, only used with "Secret" type
|
|
type: string
|
|
name:
|
|
description: The name of the object located at the provider
|
|
type.
|
|
type: string
|
|
namespace:
|
|
description: The namespace the Provider type is in.
|
|
type: string
|
|
type:
|
|
description: The type of provider to use such as "Secret",
|
|
or "ConfigMap".
|
|
enum:
|
|
- Secret
|
|
- ConfigMap
|
|
type: string
|
|
required:
|
|
- name
|
|
- type
|
|
type: object
|
|
forwardInconsistent:
|
|
description: ForwardInconsistent tells Vault to forward read-after-write
|
|
requests to the Vault leader instead of simply retrying
|
|
within a loop. This can increase performance if the option
|
|
is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
|
|
type: boolean
|
|
namespace:
|
|
description: 'Name of the vault namespace. Namespaces is a
|
|
set of features within Vault Enterprise that allows Vault
|
|
environments to support Secure Multi-tenancy. e.g: "ns1".
|
|
More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
|
|
type: string
|
|
path:
|
|
description: 'Path is the mount path of the Vault KV backend
|
|
endpoint, e.g: "secret". The v2 KV secret engine version
|
|
specific "/data" path suffix for fetching secrets from Vault
|
|
is optional and will be appended if not present in specified
|
|
path.'
|
|
type: string
|
|
readYourWrites:
|
|
description: ReadYourWrites ensures isolated read-after-write
|
|
semantics by providing discovered cluster replication states
|
|
in each request. More information about eventual consistency
|
|
in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency
|
|
type: boolean
|
|
server:
|
|
description: 'Server is the connection address for the Vault
|
|
server, e.g: "https://vault.example.com:8200".'
|
|
type: string
|
|
version:
|
|
default: v2
|
|
description: Version is the Vault KV secret engine version.
|
|
This can be either "v1" or "v2". Version defaults to "v2".
|
|
enum:
|
|
- v1
|
|
- v2
|
|
type: string
|
|
required:
|
|
- auth
|
|
- server
|
|
type: object
|
|
webhook:
|
|
description: Webhook configures this store to sync secrets using
|
|
a generic templated webhook
|
|
properties:
|
|
body:
|
|
description: Body
|
|
type: string
|
|
caBundle:
|
|
description: PEM encoded CA bundle used to validate webhook
|
|
server certificate. Only used if the Server URL is using
|
|
HTTPS protocol. This parameter is ignored for plain HTTP
|
|
protocol connection. If not set the system root certificates
|
|
are used to validate the TLS connection.
|
|
format: byte
|
|
type: string
|
|
caProvider:
|
|
description: The provider for the CA bundle to use to validate
|
|
webhook server certificate.
|
|
properties:
|
|
key:
|
|
description: The key the value inside of the provider
|
|
type to use, only used with "Secret" type
|
|
type: string
|
|
name:
|
|
description: The name of the object located at the provider
|
|
type.
|
|
type: string
|
|
namespace:
|
|
description: The namespace the Provider type is in.
|
|
type: string
|
|
type:
|
|
description: The type of provider to use such as "Secret",
|
|
or "ConfigMap".
|
|
enum:
|
|
- Secret
|
|
- ConfigMap
|
|
type: string
|
|
required:
|
|
- name
|
|
- type
|
|
type: object
|
|
headers:
|
|
additionalProperties:
|
|
type: string
|
|
description: Headers
|
|
type: object
|
|
method:
|
|
description: Webhook Method
|
|
type: string
|
|
result:
|
|
description: Result formatting
|
|
properties:
|
|
jsonPath:
|
|
description: Json path of return value
|
|
type: string
|
|
type: object
|
|
secrets:
|
|
description: Secrets to fill in templates These secrets will
|
|
be passed to the templating function as key value pairs
|
|
under the given name
|
|
items:
|
|
properties:
|
|
name:
|
|
description: Name of this secret in templates
|
|
type: string
|
|
secretRef:
|
|
description: Secret ref to fill in credentials
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others it may
|
|
be required.
|
|
type: string
|
|
name:
|
|
description: The name of the Secret resource being
|
|
referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being referred
|
|
to. Ignored if referent is not cluster-scoped.
|
|
cluster-scoped defaults to the namespace of the
|
|
referent.
|
|
type: string
|
|
type: object
|
|
required:
|
|
- name
|
|
- secretRef
|
|
type: object
|
|
type: array
|
|
timeout:
|
|
description: Timeout
|
|
type: string
|
|
url:
|
|
description: Webhook url to call
|
|
type: string
|
|
required:
|
|
- result
|
|
- url
|
|
type: object
|
|
yandexlockbox:
|
|
description: YandexLockbox configures this store to sync secrets
|
|
using Yandex Lockbox provider
|
|
properties:
|
|
apiEndpoint:
|
|
description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
|
|
type: string
|
|
auth:
|
|
description: Auth defines the information necessary to authenticate
|
|
against Yandex Lockbox
|
|
properties:
|
|
authorizedKeySecretRef:
|
|
description: The authorized key used for authentication
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret resource's
|
|
`data` field to be used. Some instances of this
|
|
field may be defaulted, in others it may be required.
|
|
type: string
|
|
name:
|
|
description: The name of the Secret resource being
|
|
referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being referred
|
|
to. Ignored if referent is not cluster-scoped. cluster-scoped
|
|
defaults to the namespace of the referent.
|
|
type: string
|
|
type: object
|
|
type: object
|
|
caProvider:
|
|
description: The provider for the CA bundle to use to validate
|
|
Yandex.Cloud server certificate.
|
|
properties:
|
|
certSecretRef:
|
|
description: A reference to a specific 'key' within a
|
|
Secret resource, In some instances, `key` is a required
|
|
field.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret resource's
|
|
`data` field to be used. Some instances of this
|
|
field may be defaulted, in others it may be required.
|
|
type: string
|
|
name:
|
|
description: The name of the Secret resource being
|
|
referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being referred
|
|
to. Ignored if referent is not cluster-scoped. cluster-scoped
|
|
defaults to the namespace of the referent.
|
|
type: string
|
|
type: object
|
|
type: object
|
|
required:
|
|
- auth
|
|
type: object
|
|
type: object
|
|
retrySettings:
|
|
description: Used to configure http retries if failed
|
|
properties:
|
|
maxRetries:
|
|
format: int32
|
|
type: integer
|
|
retryInterval:
|
|
type: string
|
|
type: object
|
|
required:
|
|
- provider
|
|
type: object
|
|
status:
|
|
description: SecretStoreStatus defines the observed state of the SecretStore.
|
|
properties:
|
|
conditions:
|
|
items:
|
|
properties:
|
|
lastTransitionTime:
|
|
format: date-time
|
|
type: string
|
|
message:
|
|
type: string
|
|
reason:
|
|
type: string
|
|
status:
|
|
type: string
|
|
type:
|
|
type: string
|
|
required:
|
|
- status
|
|
- type
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: object
|
|
served: true
|
|
storage: false
|
|
subresources:
|
|
status: {}
|
|
- additionalPrinterColumns:
|
|
- jsonPath: .metadata.creationTimestamp
|
|
name: AGE
|
|
type: date
|
|
- jsonPath: .status.conditions[?(@.type=="Ready")].reason
|
|
name: Status
|
|
type: string
|
|
- jsonPath: .status.capabilities
|
|
name: Capabilities
|
|
type: string
|
|
- jsonPath: .status.conditions[?(@.type=="Ready")].status
|
|
name: Ready
|
|
type: string
|
|
name: v1beta1
|
|
schema:
|
|
openAPIV3Schema:
|
|
description: SecretStore represents a secure external location for storing
|
|
secrets, which can be referenced as part of `storeRef` fields.
|
|
properties:
|
|
apiVersion:
|
|
description: 'APIVersion defines the versioned schema of this representation
|
|
of an object. Servers should convert recognized schemas to the latest
|
|
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
|
type: string
|
|
kind:
|
|
description: 'Kind is a string value representing the REST resource this
|
|
object represents. Servers may infer this from the endpoint the client
|
|
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
|
type: string
|
|
metadata:
|
|
type: object
|
|
spec:
|
|
description: SecretStoreSpec defines the desired state of SecretStore.
|
|
properties:
|
|
conditions:
|
|
description: Used to constraint a ClusterSecretStore to specific namespaces.
|
|
Relevant only to ClusterSecretStore
|
|
items:
|
|
description: ClusterSecretStoreCondition describes a condition by
|
|
which to choose namespaces to process ExternalSecrets in for a
|
|
ClusterSecretStore instance.
|
|
properties:
|
|
namespaceSelector:
|
|
description: Choose namespace using a labelSelector
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label selector
|
|
requirements. The requirements are ANDed.
|
|
items:
|
|
description: A label selector requirement is a selector
|
|
that contains values, a key, and an operator that relates
|
|
the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the selector
|
|
applies to.
|
|
type: string
|
|
operator:
|
|
description: operator represents a key's relationship
|
|
to a set of values. Valid operators are In, NotIn,
|
|
Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array of string values.
|
|
If the operator is In or NotIn, the values array
|
|
must be non-empty. If the operator is Exists or
|
|
DoesNotExist, the values array must be empty. This
|
|
array is replaced during a strategic merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value} pairs.
|
|
A single {key,value} in the matchLabels map is equivalent
|
|
to an element of matchExpressions, whose key field is
|
|
"key", the operator is "In", and the values array contains
|
|
only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
description: Choose namespaces by name
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
type: array
|
|
controller:
|
|
description: 'Used to select the correct ESO controller (think: ingress.ingressClassName)
|
|
The ESO controller is instantiated with a specific controller name
|
|
and filters ES based on this property'
|
|
type: string
|
|
provider:
|
|
description: Used to configure the provider. Only one provider may
|
|
be set
|
|
maxProperties: 1
|
|
minProperties: 1
|
|
properties:
|
|
akeyless:
|
|
description: Akeyless configures this store to sync secrets using
|
|
Akeyless Vault provider
|
|
properties:
|
|
akeylessGWApiURL:
|
|
description: Akeyless GW API Url from which the secrets to
|
|
be fetched from.
|
|
type: string
|
|
authSecretRef:
|
|
description: Auth configures how the operator authenticates
|
|
with Akeyless.
|
|
properties:
|
|
kubernetesAuth:
|
|
description: Kubernetes authenticates with Akeyless by
|
|
passing the ServiceAccount token stored in the named
|
|
Secret resource.
|
|
properties:
|
|
accessID:
|
|
description: the Akeyless Kubernetes auth-method access-id
|
|
type: string
|
|
k8sConfName:
|
|
description: Kubernetes-auth configuration name in
|
|
Akeyless-Gateway
|
|
type: string
|
|
secretRef:
|
|
description: Optional secret field containing a Kubernetes
|
|
ServiceAccount JWT used for authenticating with
|
|
Akeyless. If a name is specified without a key,
|
|
`token` is the default. If one is not specified,
|
|
the one bound to the controller will be used.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others it
|
|
may be required.
|
|
type: string
|
|
name:
|
|
description: The name of the Secret resource being
|
|
referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being referred
|
|
to. Ignored if referent is not cluster-scoped.
|
|
cluster-scoped defaults to the namespace of
|
|
the referent.
|
|
type: string
|
|
type: object
|
|
serviceAccountRef:
|
|
description: Optional service account field containing
|
|
the name of a kubernetes ServiceAccount. If the
|
|
service account is specified, the service account
|
|
secret token JWT will be used for authenticating
|
|
with Akeyless. If the service account selector is
|
|
not supplied, the secretRef will be used instead.
|
|
properties:
|
|
audiences:
|
|
description: Audience specifies the `aud` claim
|
|
for the service account token If the service
|
|
account uses a well-known annotation for e.g.
|
|
IRSA or GCP Workload Identity then this audiences
|
|
will be appended to the list
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: The name of the ServiceAccount resource
|
|
being referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being referred
|
|
to. Ignored if referent is not cluster-scoped.
|
|
cluster-scoped defaults to the namespace of
|
|
the referent.
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
required:
|
|
- accessID
|
|
- k8sConfName
|
|
type: object
|
|
secretRef:
|
|
description: Reference to a Secret that contains the details
|
|
to authenticate with Akeyless.
|
|
properties:
|
|
accessID:
|
|
description: The SecretAccessID is used for authentication
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others it
|
|
may be required.
|
|
type: string
|
|
name:
|
|
description: The name of the Secret resource being
|
|
referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being referred
|
|
to. Ignored if referent is not cluster-scoped.
|
|
cluster-scoped defaults to the namespace of
|
|
the referent.
|
|
type: string
|
|
type: object
|
|
accessType:
|
|
description: A reference to a specific 'key' within
|
|
a Secret resource, In some instances, `key` is a
|
|
required field.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others it
|
|
may be required.
|
|
type: string
|
|
name:
|
|
description: The name of the Secret resource being
|
|
referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being referred
|
|
to. Ignored if referent is not cluster-scoped.
|
|
cluster-scoped defaults to the namespace of
|
|
the referent.
|
|
type: string
|
|
type: object
|
|
accessTypeParam:
|
|
description: A reference to a specific 'key' within
|
|
a Secret resource, In some instances, `key` is a
|
|
required field.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others it
|
|
may be required.
|
|
type: string
|
|
name:
|
|
description: The name of the Secret resource being
|
|
referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being referred
|
|
to. Ignored if referent is not cluster-scoped.
|
|
cluster-scoped defaults to the namespace of
|
|
the referent.
|
|
type: string
|
|
type: object
|
|
type: object
|
|
type: object
|
|
caBundle:
|
|
description: PEM/base64 encoded CA bundle used to validate
|
|
Akeyless Gateway certificate. Only used if the AkeylessGWApiURL
|
|
URL is using HTTPS protocol. If not set the system root
|
|
certificates are used to validate the TLS connection.
|
|
format: byte
|
|
type: string
|
|
caProvider:
|
|
description: The provider for the CA bundle to use to validate
|
|
Akeyless Gateway certificate.
|
|
properties:
|
|
key:
|
|
description: The key where the CA certificate can be found
|
|
in the Secret or ConfigMap.
|
|
type: string
|
|
name:
|
|
description: The name of the object located at the provider
|
|
type.
|
|
type: string
|
|
namespace:
|
|
description: The namespace the Provider type is in. Can
|
|
only be defined when used in a ClusterSecretStore.
|
|
type: string
|
|
type:
|
|
description: The type of provider to use such as "Secret",
|
|
or "ConfigMap".
|
|
enum:
|
|
- Secret
|
|
- ConfigMap
|
|
type: string
|
|
required:
|
|
- name
|
|
- type
|
|
type: object
|
|
required:
|
|
- akeylessGWApiURL
|
|
- authSecretRef
|
|
type: object
|
|
alibaba:
|
|
description: Alibaba configures this store to sync secrets using
|
|
Alibaba Cloud provider
|
|
properties:
|
|
auth:
|
|
description: AlibabaAuth contains a secretRef for credentials.
|
|
properties:
|
|
rrsa:
|
|
description: Authenticate against Alibaba using RRSA.
|
|
properties:
|
|
oidcProviderArn:
|
|
type: string
|
|
oidcTokenFilePath:
|
|
type: string
|
|
roleArn:
|
|
type: string
|
|
sessionName:
|
|
type: string
|
|
required:
|
|
- oidcProviderArn
|
|
- oidcTokenFilePath
|
|
- roleArn
|
|
- sessionName
|
|
type: object
|
|
secretRef:
|
|
description: AlibabaAuthSecretRef holds secret references
|
|
for Alibaba credentials.
|
|
properties:
|
|
accessKeyIDSecretRef:
|
|
description: The AccessKeyID is used for authentication
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others it
|
|
may be required.
|
|
type: string
|
|
name:
|
|
description: The name of the Secret resource being
|
|
referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being referred
|
|
to. Ignored if referent is not cluster-scoped.
|
|
cluster-scoped defaults to the namespace of
|
|
the referent.
|
|
type: string
|
|
type: object
|
|
accessKeySecretSecretRef:
|
|
description: The AccessKeySecret is used for authentication
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others it
|
|
may be required.
|
|
type: string
|
|
name:
|
|
description: The name of the Secret resource being
|
|
referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being referred
|
|
to. Ignored if referent is not cluster-scoped.
|
|
cluster-scoped defaults to the namespace of
|
|
the referent.
|
|
type: string
|
|
type: object
|
|
required:
|
|
- accessKeyIDSecretRef
|
|
- accessKeySecretSecretRef
|
|
type: object
|
|
type: object
|
|
regionID:
|
|
description: Alibaba Region to be used for the provider
|
|
type: string
|
|
required:
|
|
- auth
|
|
- regionID
|
|
type: object
|
|
aws:
|
|
description: AWS configures this store to sync secrets using AWS
|
|
Secret Manager provider
|
|
properties:
|
|
additionalRoles:
|
|
description: AdditionalRoles is a chained list of Role ARNs
|
|
which the provider will sequentially assume before assuming
|
|
the Role
|
|
items:
|
|
type: string
|
|
type: array
|
|
auth:
|
|
description: 'Auth defines the information necessary to authenticate
|
|
against AWS if not set aws sdk will infer credentials from
|
|
your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
|
|
properties:
|
|
jwt:
|
|
description: Authenticate against AWS using service account
|
|
tokens.
|
|
properties:
|
|
serviceAccountRef:
|
|
description: A reference to a ServiceAccount resource.
|
|
properties:
|
|
audiences:
|
|
description: Audience specifies the `aud` claim
|
|
for the service account token If the service
|
|
account uses a well-known annotation for e.g.
|
|
IRSA or GCP Workload Identity then this audiences
|
|
will be appended to the list
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: The name of the ServiceAccount resource
|
|
being referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being referred
|
|
to. Ignored if referent is not cluster-scoped.
|
|
cluster-scoped defaults to the namespace of
|
|
the referent.
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
type: object
|
|
secretRef:
|
|
description: AWSAuthSecretRef holds secret references
|
|
for AWS credentials both AccessKeyID and SecretAccessKey
|
|
must be defined in order to properly authenticate.
|
|
properties:
|
|
accessKeyIDSecretRef:
|
|
description: The AccessKeyID is used for authentication
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others it
|
|
may be required.
|
|
type: string
|
|
name:
|
|
description: The name of the Secret resource being
|
|
referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being referred
|
|
to. Ignored if referent is not cluster-scoped.
|
|
cluster-scoped defaults to the namespace of
|
|
the referent.
|
|
type: string
|
|
type: object
|
|
secretAccessKeySecretRef:
|
|
description: The SecretAccessKey is used for authentication
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others it
|
|
may be required.
|
|
type: string
|
|
name:
|
|
description: The name of the Secret resource being
|
|
referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being referred
|
|
to. Ignored if referent is not cluster-scoped.
|
|
cluster-scoped defaults to the namespace of
|
|
the referent.
|
|
type: string
|
|
type: object
|
|
sessionTokenSecretRef:
|
|
description: 'The SessionToken used for authentication
|
|
This must be defined if AccessKeyID and SecretAccessKey
|
|
are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html'
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others it
|
|
may be required.
|
|
type: string
|
|
name:
|
|
description: The name of the Secret resource being
|
|
referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being referred
|
|
to. Ignored if referent is not cluster-scoped.
|
|
cluster-scoped defaults to the namespace of
|
|
the referent.
|
|
type: string
|
|
type: object
|
|
type: object
|
|
type: object
|
|
externalID:
|
|
description: AWS External ID set on assumed IAM roles
|
|
type: string
|
|
region:
|
|
description: AWS Region to be used for the provider
|
|
type: string
|
|
role:
|
|
description: Role is a Role ARN which the provider will assume
|
|
type: string
|
|
secretsManager:
|
|
description: SecretsManager defines how the provider behaves
|
|
when interacting with AWS SecretsManager
|
|
properties:
|
|
forceDeleteWithoutRecovery:
|
|
description: 'Specifies whether to delete the secret without
|
|
any recovery window. You can''t use both this parameter
|
|
and RecoveryWindowInDays in the same call. If you don''t
|
|
use either, then by default Secrets Manager uses a 30
|
|
day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery'
|
|
type: boolean
|
|
recoveryWindowInDays:
|
|
description: 'The number of days from 7 to 30 that Secrets
|
|
Manager waits before permanently deleting the secret.
|
|
You can''t use both this parameter and ForceDeleteWithoutRecovery
|
|
in the same call. If you don''t use either, then by
|
|
default Secrets Manager uses a 30 day recovery window.
|
|
see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays'
|
|
format: int64
|
|
type: integer
|
|
type: object
|
|
service:
|
|
description: Service defines which service should be used
|
|
to fetch the secrets
|
|
enum:
|
|
- SecretsManager
|
|
- ParameterStore
|
|
type: string
|
|
sessionTags:
|
|
description: AWS STS assume role session tags
|
|
items:
|
|
properties:
|
|
key:
|
|
type: string
|
|
value:
|
|
type: string
|
|
required:
|
|
- key
|
|
- value
|
|
type: object
|
|
type: array
|
|
transitiveTagKeys:
|
|
description: AWS STS assume role transitive session tags.
|
|
Required when multiple rules are used with the provider
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- region
|
|
- service
|
|
type: object
|
|
azurekv:
|
|
description: AzureKV configures this store to sync secrets using
|
|
Azure Key Vault provider
|
|
properties:
|
|
authSecretRef:
|
|
description: Auth configures how the operator authenticates
|
|
with Azure. Required for ServicePrincipal auth type.
|
|
properties:
|
|
clientId:
|
|
                          description: The Azure clientId of the service principal
                            used for authentication.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret resource's
|
|
`data` field to be used. Some instances of this
|
|
field may be defaulted, in others it may be required.
|
|
type: string
|
|
name:
|
|
description: The name of the Secret resource being
|
|
referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being referred
|
|
to. Ignored if referent is not cluster-scoped. cluster-scoped
|
|
defaults to the namespace of the referent.
|
|
type: string
|
|
type: object
|
|
clientSecret:
|
|
                          description: The Azure ClientSecret of the service principal
                            used for authentication.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret resource's
|
|
`data` field to be used. Some instances of this
|
|
field may be defaulted, in others it may be required.
|
|
type: string
|
|
name:
|
|
description: The name of the Secret resource being
|
|
referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being referred
|
|
to. Ignored if referent is not cluster-scoped. cluster-scoped
|
|
defaults to the namespace of the referent.
|
|
type: string
|
|
type: object
|
|
type: object
|
|
authType:
|
|
default: ServicePrincipal
|
|
                      description: 'Auth type defines how to authenticate to the
                        keyvault service. Valid values are: - "ServicePrincipal"
                        (default): Using a service principal (tenantId, clientId,
                        clientSecret) - "ManagedIdentity": Using Managed Identity
                        assigned to the pod (see aad-pod-identity) - "WorkloadIdentity":
                        Using Azure Workload Identity with the Kubernetes service
                        account referenced by serviceAccountRef'
|
|
enum:
|
|
- ServicePrincipal
|
|
- ManagedIdentity
|
|
- WorkloadIdentity
|
|
type: string
|
|
environmentType:
|
|
default: PublicCloud
|
|
description: 'EnvironmentType specifies the Azure cloud environment
|
|
endpoints to use for connecting and authenticating with
|
|
Azure. By default it points to the public cloud AAD endpoint.
|
|
The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
|
|
PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud'
|
|
enum:
|
|
- PublicCloud
|
|
- USGovernmentCloud
|
|
- ChinaCloud
|
|
- GermanCloud
|
|
type: string
|
|
identityId:
|
|
description: If multiple Managed Identity is assigned to the
|
|
pod, you can select the one to be used
|
|
type: string
|
|
serviceAccountRef:
|
|
                      description: ServiceAccountRef specifies the service account
                        that should be used when authenticating with WorkloadIdentity.
|
|
properties:
|
|
audiences:
|
|
                          description: Audience specifies the `aud` claim for the
                            service account token. If the service account uses a
                            well-known annotation for e.g. IRSA or GCP Workload
                            Identity then these audiences will be appended to the
                            list.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: The name of the ServiceAccount resource being
|
|
referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being referred
|
|
to. Ignored if referent is not cluster-scoped. cluster-scoped
|
|
defaults to the namespace of the referent.
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
tenantId:
|
|
description: TenantID configures the Azure Tenant to send
|
|
requests to. Required for ServicePrincipal auth type.
|
|
type: string
|
|
vaultUrl:
|
|
                      description: Vault URL from which the secrets are fetched.
|
|
type: string
|
|
required:
|
|
- vaultUrl
|
|
type: object
|
|
conjur:
|
|
description: Conjur configures this store to sync secrets using
|
|
conjur provider
|
|
properties:
|
|
auth:
|
|
properties:
|
|
apikey:
|
|
properties:
|
|
account:
|
|
type: string
|
|
apiKeyRef:
|
|
description: A reference to a specific 'key' within
|
|
a Secret resource, In some instances, `key` is a
|
|
required field.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others it
|
|
may be required.
|
|
type: string
|
|
name:
|
|
description: The name of the Secret resource being
|
|
referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being referred
|
|
to. Ignored if referent is not cluster-scoped.
|
|
cluster-scoped defaults to the namespace of
|
|
the referent.
|
|
type: string
|
|
type: object
|
|
userRef:
|
|
description: A reference to a specific 'key' within
|
|
a Secret resource, In some instances, `key` is a
|
|
required field.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others it
|
|
may be required.
|
|
type: string
|
|
name:
|
|
description: The name of the Secret resource being
|
|
referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being referred
|
|
to. Ignored if referent is not cluster-scoped.
|
|
cluster-scoped defaults to the namespace of
|
|
the referent.
|
|
type: string
|
|
type: object
|
|
required:
|
|
- account
|
|
- apiKeyRef
|
|
- userRef
|
|
type: object
|
|
jwt:
|
|
properties:
|
|
account:
|
|
type: string
|
|
secretRef:
|
|
description: Optional SecretRef that refers to a key
|
|
in a Secret resource containing JWT token to authenticate
|
|
with Conjur using the JWT authentication method.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others it
|
|
may be required.
|
|
type: string
|
|
name:
|
|
description: The name of the Secret resource being
|
|
referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being referred
|
|
to. Ignored if referent is not cluster-scoped.
|
|
cluster-scoped defaults to the namespace of
|
|
the referent.
|
|
type: string
|
|
type: object
|
|
serviceAccountRef:
|
|
description: Optional ServiceAccountRef specifies
|
|
the Kubernetes service account for which to request
|
|
a token for with the `TokenRequest` API.
|
|
properties:
|
|
audiences:
|
|
description: Audience specifies the `aud` claim
|
|
for the service account token If the service
|
|
account uses a well-known annotation for e.g.
|
|
IRSA or GCP Workload Identity then this audiences
|
|
will be appended to the list
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: The name of the ServiceAccount resource
|
|
being referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being referred
|
|
to. Ignored if referent is not cluster-scoped.
|
|
cluster-scoped defaults to the namespace of
|
|
the referent.
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
serviceID:
|
|
description: The conjur authn jwt webservice id
|
|
type: string
|
|
required:
|
|
- account
|
|
- serviceID
|
|
type: object
|
|
type: object
|
|
caBundle:
|
|
type: string
|
|
caProvider:
|
|
description: Used to provide custom certificate authority
|
|
(CA) certificates for a secret store. The CAProvider points
|
|
to a Secret or ConfigMap resource that contains a PEM-encoded
|
|
certificate.
|
|
properties:
|
|
key:
|
|
description: The key where the CA certificate can be found
|
|
in the Secret or ConfigMap.
|
|
type: string
|
|
name:
|
|
description: The name of the object located at the provider
|
|
type.
|
|
type: string
|
|
namespace:
|
|
description: The namespace the Provider type is in. Can
|
|
only be defined when used in a ClusterSecretStore.
|
|
type: string
|
|
type:
|
|
description: The type of provider to use such as "Secret",
|
|
or "ConfigMap".
|
|
enum:
|
|
- Secret
|
|
- ConfigMap
|
|
type: string
|
|
required:
|
|
- name
|
|
- type
|
|
type: object
|
|
url:
|
|
type: string
|
|
required:
|
|
- auth
|
|
- url
|
|
type: object
|
|
delinea:
|
|
description: Delinea DevOps Secrets Vault https://docs.delinea.com/online-help/products/devops-secrets-vault/current
|
|
properties:
|
|
clientId:
|
|
description: ClientID is the non-secret part of the credential.
|
|
properties:
|
|
secretRef:
|
|
description: SecretRef references a key in a secret that
|
|
will be used as value.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret resource's
|
|
`data` field to be used. Some instances of this
|
|
field may be defaulted, in others it may be required.
|
|
type: string
|
|
name:
|
|
description: The name of the Secret resource being
|
|
referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being referred
|
|
to. Ignored if referent is not cluster-scoped. cluster-scoped
|
|
defaults to the namespace of the referent.
|
|
type: string
|
|
type: object
|
|
value:
|
|
description: Value can be specified directly to set a
|
|
value without using a secret.
|
|
type: string
|
|
type: object
|
|
clientSecret:
|
|
description: ClientSecret is the secret part of the credential.
|
|
properties:
|
|
secretRef:
|
|
description: SecretRef references a key in a secret that
|
|
will be used as value.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret resource's
|
|
`data` field to be used. Some instances of this
|
|
field may be defaulted, in others it may be required.
|
|
type: string
|
|
name:
|
|
description: The name of the Secret resource being
|
|
referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being referred
|
|
to. Ignored if referent is not cluster-scoped. cluster-scoped
|
|
defaults to the namespace of the referent.
|
|
type: string
|
|
type: object
|
|
value:
|
|
                          description: Value can be specified directly to set a
                            value without using a secret. For the secret part of
                            the credential prefer secretRef, since a plain value is
                            visible in the SecretStore spec to anyone who can read it.
|
|
type: string
|
|
type: object
|
|
tenant:
|
|
description: Tenant is the chosen hostname / site name.
|
|
type: string
|
|
tld:
|
|
description: TLD is based on the server location that was
|
|
chosen during provisioning. If unset, defaults to "com".
|
|
type: string
|
|
urlTemplate:
|
|
description: URLTemplate If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s".
|
|
type: string
|
|
required:
|
|
- clientId
|
|
- clientSecret
|
|
- tenant
|
|
type: object
|
|
doppler:
|
|
description: Doppler configures this store to sync secrets using
|
|
the Doppler provider
|
|
properties:
|
|
auth:
|
|
description: Auth configures how the Operator authenticates
|
|
with the Doppler API
|
|
properties:
|
|
secretRef:
|
|
properties:
|
|
dopplerToken:
|
|
description: The DopplerToken is used for authentication.
|
|
See https://docs.doppler.com/reference/api#authentication
|
|
for auth token types. The Key attribute defaults
|
|
to dopplerToken if not specified.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others it
|
|
may be required.
|
|
type: string
|
|
name:
|
|
description: The name of the Secret resource being
|
|
referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being referred
|
|
to. Ignored if referent is not cluster-scoped.
|
|
cluster-scoped defaults to the namespace of
|
|
the referent.
|
|
type: string
|
|
type: object
|
|
required:
|
|
- dopplerToken
|
|
type: object
|
|
required:
|
|
- secretRef
|
|
type: object
|
|
config:
|
|
description: Doppler config (required if not using a Service
|
|
Token)
|
|
type: string
|
|
format:
|
|
description: Format enables the downloading of secrets as
|
|
a file (string)
|
|
enum:
|
|
- json
|
|
- dotnet-json
|
|
- env
|
|
- yaml
|
|
- docker
|
|
type: string
|
|
nameTransformer:
|
|
description: Environment variable compatible name transforms
|
|
that change secret names to a different format
|
|
enum:
|
|
- upper-camel
|
|
- camel
|
|
- lower-snake
|
|
- tf-var
|
|
- dotnet-env
|
|
- lower-kebab
|
|
type: string
|
|
project:
|
|
description: Doppler project (required if not using a Service
|
|
Token)
|
|
type: string
|
|
required:
|
|
- auth
|
|
type: object
|
|
fake:
|
|
description: Fake configures a store with static key/value pairs
|
|
properties:
|
|
data:
|
|
items:
|
|
properties:
|
|
key:
|
|
type: string
|
|
value:
|
|
type: string
|
|
valueMap:
|
|
additionalProperties:
|
|
type: string
|
|
description: 'Deprecated: ValueMap is deprecated and
|
|
is intended to be removed in the future, use the `value`
|
|
field instead.'
|
|
type: object
|
|
version:
|
|
type: string
|
|
required:
|
|
- key
|
|
type: object
|
|
type: array
|
|
required:
|
|
- data
|
|
type: object
|
|
gcpsm:
|
|
description: GCPSM configures this store to sync secrets using
|
|
Google Cloud Platform Secret Manager provider
|
|
properties:
|
|
auth:
|
|
description: Auth defines the information necessary to authenticate
|
|
against GCP
|
|
properties:
|
|
secretRef:
|
|
properties:
|
|
secretAccessKeySecretRef:
|
|
description: The SecretAccessKey is used for authentication
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others it
|
|
may be required.
|
|
type: string
|
|
name:
|
|
description: The name of the Secret resource being
|
|
referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being referred
|
|
to. Ignored if referent is not cluster-scoped.
|
|
cluster-scoped defaults to the namespace of
|
|
the referent.
|
|
type: string
|
|
type: object
|
|
type: object
|
|
workloadIdentity:
|
|
properties:
|
|
clusterLocation:
|
|
type: string
|
|
clusterName:
|
|
type: string
|
|
clusterProjectID:
|
|
type: string
|
|
serviceAccountRef:
|
|
description: A reference to a ServiceAccount resource.
|
|
properties:
|
|
audiences:
|
|
description: Audience specifies the `aud` claim
|
|
for the service account token If the service
|
|
account uses a well-known annotation for e.g.
|
|
IRSA or GCP Workload Identity then this audiences
|
|
will be appended to the list
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: The name of the ServiceAccount resource
|
|
being referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being referred
|
|
to. Ignored if referent is not cluster-scoped.
|
|
cluster-scoped defaults to the namespace of
|
|
the referent.
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
required:
|
|
- clusterLocation
|
|
- clusterName
|
|
- serviceAccountRef
|
|
type: object
|
|
type: object
|
|
projectID:
|
|
description: ProjectID project where secret is located
|
|
type: string
|
|
type: object
|
|
gitlab:
|
|
description: GitLab configures this store to sync secrets using
|
|
GitLab Variables provider
|
|
properties:
|
|
auth:
|
|
description: Auth configures how secret-manager authenticates
|
|
with a GitLab instance.
|
|
properties:
|
|
SecretRef:
|
|
properties:
|
|
accessToken:
|
|
description: AccessToken is used for authentication.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others it
|
|
may be required.
|
|
type: string
|
|
name:
|
|
description: The name of the Secret resource being
|
|
referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being referred
|
|
to. Ignored if referent is not cluster-scoped.
|
|
cluster-scoped defaults to the namespace of
|
|
the referent.
|
|
type: string
|
|
type: object
|
|
type: object
|
|
required:
|
|
- SecretRef
|
|
type: object
|
|
environment:
|
|
description: Environment environment_scope of gitlab CI/CD
|
|
variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment
|
|
on how to create environments)
|
|
type: string
|
|
groupIDs:
|
|
description: GroupIDs specify, which gitlab groups to pull
|
|
secrets from. Group secrets are read from left to right
|
|
followed by the project variables.
|
|
items:
|
|
type: string
|
|
type: array
|
|
inheritFromGroups:
|
|
description: InheritFromGroups specifies whether parent groups
|
|
should be discovered and checked for secrets.
|
|
type: boolean
|
|
projectID:
|
|
description: ProjectID specifies a project where secrets are
|
|
located.
|
|
type: string
|
|
url:
|
|
description: URL configures the GitLab instance URL. Defaults
|
|
to https://gitlab.com/.
|
|
type: string
|
|
required:
|
|
- auth
|
|
type: object
|
|
ibm:
|
|
description: IBM configures this store to sync secrets using IBM
|
|
Cloud provider
|
|
properties:
|
|
auth:
|
|
description: Auth configures how secret-manager authenticates
|
|
with the IBM secrets manager.
|
|
maxProperties: 1
|
|
minProperties: 1
|
|
properties:
|
|
containerAuth:
|
|
description: IBM Container-based auth with IAM Trusted
|
|
Profile.
|
|
properties:
|
|
iamEndpoint:
|
|
type: string
|
|
profile:
|
|
description: the IBM Trusted Profile
|
|
type: string
|
|
tokenLocation:
|
|
description: Location the token is mounted on the
|
|
pod
|
|
type: string
|
|
required:
|
|
- profile
|
|
type: object
|
|
secretRef:
|
|
properties:
|
|
secretApiKeySecretRef:
|
|
                          description: The secret API key used for authentication
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others it
|
|
may be required.
|
|
type: string
|
|
name:
|
|
description: The name of the Secret resource being
|
|
referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being referred
|
|
to. Ignored if referent is not cluster-scoped.
|
|
cluster-scoped defaults to the namespace of
|
|
the referent.
|
|
type: string
|
|
type: object
|
|
type: object
|
|
type: object
|
|
serviceUrl:
|
|
description: ServiceURL is the Endpoint URL that is specific
|
|
to the Secrets Manager service instance
|
|
type: string
|
|
required:
|
|
- auth
|
|
type: object
|
|
keepersecurity:
|
|
description: KeeperSecurity configures this store to sync secrets
|
|
using the KeeperSecurity provider
|
|
properties:
|
|
authRef:
|
|
description: A reference to a specific 'key' within a Secret
|
|
resource, In some instances, `key` is a required field.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret resource's
|
|
`data` field to be used. Some instances of this field
|
|
may be defaulted, in others it may be required.
|
|
type: string
|
|
name:
|
|
description: The name of the Secret resource being referred
|
|
to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being referred
|
|
to. Ignored if referent is not cluster-scoped. cluster-scoped
|
|
defaults to the namespace of the referent.
|
|
type: string
|
|
type: object
|
|
folderID:
|
|
type: string
|
|
required:
|
|
- authRef
|
|
- folderID
|
|
type: object
|
|
kubernetes:
|
|
description: Kubernetes configures this store to sync secrets
|
|
using a Kubernetes cluster provider
|
|
properties:
|
|
auth:
|
|
description: Auth configures how secret-manager authenticates
|
|
with a Kubernetes instance.
|
|
maxProperties: 1
|
|
minProperties: 1
|
|
properties:
|
|
cert:
|
|
description: has both clientCert and clientKey as secretKeySelector
|
|
properties:
|
|
clientCert:
|
|
description: A reference to a specific 'key' within
|
|
a Secret resource, In some instances, `key` is a
|
|
required field.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others it
|
|
may be required.
|
|
type: string
|
|
name:
|
|
description: The name of the Secret resource being
|
|
referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being referred
|
|
to. Ignored if referent is not cluster-scoped.
|
|
cluster-scoped defaults to the namespace of
|
|
the referent.
|
|
type: string
|
|
type: object
|
|
clientKey:
|
|
description: A reference to a specific 'key' within
|
|
a Secret resource, In some instances, `key` is a
|
|
required field.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others it
|
|
may be required.
|
|
type: string
|
|
name:
|
|
description: The name of the Secret resource being
|
|
referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being referred
|
|
to. Ignored if referent is not cluster-scoped.
|
|
cluster-scoped defaults to the namespace of
|
|
the referent.
|
|
type: string
|
|
type: object
|
|
type: object
|
|
serviceAccount:
|
|
description: points to a service account that should be
|
|
used for authentication
|
|
properties:
|
|
audiences:
|
|
description: Audience specifies the `aud` claim for
|
|
the service account token If the service account
|
|
uses a well-known annotation for e.g. IRSA or GCP
|
|
Workload Identity then this audiences will be appended
|
|
to the list
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: The name of the ServiceAccount resource
|
|
being referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being referred
|
|
to. Ignored if referent is not cluster-scoped. cluster-scoped
|
|
defaults to the namespace of the referent.
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
token:
|
|
                      description: Use a static bearer token to authenticate with the Kubernetes API server.
|
|
properties:
|
|
bearerToken:
|
|
description: A reference to a specific 'key' within
|
|
a Secret resource, In some instances, `key` is a
|
|
required field.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others it
|
|
may be required.
|
|
type: string
|
|
name:
|
|
description: The name of the Secret resource being
|
|
referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being referred
|
|
to. Ignored if referent is not cluster-scoped.
|
|
cluster-scoped defaults to the namespace of
|
|
the referent.
|
|
type: string
|
|
type: object
|
|
type: object
|
|
type: object
|
|
remoteNamespace:
|
|
default: default
|
|
description: Remote namespace to fetch the secrets from
|
|
type: string
|
|
server:
|
|
description: configures the Kubernetes server Address.
|
|
properties:
|
|
caBundle:
|
|
description: CABundle is a base64-encoded CA certificate
|
|
format: byte
|
|
type: string
|
|
caProvider:
|
|
description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
|
|
properties:
|
|
key:
|
|
description: The key where the CA certificate can
|
|
be found in the Secret or ConfigMap.
|
|
type: string
|
|
name:
|
|
description: The name of the object located at the
|
|
provider type.
|
|
type: string
|
|
namespace:
|
|
description: The namespace the Provider type is in.
|
|
Can only be defined when used in a ClusterSecretStore.
|
|
type: string
|
|
type:
|
|
description: The type of provider to use such as "Secret",
|
|
or "ConfigMap".
|
|
enum:
|
|
- Secret
|
|
- ConfigMap
|
|
type: string
|
|
required:
|
|
- name
|
|
- type
|
|
type: object
|
|
url:
|
|
default: kubernetes.default
|
|
description: configures the Kubernetes server Address.
|
|
type: string
|
|
type: object
|
|
required:
|
|
- auth
|
|
type: object
|
|
onepassword:
|
|
description: OnePassword configures this store to sync secrets
|
|
using the 1Password Cloud provider
|
|
properties:
|
|
auth:
|
|
description: Auth defines the information necessary to authenticate
|
|
against OnePassword Connect Server
|
|
properties:
|
|
secretRef:
|
|
description: OnePasswordAuthSecretRef holds secret references
|
|
for 1Password credentials.
|
|
properties:
|
|
connectTokenSecretRef:
|
|
description: The ConnectToken is used for authentication
|
|
to a 1Password Connect Server.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others it
|
|
may be required.
|
|
type: string
|
|
name:
|
|
description: The name of the Secret resource being
|
|
referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being referred
|
|
to. Ignored if referent is not cluster-scoped.
|
|
cluster-scoped defaults to the namespace of
|
|
the referent.
|
|
type: string
|
|
type: object
|
|
required:
|
|
- connectTokenSecretRef
|
|
type: object
|
|
required:
|
|
- secretRef
|
|
type: object
|
|
connectHost:
|
|
description: ConnectHost defines the OnePassword Connect Server
|
|
to connect to
|
|
type: string
|
|
vaults:
|
|
additionalProperties:
|
|
type: integer
|
|
description: Vaults defines which OnePassword vaults to search
|
|
in which order
|
|
type: object
|
|
required:
|
|
- auth
|
|
- connectHost
|
|
- vaults
|
|
type: object
|
|
oracle:
|
|
description: Oracle configures this store to sync secrets using
|
|
Oracle Vault provider
|
|
properties:
|
|
auth:
|
|
description: Auth configures how secret-manager authenticates
|
|
with the Oracle Vault. If empty, use the instance principal,
|
|
otherwise the user credentials specified in Auth.
|
|
properties:
|
|
secretRef:
|
|
description: SecretRef to pass through sensitive information.
|
|
properties:
|
|
fingerprint:
|
|
description: Fingerprint is the fingerprint of the
|
|
API private key.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others it
|
|
may be required.
|
|
type: string
|
|
name:
|
|
description: The name of the Secret resource being
|
|
referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being referred
|
|
to. Ignored if referent is not cluster-scoped.
|
|
cluster-scoped defaults to the namespace of
|
|
the referent.
|
|
type: string
|
|
type: object
|
|
privatekey:
|
|
description: PrivateKey is the user's API Signing
|
|
Key in PEM format, used for authentication.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others it
|
|
may be required.
|
|
type: string
|
|
name:
|
|
description: The name of the Secret resource being
|
|
referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being referred
|
|
to. Ignored if referent is not cluster-scoped.
|
|
cluster-scoped defaults to the namespace of
|
|
the referent.
|
|
type: string
|
|
type: object
|
|
required:
|
|
- fingerprint
|
|
- privatekey
|
|
type: object
|
|
tenancy:
|
|
description: Tenancy is the tenancy OCID where user is
|
|
located.
|
|
type: string
|
|
user:
|
|
description: User is an access OCID specific to the account.
|
|
type: string
|
|
required:
|
|
- secretRef
|
|
- tenancy
|
|
- user
|
|
type: object
|
|
compartment:
|
|
description: Compartment is the vault compartment OCID. Required
|
|
for PushSecret
|
|
type: string
|
|
encryptionKey:
|
|
description: EncryptionKey is the OCID of the encryption key
|
|
within the vault. Required for PushSecret
|
|
type: string
|
|
principalType:
|
|
description: The type of principal to use for authentication.
|
|
If left blank, the Auth struct will determine the principal
|
|
type. This optional field must be specified if using workload
|
|
identity.
|
|
enum:
|
|
- ""
|
|
- UserPrincipal
|
|
- InstancePrincipal
|
|
- Workload
|
|
type: string
|
|
region:
|
|
description: Region is the region where vault is located.
|
|
type: string
|
|
serviceAccountRef:
|
|
                      description: ServiceAccountRef specifies the service account
                        that should be used when authenticating with WorkloadIdentity.
|
|
properties:
|
|
audiences:
|
|
description: Audience specifies the `aud` claim for the
|
|
service account token If the service account uses a
|
|
well-known annotation for e.g. IRSA or GCP Workload
|
|
Identity then this audiences will be appended to the
|
|
list
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: The name of the ServiceAccount resource being
|
|
referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being referred
|
|
to. Ignored if referent is not cluster-scoped. cluster-scoped
|
|
defaults to the namespace of the referent.
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
vault:
|
|
description: Vault is the vault's OCID of the specific vault
|
|
where secret is located.
|
|
type: string
|
|
required:
|
|
- region
|
|
- vault
|
|
type: object
|
|
scaleway:
|
|
description: Scaleway
|
|
properties:
|
|
accessKey:
|
|
description: AccessKey is the non-secret part of the api key.
|
|
properties:
|
|
secretRef:
|
|
description: SecretRef references a key in a secret that
|
|
will be used as value.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret resource's
|
|
`data` field to be used. Some instances of this
|
|
field may be defaulted, in others it may be required.
|
|
type: string
|
|
name:
|
|
description: The name of the Secret resource being
|
|
referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being referred
|
|
to. Ignored if referent is not cluster-scoped. cluster-scoped
|
|
defaults to the namespace of the referent.
|
|
type: string
|
|
type: object
|
|
value:
|
|
description: Value can be specified directly to set a
|
|
value without using a secret.
|
|
type: string
|
|
type: object
|
|
apiUrl:
|
|
description: APIURL is the url of the api to use. Defaults
|
|
to https://api.scaleway.com
|
|
type: string
|
|
projectId:
|
|
description: 'ProjectID is the id of your project, which you
|
|
can find in the console: https://console.scaleway.com/project/settings'
|
|
type: string
|
|
region:
|
|
description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone'
|
|
type: string
|
|
secretKey:
|
|
                  description: SecretKey is the secret part of the api key.
|
|
properties:
|
|
secretRef:
|
|
description: SecretRef references a key in a secret that
|
|
will be used as value.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret resource's
|
|
`data` field to be used. Some instances of this
|
|
field may be defaulted, in others it may be required.
|
|
type: string
|
|
name:
|
|
description: The name of the Secret resource being
|
|
referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being referred
|
|
to. Ignored if referent is not cluster-scoped. cluster-scoped
|
|
defaults to the namespace of the referent.
|
|
type: string
|
|
type: object
|
|
value:
|
|
                          description: Value can be specified directly to set a
                            value without using a secret. For the secret part of
                            the api key prefer secretRef, since a plain value is
                            visible in the SecretStore spec to anyone who can read it.
|
|
type: string
|
|
type: object
|
|
required:
|
|
- accessKey
|
|
- projectId
|
|
- region
|
|
- secretKey
|
|
type: object
|
|
senhasegura:
|
|
description: Senhasegura configures this store to sync secrets
|
|
using senhasegura provider
|
|
properties:
|
|
auth:
|
|
description: Auth defines parameters to authenticate in senhasegura
|
|
properties:
|
|
clientId:
|
|
type: string
|
|
clientSecretSecretRef:
|
|
description: A reference to a specific 'key' within a
|
|
Secret resource. In some instances, `key` is a required
|
|
field.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret resource's
|
|
`data` field to be used. Some instances of this
|
|
field may be defaulted, in others it may be required.
|
|
type: string
|
|
name:
|
|
description: The name of the Secret resource being
|
|
referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being referred
|
|
to. Ignored if referent is not cluster-scoped. cluster-scoped
|
|
defaults to the namespace of the referent.
|
|
type: string
|
|
type: object
|
|
required:
|
|
- clientId
|
|
- clientSecretSecretRef
|
|
type: object
|
|
ignoreSslCertificate:
|
|
default: false
|
|
description: IgnoreSslCertificate defines whether the SSL certificate
|
|
must be ignored
|
|
type: boolean
|
|
module:
|
|
description: Module defines which senhasegura module should
|
|
be used to get secrets
|
|
type: string
|
|
url:
|
|
description: URL of senhasegura
|
|
type: string
|
|
required:
|
|
- auth
|
|
- module
|
|
- url
|
|
type: object
|
|
vault:
|
|
description: Vault configures this store to sync secrets using
|
|
Hashi provider
|
|
properties:
|
|
auth:
|
|
description: Auth configures how secret-manager authenticates
|
|
with the Vault server.
|
|
properties:
|
|
appRole:
|
|
description: AppRole authenticates with Vault using the
|
|
App Role auth mechanism, with the role and secret stored
|
|
in a Kubernetes Secret resource.
|
|
properties:
|
|
path:
|
|
default: approle
|
|
description: 'Path where the App Role authentication
|
|
backend is mounted in Vault, e.g: "approle"'
|
|
type: string
|
|
roleId:
|
|
description: RoleID configured in the App Role authentication
|
|
backend when setting up the authentication backend
|
|
in Vault.
|
|
type: string
|
|
roleRef:
|
|
description: Reference to a key in a Secret that contains
|
|
the App Role ID used to authenticate with Vault.
|
|
The `key` field must be specified and denotes which
|
|
entry within the Secret resource is used as the
|
|
app role id.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others it
|
|
may be required.
|
|
type: string
|
|
name:
|
|
description: The name of the Secret resource being
|
|
referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being referred
|
|
to. Ignored if referent is not cluster-scoped.
|
|
cluster-scoped defaults to the namespace of
|
|
the referent.
|
|
type: string
|
|
type: object
|
|
secretRef:
|
|
description: Reference to a key in a Secret that contains
|
|
the App Role secret used to authenticate with Vault.
|
|
The `key` field must be specified and denotes which
|
|
entry within the Secret resource is used as the
|
|
app role secret.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others it
|
|
may be required.
|
|
type: string
|
|
name:
|
|
description: The name of the Secret resource being
|
|
referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being referred
|
|
to. Ignored if referent is not cluster-scoped.
|
|
cluster-scoped defaults to the namespace of
|
|
the referent.
|
|
type: string
|
|
type: object
|
|
required:
|
|
- path
|
|
- secretRef
|
|
type: object
|
|
cert:
|
|
description: Cert authenticates with TLS Certificates
|
|
by passing client certificate, private key and ca certificate
|
|
using the Cert authentication method
|
|
properties:
|
|
clientCert:
|
|
description: ClientCert is a certificate to authenticate
|
|
using the Cert Vault authentication method
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others it
|
|
may be required.
|
|
type: string
|
|
name:
|
|
description: The name of the Secret resource being
|
|
referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being referred
|
|
to. Ignored if referent is not cluster-scoped.
|
|
cluster-scoped defaults to the namespace of
|
|
the referent.
|
|
type: string
|
|
type: object
|
|
secretRef:
|
|
description: SecretRef to a key in a Secret resource
|
|
containing client private key to authenticate with
|
|
Vault using the Cert authentication method
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others it
|
|
may be required.
|
|
type: string
|
|
name:
|
|
description: The name of the Secret resource being
|
|
referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being referred
|
|
to. Ignored if referent is not cluster-scoped.
|
|
cluster-scoped defaults to the namespace of
|
|
the referent.
|
|
type: string
|
|
type: object
|
|
type: object
|
|
iam:
|
|
description: Iam authenticates with vault by passing a
|
|
special AWS request signed with AWS IAM credentials
|
|
using the AWS IAM authentication method
|
|
properties:
|
|
externalID:
|
|
description: AWS External ID set on assumed IAM roles
|
|
type: string
|
|
jwt:
|
|
description: Specify a service account with IRSA enabled
|
|
properties:
|
|
serviceAccountRef:
|
|
description: A reference to a ServiceAccount resource.
|
|
properties:
|
|
audiences:
|
|
description: Audience specifies the `aud`
|
|
claim for the service account token. If the
|
|
service account uses a well-known annotation
|
|
for e.g. IRSA or GCP Workload Identity then
|
|
these audiences will be appended to the list
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: The name of the ServiceAccount
|
|
resource being referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being
|
|
referred to. Ignored if referent is not
|
|
cluster-scoped. cluster-scoped defaults
|
|
to the namespace of the referent.
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
type: object
|
|
path:
|
|
description: 'Path where the AWS auth method is enabled
|
|
in Vault, e.g: "aws"'
|
|
type: string
|
|
region:
|
|
description: AWS region
|
|
type: string
|
|
role:
|
|
description: This is the AWS role to be assumed before
|
|
talking to vault
|
|
type: string
|
|
secretRef:
|
|
description: Specify credentials in a Secret object
|
|
properties:
|
|
accessKeyIDSecretRef:
|
|
description: The AccessKeyID is used for authentication
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some
|
|
instances of this field may be defaulted,
|
|
in others it may be required.
|
|
type: string
|
|
name:
|
|
description: The name of the Secret resource
|
|
being referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being
|
|
referred to. Ignored if referent is not
|
|
cluster-scoped. cluster-scoped defaults
|
|
to the namespace of the referent.
|
|
type: string
|
|
type: object
|
|
secretAccessKeySecretRef:
|
|
description: The SecretAccessKey is used for authentication
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some
|
|
instances of this field may be defaulted,
|
|
in others it may be required.
|
|
type: string
|
|
name:
|
|
description: The name of the Secret resource
|
|
being referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being
|
|
referred to. Ignored if referent is not
|
|
cluster-scoped. cluster-scoped defaults
|
|
to the namespace of the referent.
|
|
type: string
|
|
type: object
|
|
sessionTokenSecretRef:
|
|
description: 'The SessionToken used for authentication.
|
|
This must be defined if AccessKeyID and SecretAccessKey
|
|
are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html'
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some
|
|
instances of this field may be defaulted,
|
|
in others it may be required.
|
|
type: string
|
|
name:
|
|
description: The name of the Secret resource
|
|
being referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being
|
|
referred to. Ignored if referent is not
|
|
cluster-scoped. cluster-scoped defaults
|
|
to the namespace of the referent.
|
|
type: string
|
|
type: object
|
|
type: object
|
|
vaultAwsIamServerID:
|
|
description: 'X-Vault-AWS-IAM-Server-ID is an additional
|
|
header used by Vault IAM auth method to mitigate
|
|
against different types of replay attacks. More
|
|
details here: https://developer.hashicorp.com/vault/docs/auth/aws'
|
|
type: string
|
|
vaultRole:
|
|
description: Vault Role. In vault, a role describes
|
|
an identity with a set of permissions, groups, or
|
|
policies you want to attach to a user of the secrets
|
|
engine
|
|
type: string
|
|
required:
|
|
- vaultRole
|
|
type: object
|
|
jwt:
|
|
description: Jwt authenticates with Vault by passing role
|
|
and JWT token using the JWT/OIDC authentication method
|
|
properties:
|
|
kubernetesServiceAccountToken:
|
|
description: Optional ServiceAccountToken specifies
|
|
the Kubernetes service account for which to request
|
|
a token with the `TokenRequest` API.
|
|
properties:
|
|
audiences:
|
|
description: 'Optional audiences field that will
|
|
be used to request a temporary Kubernetes service
|
|
account token for the service account referenced
|
|
by `serviceAccountRef`. Defaults to a single
|
|
audience `vault` if not specified. Deprecated:
|
|
use serviceAccountRef.Audiences instead'
|
|
items:
|
|
type: string
|
|
type: array
|
|
expirationSeconds:
|
|
description: 'Optional expiration time in seconds
|
|
that will be used to request a temporary Kubernetes
|
|
service account token for the service account
|
|
referenced by `serviceAccountRef`. Deprecated:
|
|
this will be removed in the future. Defaults
|
|
to 10 minutes.'
|
|
format: int64
|
|
type: integer
|
|
serviceAccountRef:
|
|
description: Service account field containing
|
|
the name of a kubernetes ServiceAccount.
|
|
properties:
|
|
audiences:
|
|
description: Audience specifies the `aud`
|
|
claim for the service account token. If the
|
|
service account uses a well-known annotation
|
|
for e.g. IRSA or GCP Workload Identity then
|
|
these audiences will be appended to the list
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: The name of the ServiceAccount
|
|
resource being referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being
|
|
referred to. Ignored if referent is not
|
|
cluster-scoped. cluster-scoped defaults
|
|
to the namespace of the referent.
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
required:
|
|
- serviceAccountRef
|
|
type: object
|
|
path:
|
|
default: jwt
|
|
description: 'Path where the JWT authentication backend
|
|
is mounted in Vault, e.g: "jwt"'
|
|
type: string
|
|
role:
|
|
description: Role is a JWT role to authenticate using
|
|
the JWT/OIDC Vault authentication method
|
|
type: string
|
|
secretRef:
|
|
description: Optional SecretRef that refers to a key
|
|
in a Secret resource containing JWT token to authenticate
|
|
with Vault using the JWT/OIDC authentication method.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others it
|
|
may be required.
|
|
type: string
|
|
name:
|
|
description: The name of the Secret resource being
|
|
referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being referred
|
|
to. Ignored if referent is not cluster-scoped.
|
|
cluster-scoped defaults to the namespace of
|
|
the referent.
|
|
type: string
|
|
type: object
|
|
required:
|
|
- path
|
|
type: object
|
|
kubernetes:
|
|
description: Kubernetes authenticates with Vault by passing
|
|
the ServiceAccount token stored in the named Secret
|
|
resource to the Vault server.
|
|
properties:
|
|
mountPath:
|
|
default: kubernetes
|
|
description: 'Path where the Kubernetes authentication
|
|
backend is mounted in Vault, e.g: "kubernetes"'
|
|
type: string
|
|
role:
|
|
description: A required field containing the Vault
|
|
Role to assume. A Role binds a Kubernetes ServiceAccount
|
|
with a set of Vault policies.
|
|
type: string
|
|
secretRef:
|
|
description: Optional secret field containing a Kubernetes
|
|
ServiceAccount JWT used for authenticating with
|
|
Vault. If a name is specified without a key, `token`
|
|
is the default. If one is not specified, the one
|
|
bound to the controller will be used.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others it
|
|
may be required.
|
|
type: string
|
|
name:
|
|
description: The name of the Secret resource being
|
|
referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being referred
|
|
to. Ignored if referent is not cluster-scoped.
|
|
cluster-scoped defaults to the namespace of
|
|
the referent.
|
|
type: string
|
|
type: object
|
|
serviceAccountRef:
|
|
description: Optional service account field containing
|
|
the name of a kubernetes ServiceAccount. If the
|
|
service account is specified, the service account
|
|
secret token JWT will be used for authenticating
|
|
with Vault. If the service account selector is not
|
|
supplied, the secretRef will be used instead.
|
|
properties:
|
|
audiences:
|
|
description: Audience specifies the `aud` claim
|
|
for the service account token. If the service
|
|
account uses a well-known annotation for e.g.
|
|
IRSA or GCP Workload Identity then these audiences
|
|
will be appended to the list
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: The name of the ServiceAccount resource
|
|
being referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being referred
|
|
to. Ignored if referent is not cluster-scoped.
|
|
cluster-scoped defaults to the namespace of
|
|
the referent.
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
required:
|
|
- mountPath
|
|
- role
|
|
type: object
|
|
ldap:
|
|
description: Ldap authenticates with Vault by passing
|
|
username/password pair using the LDAP authentication
|
|
method
|
|
properties:
|
|
path:
|
|
default: ldap
|
|
description: 'Path where the LDAP authentication backend
|
|
is mounted in Vault, e.g: "ldap"'
|
|
type: string
|
|
secretRef:
|
|
description: SecretRef to a key in a Secret resource
|
|
containing password for the LDAP user used to authenticate
|
|
with Vault using the LDAP authentication method
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others it
|
|
may be required.
|
|
type: string
|
|
name:
|
|
description: The name of the Secret resource being
|
|
referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being referred
|
|
to. Ignored if referent is not cluster-scoped.
|
|
cluster-scoped defaults to the namespace of
|
|
the referent.
|
|
type: string
|
|
type: object
|
|
username:
|
|
description: Username is an LDAP user name used to
|
|
authenticate using the LDAP Vault authentication
|
|
method
|
|
type: string
|
|
required:
|
|
- path
|
|
- username
|
|
type: object
|
|
tokenSecretRef:
|
|
description: TokenSecretRef authenticates with Vault by
|
|
presenting a token.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret resource's
|
|
`data` field to be used. Some instances of this
|
|
field may be defaulted, in others it may be required.
|
|
type: string
|
|
name:
|
|
description: The name of the Secret resource being
|
|
referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being referred
|
|
to. Ignored if referent is not cluster-scoped. cluster-scoped
|
|
defaults to the namespace of the referent.
|
|
type: string
|
|
type: object
|
|
userPass:
|
|
description: UserPass authenticates with Vault by passing
|
|
username/password pair
|
|
properties:
|
|
path:
|
|
default: user
|
|
description: 'Path where the UserPassword authentication
|
|
backend is mounted in Vault, e.g: "user"'
|
|
type: string
|
|
secretRef:
|
|
description: SecretRef to a key in a Secret resource
|
|
containing password for the user used to authenticate
|
|
with Vault using the UserPass authentication method
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others it
|
|
may be required.
|
|
type: string
|
|
name:
|
|
description: The name of the Secret resource being
|
|
referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being referred
|
|
to. Ignored if referent is not cluster-scoped.
|
|
cluster-scoped defaults to the namespace of
|
|
the referent.
|
|
type: string
|
|
type: object
|
|
username:
|
|
description: Username is a user name used to authenticate
|
|
using the UserPass Vault authentication method
|
|
type: string
|
|
required:
|
|
- path
|
|
- username
|
|
type: object
|
|
type: object
|
|
caBundle:
|
|
description: PEM encoded CA bundle used to validate Vault
|
|
server certificate. Only used if the Server URL is using
|
|
HTTPS protocol. This parameter is ignored for plain HTTP
|
|
protocol connection. If not set the system root certificates
|
|
are used to validate the TLS connection.
|
|
format: byte
|
|
type: string
|
|
caProvider:
|
|
description: The provider for the CA bundle to use to validate
|
|
Vault server certificate.
|
|
properties:
|
|
key:
|
|
description: The key where the CA certificate can be found
|
|
in the Secret or ConfigMap.
|
|
type: string
|
|
name:
|
|
description: The name of the object located at the provider
|
|
type.
|
|
type: string
|
|
namespace:
|
|
description: The namespace the Provider type is in. Can
|
|
only be defined when used in a ClusterSecretStore.
|
|
type: string
|
|
type:
|
|
description: The type of provider to use such as "Secret",
|
|
or "ConfigMap".
|
|
enum:
|
|
- Secret
|
|
- ConfigMap
|
|
type: string
|
|
required:
|
|
- name
|
|
- type
|
|
type: object
|
|
forwardInconsistent:
|
|
description: ForwardInconsistent tells Vault to forward read-after-write
|
|
requests to the Vault leader instead of simply retrying
|
|
within a loop. This can increase performance if the option
|
|
is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
|
|
type: boolean
|
|
namespace:
|
|
description: 'Name of the vault namespace. Namespaces are a
|
|
set of features within Vault Enterprise that allows Vault
|
|
environments to support Secure Multi-tenancy. e.g: "ns1".
|
|
More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
|
|
type: string
|
|
path:
|
|
description: 'Path is the mount path of the Vault KV backend
|
|
endpoint, e.g: "secret". The v2 KV secret engine version
|
|
specific "/data" path suffix for fetching secrets from Vault
|
|
is optional and will be appended if not present in specified
|
|
path.'
|
|
type: string
|
|
readYourWrites:
|
|
description: ReadYourWrites ensures isolated read-after-write
|
|
semantics by providing discovered cluster replication states
|
|
in each request. More information about eventual consistency
|
|
in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency
|
|
type: boolean
|
|
server:
|
|
description: 'Server is the connection address for the Vault
|
|
server, e.g: "https://vault.example.com:8200".'
|
|
type: string
|
|
tls:
|
|
description: The configuration used for client side related
|
|
TLS communication, when the Vault server requires mutual
|
|
authentication. Only used if the Server URL is using HTTPS
|
|
protocol. This parameter is ignored for plain HTTP protocol
|
|
connection. It's worth noting this configuration is different
|
|
from the "TLS certificates auth method", which is available
|
|
under the `auth.cert` section.
|
|
properties:
|
|
certSecretRef:
|
|
description: CertSecretRef is a certificate added to the
|
|
transport layer when communicating with the Vault server.
|
|
If no key for the Secret is specified, external-secret
|
|
will default to 'tls.crt'.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret resource's
|
|
`data` field to be used. Some instances of this
|
|
field may be defaulted, in others it may be required.
|
|
type: string
|
|
name:
|
|
description: The name of the Secret resource being
|
|
referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being referred
|
|
to. Ignored if referent is not cluster-scoped. cluster-scoped
|
|
defaults to the namespace of the referent.
|
|
type: string
|
|
type: object
|
|
keySecretRef:
|
|
description: KeySecretRef to a key in a Secret resource
|
|
containing client private key added to the transport
|
|
layer when communicating with the Vault server. If no
|
|
key for the Secret is specified, external-secret will
|
|
default to 'tls.key'.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret resource's
|
|
`data` field to be used. Some instances of this
|
|
field may be defaulted, in others it may be required.
|
|
type: string
|
|
name:
|
|
description: The name of the Secret resource being
|
|
referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being referred
|
|
to. Ignored if referent is not cluster-scoped. cluster-scoped
|
|
defaults to the namespace of the referent.
|
|
type: string
|
|
type: object
|
|
type: object
|
|
version:
|
|
default: v2
|
|
description: Version is the Vault KV secret engine version.
|
|
This can be either "v1" or "v2". Version defaults to "v2".
|
|
enum:
|
|
- v1
|
|
- v2
|
|
type: string
|
|
required:
|
|
- auth
|
|
- server
|
|
type: object
|
|
webhook:
|
|
description: Webhook configures this store to sync secrets using
|
|
a generic templated webhook
|
|
properties:
|
|
body:
|
|
description: Body
|
|
type: string
|
|
caBundle:
|
|
description: PEM encoded CA bundle used to validate webhook
|
|
server certificate. Only used if the Server URL is using
|
|
HTTPS protocol. This parameter is ignored for plain HTTP
|
|
protocol connection. If not set the system root certificates
|
|
are used to validate the TLS connection.
|
|
format: byte
|
|
type: string
|
|
caProvider:
|
|
description: The provider for the CA bundle to use to validate
|
|
webhook server certificate.
|
|
properties:
|
|
key:
|
|
description: The key of the value inside the provider
|
|
type to use; only used with the "Secret" type
|
|
type: string
|
|
name:
|
|
description: The name of the object located at the provider
|
|
type.
|
|
type: string
|
|
namespace:
|
|
description: The namespace the Provider type is in.
|
|
type: string
|
|
type:
|
|
description: The type of provider to use such as "Secret",
|
|
or "ConfigMap".
|
|
enum:
|
|
- Secret
|
|
- ConfigMap
|
|
type: string
|
|
required:
|
|
- name
|
|
- type
|
|
type: object
|
|
headers:
|
|
additionalProperties:
|
|
type: string
|
|
description: Headers
|
|
type: object
|
|
method:
|
|
description: Webhook Method
|
|
type: string
|
|
result:
|
|
description: Result formatting
|
|
properties:
|
|
jsonPath:
|
|
description: Json path of return value
|
|
type: string
|
|
type: object
|
|
secrets:
|
|
description: Secrets to fill in templates. These secrets will
|
|
be passed to the templating function as key value pairs
|
|
under the given name
|
|
items:
|
|
properties:
|
|
name:
|
|
description: Name of this secret in templates
|
|
type: string
|
|
secretRef:
|
|
description: Secret ref to fill in credentials
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others it may
|
|
be required.
|
|
type: string
|
|
name:
|
|
description: The name of the Secret resource being
|
|
referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being referred
|
|
to. Ignored if referent is not cluster-scoped.
|
|
cluster-scoped defaults to the namespace of the
|
|
referent.
|
|
type: string
|
|
type: object
|
|
required:
|
|
- name
|
|
- secretRef
|
|
type: object
|
|
type: array
|
|
timeout:
|
|
description: Timeout
|
|
type: string
|
|
url:
|
|
description: Webhook url to call
|
|
type: string
|
|
required:
|
|
- result
|
|
- url
|
|
type: object
|
|
yandexcertificatemanager:
|
|
description: YandexCertificateManager configures this store to
|
|
sync secrets using Yandex Certificate Manager provider
|
|
properties:
|
|
apiEndpoint:
|
|
description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
|
|
type: string
|
|
auth:
|
|
description: Auth defines the information necessary to authenticate
|
|
against Yandex Certificate Manager
|
|
properties:
|
|
authorizedKeySecretRef:
|
|
description: The authorized key used for authentication
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret resource's
|
|
`data` field to be used. Some instances of this
|
|
field may be defaulted, in others it may be required.
|
|
type: string
|
|
name:
|
|
description: The name of the Secret resource being
|
|
referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being referred
|
|
to. Ignored if referent is not cluster-scoped. cluster-scoped
|
|
defaults to the namespace of the referent.
|
|
type: string
|
|
type: object
|
|
type: object
|
|
caProvider:
|
|
description: The provider for the CA bundle to use to validate
|
|
Yandex.Cloud server certificate.
|
|
properties:
|
|
certSecretRef:
|
|
description: A reference to a specific 'key' within a
|
|
Secret resource. In some instances, `key` is a required
|
|
field.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret resource's
|
|
`data` field to be used. Some instances of this
|
|
field may be defaulted, in others it may be required.
|
|
type: string
|
|
name:
|
|
description: The name of the Secret resource being
|
|
referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being referred
|
|
to. Ignored if referent is not cluster-scoped. cluster-scoped
|
|
defaults to the namespace of the referent.
|
|
type: string
|
|
type: object
|
|
type: object
|
|
required:
|
|
- auth
|
|
type: object
|
|
yandexlockbox:
|
|
description: YandexLockbox configures this store to sync secrets
|
|
using Yandex Lockbox provider
|
|
properties:
|
|
apiEndpoint:
|
|
description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
|
|
type: string
|
|
auth:
|
|
description: Auth defines the information necessary to authenticate
|
|
against Yandex Lockbox
|
|
properties:
|
|
authorizedKeySecretRef:
|
|
description: The authorized key used for authentication
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret resource's
|
|
`data` field to be used. Some instances of this
|
|
field may be defaulted, in others it may be required.
|
|
type: string
|
|
name:
|
|
description: The name of the Secret resource being
|
|
referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being referred
|
|
to. Ignored if referent is not cluster-scoped. cluster-scoped
|
|
defaults to the namespace of the referent.
|
|
type: string
|
|
type: object
|
|
type: object
|
|
caProvider:
|
|
description: The provider for the CA bundle to use to validate
|
|
Yandex.Cloud server certificate.
|
|
properties:
|
|
certSecretRef:
|
|
description: A reference to a specific 'key' within a
|
|
Secret resource. In some instances, `key` is a required
|
|
field.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret resource's
|
|
`data` field to be used. Some instances of this
|
|
field may be defaulted, in others it may be required.
|
|
type: string
|
|
name:
|
|
description: The name of the Secret resource being
|
|
referred to.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the resource being referred
|
|
to. Ignored if referent is not cluster-scoped. cluster-scoped
|
|
defaults to the namespace of the referent.
|
|
type: string
|
|
type: object
|
|
type: object
|
|
required:
|
|
- auth
|
|
type: object
|
|
type: object
|
|
refreshInterval:
|
|
description: Used to configure store refresh interval in seconds.
|
|
Empty or 0 will default to the controller config.
|
|
type: integer
|
|
retrySettings:
|
|
description: Used to configure HTTP retries on failure
|
|
properties:
|
|
maxRetries:
|
|
format: int32
|
|
type: integer
|
|
retryInterval:
|
|
type: string
|
|
type: object
|
|
required:
|
|
- provider
|
|
type: object
|
|
status:
|
|
description: SecretStoreStatus defines the observed state of the SecretStore.
|
|
properties:
|
|
capabilities:
|
|
description: SecretStoreCapabilities defines the possible operations
|
|
a SecretStore can do.
|
|
type: string
|
|
conditions:
|
|
items:
|
|
properties:
|
|
lastTransitionTime:
|
|
format: date-time
|
|
type: string
|
|
message:
|
|
type: string
|
|
reason:
|
|
type: string
|
|
status:
|
|
type: string
|
|
type:
|
|
type: string
|
|
required:
|
|
- status
|
|
- type
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: object
|
|
served: true
|
|
storage: true
|
|
subresources:
|
|
status: {}
|